Few will have missed the large-scale ransomware attack on 12 May 2017, which particularly affected the NHS but disrupted operations at more than 100,000 organisations in 150 countries. Unfortunately, if we haven’t yet fully comprehended the existing threat from ransomware, we now do.
The WannaCryptor ransomware, or ‘WannaCry’, is a highly virulent worm: once a user is infected, it spreads rapidly across the internal network.
How WannaCry works
The malware exploits a Microsoft Windows vulnerability in the Microsoft Server Message Block (SMB) v1.0 protocol, compromising hosts and encrypting files before demanding a ransom payment in the form of Bitcoin. Once a host is infected, the ransomware spreads laterally across the network by exploiting the SMB file sharing protocol on TCP ports 139 and 445. The payload can also scan external IP ranges and further spread the infection.
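The lateral spread described above leaves a recognisable trace in firewall or flow logs: one internal host opening SMB connections (TCP 139/445) to many different peers within seconds. The script below is an added example, not code from the original article; it runs the detection over a few constructed log lines whose layout (timestamp, action, protocol, source, destination) is an assumption, so the regular expression in `$pattern` must be adapted to the real export format.

```powershell
# Added example (not from the original article). Flags a host that opens SMB
# connections (TCP 139/445) to many distinct peers inside a short window, the
# lateral-spread pattern of WannaCry. Log lines and field layout are constructed
# for this example; adjust $pattern to match your firewall or flow-export format.
$sampleLog = @'
2017-05-12T10:00:01Z ALLOW TCP 10.1.4.20:49211 -> 10.1.4.21:445
2017-05-12T10:00:02Z ALLOW TCP 10.1.4.20:49212 -> 10.1.4.22:445
2017-05-12T10:00:02Z ALLOW TCP 10.1.4.20:49213 -> 10.1.4.23:445
2017-05-12T10:00:03Z ALLOW TCP 10.1.4.20:49214 -> 10.1.4.24:139
2017-05-12T10:00:03Z ALLOW TCP 10.1.4.20:49215 -> 10.1.4.25:445
2017-05-12T10:00:04Z ALLOW TCP 10.1.4.20:49216 -> 10.1.4.26:445
2017-05-12T10:00:05Z ALLOW TCP 10.1.4.30:50001 -> 10.1.4.10:445
2017-05-12T10:00:07Z ALLOW TCP 10.1.4.30:50002 -> 10.1.4.10:445
2017-05-12T10:03:00Z ALLOW TCP 10.1.4.40:50101 -> 10.1.4.11:443
'@

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,          # length of the sliding window
        [int]$DistinctTargetThreshold = 5  # a normal client rarely touches this many hosts over SMB in a minute
    )
    $pattern = '^(?<ts>\S+)\s+\S+\s+TCP\s+(?<src>[\d.]+):\d+\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)$'

    # Keep only connections to the SMB ports, parsed into objects
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.dport -in @('139', '445')) {
            [pscustomobject]@{
                Time   = [datetime]$Matches.ts
                Source = $Matches.src
                Target = $Matches.dst
            }
        }
    }

    foreach ($group in ($events | Group-Object -Property Source)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Distinct targets seen in the window that ends at event $i
            $windowStart = $sorted[$i].Time.AddSeconds(-$WindowSeconds)
            $targets = @($sorted[0..$i] | Where-Object { $_.Time -ge $windowStart } |
                         Select-Object -ExpandProperty Target -Unique)
            if ($targets.Count -ge $DistinctTargetThreshold) {
                [pscustomobject]@{
                    Source          = $group.Name
                    DistinctTargets = $targets.Count
                    WindowEnd       = $sorted[$i].Time
                    Targets         = $targets -join ','
                }
                break   # one alert per source is enough
            }
        }
    }
}

Find-SmbFanOut -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

The threshold and window are deliberately conservative so that a user browsing a couple of file shares is not reported, while a worm scanning a /24 crosses the threshold within a few seconds; in the constructed log only the first host (six SMB peers in three seconds) qualifies. Tune both values against a baseline of your own logs before alerting on them, and note that the check works on both allowed and denied connections, so a firewall that already blocks 445 still shows the scanning host.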
Microsoft released a critical security patch, MS17-010, for this vulnerability in March 2017. Given the severity and virulent nature of the malware, Microsoft has since released emergency patches for older (unsupported) operating systems like Windows XP.
https://www.microsoft.com/en-us/download/details.aspx?id=55247
Actions to protect against WannaCry
- Apply Microsoft Windows security update MS17-010
- Block connection to ports 139 and 445 on your firewall
- Block legacy protocols like SMBv1 on your local network, or firewall off SMB locally to vulnerable systems that can’t be patched.
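The following script is an added example, not code from the original article, showing how an administrator can audit a single Windows host against the three actions above and, only when run with `-Enforce`, apply the two host-level ones (disable SMBv1, block inbound 139/445 at the host firewall). Which KB article carries MS17-010 depends on the Windows version, so `$RequiredKb` is a placeholder to be replaced with the number for the system being checked; the rule name and function names are this example's own.

```powershell
# Added example (not from the original article). Audits this host for the
# WannaCry preconditions and, only with -Enforce, applies the host-level fixes.
# Run from an elevated PowerShell prompt on Windows 7 / Server 2008 R2 or later.
# $RequiredKb is a placeholder: MS17-010 ships as a different KB per Windows
# version, so supply the number for this OS from the MS17-010 bulletin.
param(
    [string]$RequiredKb = 'KB_PLACEHOLDER',
    [switch]$Enforce
)

$ruleName = 'Block inbound SMB (TCP 139/445)'
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbExposure {
    param([string]$Kb)
    $patch = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: the SMB1 value under LanmanServer\Parameters controls
        # the server side; when the value is absent SMBv1 is enabled.
        $v = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    $rule = $null
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PatchInstalled = [bool]$patch
        Smb1Enabled    = [bool]$smb1
        SmbBlockRule   = [bool]$rule
    }
}

function Invoke-SmbHardening {
    param([switch]$Apply)
    if (-not $Apply) {
        Write-Output "Dry run: would disable SMBv1 and add firewall rule '$ruleName'. Re-run with -Enforce to apply."
        return
    }
    # Action 3: disable SMBv1 on this host
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8.1 / 10: also remove the SMB1 optional feature (takes effect after reboot)
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Action 2 at the host firewall: block inbound SMB. Suitable for workstations
    # and for unpatchable systems; a file server instead needs a rule scoped with
    # -RemoteAddress to the clients that must still reach it.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Older hosts without the NetSecurity module
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
    }
}

Get-SmbExposure -Kb $RequiredKb | Format-List   # state before
Invoke-SmbHardening -Apply:$Enforce
Get-SmbExposure -Kb $RequiredKb | Format-List   # state after (unchanged in a dry run)
```

Patching remains the first action; the script only reports whether the named KB is present and does not install it. Disabling SMBv1 breaks access from clients that speak nothing newer (Windows XP, some printers and NAS devices), so inventory those dependencies before enforcing across the estate, and prefer running the audit half through your management tooling to find exposed machines first.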
Variants of WannaCry are already spreading. Initial variants were configured with a killswitch domain; we already see newer versions without it.
Multi-layer security measures
Multiple security measures are required to protect your organisation from ever-changing and relentless cyber threats. A cohesive multi-layered approach, including antivirus, content filtering, and sandboxing, is needed to secure the entry and exit points of the company network.
Reduce Vulnerabilities
- Update software patches regularly and often. Patching known vulnerabilities is the single best way to protect your networks against malware attacks, worms and ransomware.
- Patch management solutions can assist with this task over large networks, and endpoint device management solutions will help identify vulnerable machines or mobile devices.
- Regular vulnerability assessments (penetration tests) will quickly expose known vulnerabilities.
Educate Staff
- Your security is only as reliable as its weakest link. Security-aware employees can be one of the most effective deterrents to malicious threats. However, many users do not understand the best practices regarding computer security.
Data Backup and Disaster Recovery
- It is always important to have resilient data backup processes in place. Backups are only protected when they are kept offline, separate from the production environment, since ransomware can also corrupt backup copies it can reach. Snapshots and replication can be vulnerable to time-delayed ransomware attacks, because the encrypted files are copied over the good ones before the infection is noticed.
Life After WannaCry
As we have seen, organisations face sizable challenges going forward. Unfortunately, the threat of significant business disruption is very real. A wider assessment of the organisation’s cyber security systems, processes, and policies will frame your readiness and provide a roadmap to improve security posture and avoid potentially damaging attacks from new and evolving threats. A long-term vision is required to protect an organisation’s continued prosperity. New threats will emerge, and an effective security framework is needed to keep pace with criminal hacking activities.