While organizations have been under threat from ransomware for years, the attack landscape has been very narrowly focused. Victims tended to have to manually enable the attack through some method, such as opening email attachments or downloading unverified software. Much of that has changed with the large-scale wannacry ransomware campaign friday may 12, 2017.
Tens of thousands of systems have already been compromised, and the attack is still ongoing. Along with our peers in the industry, Vertis technology solution’s cybersecurity team has been actively analyzing the malware and its threats.
What we found was that the ransomware does not have any truly novel tricks up its sleeve. It is standard ransomware that, upon execution, creates dozens of files in its current location and starts infecting the system. It targets a specific set of file extensions, over 150 of them, beginning with known office documents, which is also in line with many other known ransomware families. What is truly unique about it is its method of delivery, which is believed to be through the now-known eternalblue exploit.
While the number of incidents are extremely high, many are believed to be a result of poor security posture. Protection against the eternalblue exploit is fairly basic. The exploit targets servers with smb network sharing exposed to the internet, a feature that should be immediately considered for deactivation. Servers are targeted over the standard network ports for the smb service, all of which can be actively disabled in an organization’s firewalls.
More importantly, these exploits have been actively resolved by current, and ongoing, patches released by microsoft. Patches should be considered for immediate testing and release within an environment. These suggestions follow the established smb security best practices.
Ransomware is on track to be a $200 million crime in 2017, according to jcf data. That’s a substantial increase from 2015, when ransomware was a “mere” $50 million crime. Additionally, ransomware emerged as the fastest-growing malware across all industries in 2016.
There are immediate steps your organization can take today to protect against wannacry and other ransomware variants:
- Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.
- Secure your offline backups. Backups are essential: if you’re infected, a backup may be the only way to recover your data. Ensure backups are not connected permanently to the computers and networks they are backing up.
- Configure firewalls to block access to known malicious ip addresses.
- Logically separate networks. This will help prevent the spread of malware. If every user and server is on the same network newer variants can spread.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch-management system.
- Implement an awareness and training program. End users are targets, so everyone in your organization needs to be aware of the threat of ransomware and how it’s delivered.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as sender policy framework (spf), domain message authentication reporting and conformance (dmarc), and domainkeys identified mail (dkim) to prevent spoofing.
- Block ads. Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.
- Use the principle of “least privilege” to manage accounts: no users should be assigned administrative access unless absolutely needed. If a user only needs to read specific files, the user should not have write access to them.
- Leverage next-generation antivirus (ngav) technology to inspect files and identify malicious behavior to block malware and non-malware attacks that exploit memory and scripting languages like powershell.
- Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
- Conduct an annual penetration test and vulnerability assessment.
Stopping ransomware requires a defense-in-depth approach; there is no silver bullet to security. Software alone is not the answer. It and secops teams must build a strategy that combines user training, next-generation endpoint security, and backup operations.
Every strategy should start with the simplest, most immediate risk-mitigation techniques available in order to limit the attack surface. Concurrently, user training and backup infrastructures should be evaluated, implemented, and practiced.
And please, patch, patch, patch!