Ransomware attacks are nothing new and have been a common form of malicious activity as of late. The question is how can you protect value for your organization? How do you identify, manage and mitigate risk to safeguard your organization and move forward confidently?
The latest ransomware cyber attack, which is known as ‘WannaCry’ and ‘WannaCrypt0r’ among other names, has infected tens to hundreds of thousands of home-user and enterprise computers across various industries and numerous countries. This malware, like that of other ransomware attacks, infects the system resulting in the encryption of data and files to make them inaccessible until a ransom is paid to decrypt and unlock the information.
Ransomware attacks have several common traits:
'WannaCry:’ Common malware characteristics and a unique feature
- They are developed to take advantage of a weakness in an operating system or application.
- They are spread via phishing techniques.
- They require communication back to a host for payment.
- Payment is typically made via Bitcoins.
For this specific malware event, the initial infection point of the ransomware is unknown. However, the EternalBlue exploit is being used to rapidly spread the ransomware payload to systems running vulnerable versions of the Microsoft Windows operating system (from Windows XP to Windows Server 2012). The ransomware payload is spread through the Server Message Block (SMB) protocol, which is a common protocol enabled on most Windows systems that is used to share files across a network and provides printing capabilities. Due to the wide use of the SMB protocol, the ransomware is able to spread more easily and quickly. Also, ‘WannaCry’ malware can act independently and does not require an end-user to take any action, such as opening an email, clicking a link, or running a program. The infection is invisible to the end-user until the ransomware message is displayed on the screen. Because it uses a common file sharing protocol and has the ability to self-execute and replicate, ‘WannaCry’ is more dangerous than other malware.
Imperative steps to take to protect yourself from 'WannaCry'
What safeguards should users and organizations consider in order to protect themselves from 'WannaCry'? There are several immediate steps that should be taken to minimize the likelihood of impact by 'WannaCry':
Additional proactive, protective measures against future ransomware attacks
- Make sure your Microsoft Windows systems are all up-to-date with the latest patches.
- Remind all employees to be on the lookout for suspicious emails and other forms of phishing.
- Consider blocking the SMB protocol to prevent the spread of the infection.
- Make sure the backups of your data and applications are not infected.
To have a comprehensive cyber security strategy, you should also implement the additional safeguards introduced below:
- Perform wargaming exercise - Plan exercises that simulate going through the process of experiencing an attack and through the subsequent events for recovery. Since there is no such thing as 100% security, it is important to understand the steps needed to recover from an attack in the shortest time possible. Tabletop exercises and wargaming will assist with simulating real time attacks and will test your organization’s response capabilities before they are needed for an actual event.
- Implement an ongoing security awareness campaign – Provide training to employees, contractors, and 3rd parties. Cover areas such as acceptable use, password complexity, phishing campaigns, use of encryption, and social media. Require annual training for all employees to re-introduce them to the topics of cyber security and to familiarize them with any changes implemented during the year. In addition, it is a good idea to send a monthly or quarterly email, highlighting a single topic or current event related to employee cyber security responsibility.
- Secure your perimeter network – Only expose systems and services to public networks, including the Internet, based on business need. One of the ways that the ransomware payload is spreading is through the SMB protocol. This protocol is typically used on internal networks and it is not necessary to expose this protocol to the Internet. If you currently have this protocol publicly exposed, re-evaluate the need for its exposure and consider disabling its use. Exposing only necessary and secure services to the Internet reduces your network’s overall attack surface.
- Enforce network segmentation – Consider implementing internal network segmentation to restrict and control access between critical and non-critical systems. Network segmentation controls can assist with slowing the spread of a malicious infection (such as ransomware) and allow incident responders to more effectively contain and eradicate the incident.
- Develop a process/procedure for addressing threats – Encourage internally that your cyber security team be aware of current security threats in order to evaluate a possible impact on your environment. Is there a threat on the Internet which could affect a system within your information technology environment? Do you have a way to quickly assess whether a threat should be acted upon or ignored, if you don’t run that application or operating system? Developing a process/procedure for addressing threats either manually or via an automated method can allow your cyber security team to be proactive in addressing potential issues.
- Establish a vulnerability management program – Vulnerability management programs enable organizations to identify potential security vulnerabilities, such as open ports or insecure configurations within your IT environment. Vulnerability testing/scanning should occur on a routine/scheduled basis and report on the exposure of your organization to internal and external sources. Having this information allows your cyber team to assess, investigate, and take action on any unknown vulnerabilities within your environment.
- Apply security patches in a timely manner - Ensuring that vendor security patches are applied in a timely manner can help safeguard against malicious attacks using known vulnerabilities. Microsoft released a security patch (MS17-010) in March for “supported” Windows operating system versions in response to the EternalBlue exploit that can be installed to protect systems. The security patch was also more recently made available for outdated and unsupported versions of Windows, including Windows XP and Server 2003. Enterprise Patch Management solutions allow organizations to manage and automate the patch management process. With these, you can receive notifications when new patches are available for operating systems and applications deployed within your environment; you can schedule deployment and track its progress.
- Implement effective data recovery capabilities – Ensure that an effective data backup and recovery process is in place. Sometimes the only way to recover data encrypted by a ransomware attack is to restore the last known good backup. Without adequate backups, data and information may be unrecoverable.
- Have in place a fully tested response strategy – You need to be prepared to adequately identify a potential breach, then quickly coordinate resources and invoke the necessary processes to contain and mitigate effects of the breach. A great incident response program includes the following components:
- Clearly defined roles and responsibilities within your team. Have all stakeholders been identified and trained on their responsibilities in the event of a cyber incident or breach?
- Technology. What information security detection, alerting and mitigating technology solutions are in use?
- Reporting. Has the organization identified all of its obligations related to reporting an incident? Legal? Regulatory? Contractual? To shareholders?
- Communication strategy. Who should be informed of the incident? By what mechanism should this occur? When should the organization communicate and to what degree?
- Attorney-client privilege. Have protocols been established to ensure that the organization’s privilege protections are in place and carefully managed? Has the organization determined whether in-house or outside counsel will direct any investigative steps?
- Law enforcement. Have parameters been defined where law enforcement involvement may be required? If so, does the organization know whom to contact (which agency) and how?
- Cyber insurance. Is cyber insurance in place? What is covered by the insurance policy in case of a cyber breach? At what point must notice be given to the underwriters and a claim be invoked?
- Post breach. Does the organization have plans and strategies in place to recover from a breach and to minimize the potential damages?
Ransomware attacks are a global reality that is going to become an everyday possibility for all enterprises. In our most recent survey of over 1,000 business leaders in the U.S., we discovered that leaders in all industries are aware of the expansion of cyber threats and getting ready for this reality in a proactive and collaborative fashion. Your organization can join their ranks by developing, implementing, training on, and testing all the pieces of an incident or breach response plan, which will allow you to be prepared for a quick, efficient response when events like ‘WannaCry’ occur.
Principal and National Managing Partner
+1 703 847 7580
+1 248 415 6024