May 12th 2017 saw the monstrous ever cyber-attack in Internet historical events (yes, bigger than the Dyn DDoS). A ransomware named WannaCry charge through the web, with the damage epicenter being in Europe.
How the ransomware spread
WannaCry leveraged a vulnerability in Windows OS, determine by the NSA, and then publicly disclosed to the world by the Shadow Brokers.
In the first few hours, 0.2 millions machines were attacked. Biggest organizations such as Renault, Dacia, FedEx, Nissan, Cambrian College, and Petro China were bang and crush by the attackers. Thousands of ATMs and ticketing machines were also targeted and encrypted.
The ransomware encrypts the infected user’s files like photos and videos to documents and databases. After the user gets infected red ransomware note is then displayed, demanding approximately $300-$600 via Bitcoin payment in order to decrypt the user’s files.
Ransomware has been a rising trend for the past two years, and this is just a climax, a grand release to the whole world of just how big of a threat it is. But we’ve been writing about this for a while now.
Five Best Practices to Alleviate Risk
Though WannaCry is in the highlight today, ransomware will extend to spread, and more advanced methods will find their way into attackers’ Dictionary. So, how can an organization protect their systems against WannaCry and other types of ransomware that will definitely evolve in the future? Here are five best practices to follow to reduce risk:
Follow the Least Privilege Principle
Regular configuration of access controls of file, directory and network sharing permissions with the least privilege principle in mind. Most users do not need administrative privileges to do their required task on their corporate endpoint devices, so user access should remain at the minimal point that will allow regular functioning. With the help of a non-privileged user access will not make you immune to WannaCry ransomware, it can stop the malware from doing some certain malicious tasks, such as deleting copies of the infected system’s files.
Apply Application Control
By controlling which executables have access to your files can also help in defensive efforts. For example, if you put the word document executable in a white list as write access to your documentation files, then if a ransomware’s executable tries to encrypt and overwrite the files, it will be denied (as it is not on the “approved” whitelist). It’s important to also establish policies based on trusts that will protect these “trusted” or whitelisted applications.
Disable SMB v1 and Apply Patches
To protect against the specific WannaCry strain, immediately disable and stop the services of the outdated Microsoft SMB protocol, or simply apply the new patch MS17-010 that Microsoft released a few months ago.
Block Internet Access
The Microsoft SMB protocol helps your network, so that your network should not be open to SMB packets from the internet. Implementing port filtering to block all versions of SMB at the network boundary.
Always Backup
Whenever you’re attacked by a ransomware, or your hard drive of your system suddenly dies unexpectedly, backing up your important and privileged data is an essential, table-stakes best practice. But remember that with the help of backups you are not enough to protect against data loss from ransomware attacks, especially if organizations are reveling privileged credentials to attackers.
As we advised in the wake of the initial attacks, organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations to reduce risk. This can help prevent ransomware from encrypting files and deleting the snapshots. This is an important layer in defending against future ransomware attacks.