DontCry over WannaCrypt
If you’re reading this article it’s not because you’ve randomly stumbled across the hashtags “WannaCry”, “WCry”, “WannaCrypt”, “Ransomware” etc. It’s because you’re already aware of it. Now, what can we add to the hundreds of articles on the recent breach via ransomware and the NSA vulnerability/exploit MS17-010? To sum it up, these are the mediums discussing WannaCry:
- Blog posts
- Newspaper columns
- TV reports
- Fail image shares across social media
- Text messages
- WhatsApp messages
And, all of the above were discussing, but not limited to:
- The NHS! or as Ali G once called it “The Nuhus… Oh, the NHS.”
- Buy our product! It would have stopped this
- Buy our service! It would have stopped this
- I’m a salesman, but I will not hassle you today (thanks bro for being human)
- I’m a salesman, I will ambulance chase cos you know, meh
- Uninstall Windows, Install Linux
- Mac OS fans hehe’ing
- How much money have attackers behind WannaCry actually made? Let’s find out, as of 17/05/2017: over $77,000 via: https://twitter.com/actual_ransom (unverified)
- It’s the Russians!
- It’s not the Russians
- Links to Korea
- No links to Korea
- ‘Expert’ analysis of WannaCry
- Technical breakdown of WannaCry
- Exploiting MS17-010
- Patch all the things!
- Metasploit module for MS17-010
And the list goes on. Get the picture? Got it. So, what am I here to do that hasn’t been discussed already? I thought I’d share a few friendly words of advice for our clients. If it were me and I was or am at risk of being impacted, this is what I would do:
- Keep calm
- Do not disconnect yourself from civilisation just yet. Not all is lost, read on.
If you are infected with Ransomware, don’t pay it now, contact your internal IT Security team ASAP. Do not delay this process, there are a number of ways to get out of this situation, Google is your friend. Also contact any of the reputable IT Security consultancies out there and they’ll be able to help. Clearly we’re here to help too.
Patch everything! Of course be sure to patch legacy systems first, and if you’re still using XP, Microsoft released a patch for it, WHAT? You say? Yep they have – check it out:
- Microsoft – Customer Guidance for WannaCrypt attacks
Patches can be downloaded directly here:
- Microsoft – Update Catalog
We would strongly recommend upgrading to a conventionally supported Operating System such as Windows 7 or Windows 10 (note how we intentionally missed out 8.1; it’s poor).
Why is SMB even open to the Internet?
Close it. Now. Or restrict to internal ranges only. More information here:
Segregation is key
The extent to which ransomware and worms spread is unprecedented. Keep your networks segregated.
This is pretty self-explanatory and obvious. If you have fallen victim to ransomware and your files have been corrupted, non-recoverable or wiped, backups can be used to safely recover your files.
Ensure that you have an adequate antivirus solution in place on end user devices and servers and keep it up to date. An antivirus solution without the latest updates (definitions) will not identify new threats so won’t keep your staff, customer data and organisation protected. Also ensure that you are using the latest version of the antivirus software itself; a vulnerability in the software could itself be exploited and taken advantage of.
Firewalls and other security preventative measures
Ensure that you have adequate firewalling in place both environment-wide (i.e. dedicated firewall appliances) and on end user devices (that is, Windows Firewall is enabled and blocking unnecessary ports). If you are not legitimately using SMB, it should be disabled at the firewall level.
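The advice above to close SMB or restrict it to internal ranges, and to block it at the firewall, can be checked against a rule export. The following is an added example, not code from the original article: the rule tuple format and sample rules are constructed for illustration, "internal" is assumed to mean the RFC 1918 private IPv4 blocks, and rule ordering (first-match) is not modelled.

```python
import ipaddress

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
# Assumption: "internal ranges" means the RFC 1918 private IPv4 blocks.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules in a hypothetical export format:
# (name, action, direction, source CIDR or "any", port spec)
SAMPLE_RULES = [
    ("file-share-lan", "allow", "in", "10.20.0.0/16", "445"),
    ("legacy-share", "allow", "in", "any", "139,445"),
    ("partner-smb", "allow", "in", "203.0.113.0/24", "445"),
    ("web", "allow", "in", "any", "80,443"),
    ("wide-range", "allow", "in", "192.168.0.0/15", "400-500"),
    ("block-smb-wan", "deny", "in", "any", "445"),
    ("smb-out", "allow", "out", "any", "445"),
]

def smb_ports_in(spec):
    """Return the SMB ports covered by a spec such as '139,445', '400-500' or 'any'."""
    if spec == "any":
        return set(SMB_PORTS)
    hit = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        hit |= {p for p in SMB_PORTS if int(lo) <= p <= int(hi or lo)}
    return hit

def is_internal(source):
    """True only if the whole source network sits inside a private block."""
    if source == "any":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return net.version == 4 and any(net.subnet_of(i) for i in INTERNAL)

def exposed_smb_rules(rules):
    """List inbound allow rules that open SMB to non-internal sources."""
    findings = []
    for name, action, direction, source, ports in rules:
        if action != "allow" or direction != "in":
            continue
        hit = smb_ports_in(ports)
        if hit and not is_internal(source):
            findings.append((name, source, sorted(hit)))
    return findings

if __name__ == "__main__":
    for name, source, ports in exposed_smb_rules(SAMPLE_RULES):
        print(f"{name}: SMB ports {ports} allowed inbound from {source}")
```

The "wide-range" rule is flagged because 192.168.0.0/15 extends past the private 192.168.0.0/16 block, and its 400-500 port range silently includes 445.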
There’s no evidence to suggest that this attack occurred as a result of phishing, but it’s not a bad idea to protect your organisation by training your staff. Check these out: PhishAware – Simulated Phishing, Social Engineering.
If you would like Perspective’s Risks support with your information security, you’ll be in good hands. Click here to contact us.