By now, almost everyone has heard about the global ransomware campaign launched on Friday, May 12, known as “WannaCry.” Like other ransomware campaigns, this malware targeted tens of thousands of companies and governmental organizations, encrypting files on infected computers and asking computer administrators to pay a ransom to regain access.
I’d like to cover three important elements in this post:
- How this malware was able to infect so many systems
- Immediate actions you should take to protect your systems against a second wave of attacks
- Long-term actions you should take to protect yourself against future malware of this sort
Anatomy of the WannaCry malware
As with a biological virus, preventing the spread of the malware requires an understanding of how it attacks the system.
This particular ransomware exploited a vulnerability that allows remote code execution via the Microsoft Server Message Block version 1 (SMBv1) server. Microsoft had already fixed this vulnerability for supported versions of Windows, so the majority of machines affected appear to be those that had not applied the patch or were running Windows XP, an older, unsupported version of Windows. Since the attack, Microsoft has taken the unusual and commendable step of reissuing these patches as well as developing a patch for Windows XP.
Note to TierPoint clients: TierPoint is working with our managed service customers to help ensure they have the patch applied and – where they have not – we are either applying it manually or scheduling times to apply it. Clients who opted out of the TierPoint patch management process should review their environments and apply the necessary patches immediately to minimize exposure.
Immediate actions to take
Despite the breadth of this attack, most companies and organizations remain unaffected. However, since the perpetrators of this cyberattack have not yet been caught, experts warn that there could be a second wave coming. To protect your systems, here are some immediate actions to take:
1/ Install all Microsoft security patches.
For those of you who rely on employees to update their own systems, this would be a good time to verify compliance. This malware (or any other malware for that matter) can sneak into your network as soon as one of these infected systems connects. Once there, it can spread to other unprotected systems and devices.
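As an added example (not TierPoint's code or anything from the original post), a PowerShell audit that checks a single Windows host for the two conditions described above: whether the SMBv1 server side that the malware exploited is still enabled, and whether the security patches your team requires are actually installed. The KB list is a placeholder you supply; the post names no specific update.

```powershell
# Added example, not from the original post. Run elevated on Windows 8 / Server 2012
# or later; Windows XP lacks these cmdlets (and, as the post notes, needed a separate patch).
function Get-WannaCryExposure {
    param(
        # KB identifiers your patch team requires; placeholder values, the post names none.
        [string[]]$RequiredKB = @('KB<from-your-patch-list>')
    )

    # 1. Is the SMBv1 server (the attack surface the post describes) still switched on?
    $smbConfig   = Get-SmbServerConfiguration
    $smb1Enabled = [bool]$smbConfig.EnableSMB1Protocol

    # 2. Is the optional SMB1Protocol feature installed at all on this host?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'Unknown' }

    # 3. Compare installed hotfixes against the required list and find the newest one,
    #    so an administrator can see at a glance when this machine was last patched.
    $hotfixes     = Get-HotFix
    $installedIds = $hotfixes | ForEach-Object { $_.HotFixID }
    $missing      = @($RequiredKB | Where-Object { $installedIds -notcontains $_ })
    $latest       = ($hotfixes | Where-Object { $_.InstalledOn } |
                     Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

    # One row per host; collect these across the fleet to verify patch compliance.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1Enabled
        Smb1FeatureState  = $featureState
        LatestHotfixDate  = $latest
        MissingRequiredKB = $missing
        Exposed           = ($smb1Enabled -or $missing.Count -gt 0)
    }
}

Get-WannaCryExposure | Format-List
```

Any host reporting Exposed = True belongs at the top of your patching queue; the MissingRequiredKB column tells you which updates to apply.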
2/ Backup critical data to an unconnected device.
This ensures that even if your systems are unresponsive, you will have data to reload once the problem is addressed. However, it’s important that you disconnect your backups from the network to prevent spread of the malware to your backup systems.
3/ Deploy antimalware software and the malware signatures associated with this threat.
These can be found on the Department of Homeland Security website. TierPoint is available to help our clients if needed.
4/ Refresh your counter-phishing policies and training.
The current speculation is that the malware was introduced via phishing emails. If there is a second wave, it will most likely take the same route. Make sure all employees are trained to recognize suspicious emails, know how to (not) respond to them, and have a method for reporting them to your security administrators.
5/ Create a ransomware response plan.
If you are hit with a ransomware attack and are unprepared, there are a number of immediate decisions you will need to make including whether or not to pay the ransom (most experts say no), how to interact with law enforcement, and what information to release to the public. We highly recommend working with a law firm experienced in creating such plans to ensure all your bases are covered.
The long-term response
Many of these immediate actions will also help protect your systems long-term against a second wave of WannaCry attacks or future cyberattacks from other sources. The key is to turn your immediate response into a way of doing business.
1/ Patch all systems as soon as possible.
Over the years, many IT administrators and employees have put off applying patches for as long as possible. In some ways, that’s understandable. In the early days, you never knew what a patch would “break” and how soon a new fix would become available. To their credit, vendors like Microsoft have gotten much better at managing their development and release protocols and providing background information on why the patch is being released. If you don’t have the bandwidth to focus on patch management, TierPoint offers a Managed Operating System and Application service that may be able to help.
2/ Have an updated backup and disaster recovery plan.
While the immediate response is to back up your data, the long-term response should be to have a plan that addresses all of your business needs, not just the immediate threat. Here are a couple of related posts that can help:
3/ Review your system vulnerabilities regularly.
If you own a micro-business with one or two employees, you might be able to get away with buying an off-the-shelf antivirus and malware protection application. But as your business and your systems grow, your exposure to the new threats that are constantly being introduced will be greater. Even seemingly innocuous devices such as a network-connected printer can allow malware to enter your systems if left unsecured. The Department of Homeland Security recommends running vulnerability assessments at least once a year. If cybersecurity isn’t a core competency of your IT team, our advisors can help.
4/ Conduct regular employee cybersecurity training.
With the constantly changing threat landscape, employee training is not a one-and-done task. Phishing is one of the most common vectors for a cyberattack, making your workforce one of your weakest links. It’s not that most of them are ignorant of the threat, but they have other things on their minds. Keeping them up to date can help them stay alert. We recommend re-training every six months, with special sessions to address immediate threats as needed.
5/ Have a ransomware response plan.
As always, the best time to plan is before something happens. Developing an effective long-term ransomware response plan requires coordination across three core competencies: cybersecurity, disaster recovery, and legal. Given the prevalence of ransomware, this should be part of your Disaster Recovery and Business Continuity Plan, but make sure you include adequate representation from these other competencies in your planning sessions. It can also help to have your plan reviewed by outside experts for potential holes.
Hopefully this has helped you identify the steps you need to take to protect your systems and your organization. Of course, we’ve just skimmed the surface of this complex and ever-changing topic. If you have specific questions, feel free to reach out to us or add them in the comment box below.
Paul Mazzucco, Chief Security Officer, is responsible for all TierPoint corporate security standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards. Paul joined TierPoint through its 2014 acquisition of Xand, where he served in a similar role.