The media has been awash with the infection of high profile networks (including hospitals, utility companies and government organisations across the globe) by a new piece of malware called WannaCry.
Click for the WannaCry Logo
Despite what the media say, I hesitate to call these ‘attacks’ simply because that implies something targeted and this piece of malware uses a scatter-gun approach to infect machines via ‘phishing’ emails and then spreads itself through computer networks like a ‘worm’, using a vulnerability found in Microsoft operating systems earlier in the year.
RansomWare is not exactly new – being the fastest growing cyber threat for the past few years – but this approach is new in that once downloaded, it spreads itself using a variety of methods, first looking for an existing backdoor called DoublePulsar left by previous malware and if not found, it takes advantage of what is widely believe to be an NSA exploit tool called EternalBlue (leaked to the Internet) to take advantage of a flaw in Windows (see MS17-010) that Microsoft provided a fix for in March 2017 but many companies have not applied.
How to Stay Safe
Plug the Holes
Install all available security updates from Microsoft as a first step – the key exploit that enabled WannaCry to spread so effectively has already been fixed in an update by Microsoft but if its not installed, its not much good!
Deploy Protection
Anti-Ransomware Endpoint software appears to be effective against this new threat, again highlighting the importance of a good business class security solution.
Don’t Open the Door
Unfortunately behaviours are still the root cause of most infections so ask all your users to be especially vigilant, not download anything unknown or unsolicited and question unexpected emails even from known senders.
Backup Offsite
One of the simplest mitigations I’ve seen to the threat of ransomware is a comprehensive, automated offsite backup – allowing you to simple clean the infection, purge the files and restore from backup.
Disable SMB V1.0
Wherever possible, disable SMB V1.0 as with this blocked, WannaCry can only compromise a remote system via a pre-existing backdoor (e.g. DoublePulsar) which is far less likely.
Turn off That Old Kit!
If you’ve got old machines running somewhere that are no longer supported by Microsoft (such as Windows XP, Server 2003, etc.) and you can possible live without them, turn them off or disconnect them from the network!
Thanks for the advices! In addition to Winupdate: Check if KB4019264 update is visible in Installed Update section of ControlPanel. KB4019264 contains KB4015549 which contains KB4012215 security sum for March 2017. The last one is the best released securty update againts WannaCry.
Hi Steve,
Many thanks for the additional information – much appreciated!