The media has been awash with the infection of high profile networks (including hospitals, utility companies and government organisations across the globe) by a new piece of malware called WannaCry.
Despite what the media say, I hesitate to call these ‘attacks’ simply because that implies something targeted and this piece of malware uses a scatter-gun approach to infect machines via ‘phishing’ emails and then spreads itself through computer networks like a ‘worm’, using a vulnerability found in Microsoft operating systems earlier in the year.
Ransomware is not exactly new – it has been the fastest growing cyber threat for the past few years – but this approach is new in that once downloaded, it spreads itself using a variety of methods: it first looks for an existing backdoor called DoublePulsar left by previous malware and, if that is not found, it uses what is widely believed to be an NSA exploit tool called EternalBlue (leaked to the Internet) to take advantage of a flaw in Windows (see MS17-010) that Microsoft provided a fix for in March 2017 but many companies have not applied.
How to Stay Safe
Plug the Holes
Install all available security updates from Microsoft as a first step – the key exploit that enabled WannaCry to spread so effectively has already been fixed in an update by Microsoft, but if it's not installed, it's not much good!
Anti-Ransomware Endpoint software appears to be effective against this new threat, again highlighting the importance of a good business class security solution.
Don’t Open the Door
Unfortunately behaviours are still the root cause of most infections so ask all your users to be especially vigilant, not download anything unknown or unsolicited and question unexpected emails even from known senders.
One of the simplest mitigations I’ve seen to the threat of ransomware is a comprehensive, automated offsite backup – allowing you to simply clean the infection, purge the files and restore from backup.
Disable SMB V1.0
Wherever possible, disable SMB V1.0 as with this blocked, WannaCry can only compromise a remote system via a pre-existing backdoor (e.g. DoublePulsar) which is far less likely.
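One way to audit and then disable SMB v1.0 on a single Windows host, as an added example that is not part of the original post. The cmdlets, registry paths and sc.exe settings are Microsoft's documented ones; the function names (Get-Smb1State, Disable-Smb1) are my own choice. Run from an elevated PowerShell session; the client-driver change takes effect after a reboot.

```powershell
# Added example: audit and disable SMB v1.0 (server and client side).
$lanmanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxsmb10  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1State {
    # Reports each SMB1 component; $true means it is still enabled.
    $state = [ordered]@{}
    # Server-side protocol switch (cmdlet exists on Windows 8 / Server 2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $state.ServerProtocol = [bool]$cfg.EnableSMB1Protocol }
    # Optional-feature package (Windows 8.1 / 10 / Server 2016 and later).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $state.FeaturePackage = ($feat.State -eq 'Enabled') }
    # Registry override used on Windows 7 / Server 2008 R2: a missing value means enabled.
    $reg = Get-ItemProperty $lanmanSrv -Name SMB1 -ErrorAction SilentlyContinue
    $state.RegistryValue = if ($null -eq $reg) { $true } else { $reg.SMB1 -ne 0 }
    # Client-side SMB1 redirector driver: Start = 4 means disabled.
    $drv = Get-ItemProperty $mrxsmb10 -Name Start -ErrorAction SilentlyContinue
    if ($drv) { $state.ClientDriver = ($drv.Start -ne 4) }
    [pscustomobject]$state
}

function Disable-Smb1 {
    # Server: use the cmdlet where available, and set the registry value for older builds.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Set-ItemProperty $lanmanSrv -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Client: remove the SMB1 redirector from the workstation's dependency list and disable its driver.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Write-Host 'SMB1 state before:'
Get-Smb1State | Format-List
Disable-Smb1
Write-Host 'SMB1 state after (client driver change applies at next reboot):'
Get-Smb1State | Format-List
```

Run Get-Smb1State on its own across a fleet first to find hosts that still expose SMB1 before making changes.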
Turn off That Old Kit!
If you’ve got old machines running somewhere that are no longer supported by Microsoft (such as Windows XP, Server 2003, etc.) and you can possibly live without them, turn them off or disconnect them from the network!