Ransomware: What to take away from WannaCryWednesday, May 24, 2017
WannaCry was discovered attacking systems in the early morning hours of May 12th. It infected more than 200,000 systems in over 100 countries in less than 24 hours. But by the afternoon of the next day, the global ransomware bug had been squashed.
As the most recent, newsworthy attack of its kind affecting healthcare operations, WannaCry had the ability to infect innocent systems via Microsoft Windows file-sharing protocols, and it did so by using a Microsoft flaw that should have been fixed last March when the update was released.
Initial infections came via two paths: 1) malicious attachments within phishing messages and 2) brute force attacks on Internet-exposed Microsoft Terminal Servers. The windows vulnerability being exploited did not require network credentials, file permissions, or advertised shares for the virus to be able to attack and ultimately ransom a remote system. What's worse, updated versions of WannaCry are out there now and, once inside, fully capable of worming through an organization's network. Compound that with the concern that a large number of Microsoft systems within the healthcare industry remain unpatched.
Even though few U.S.-based healthcare organizations fell victim to the cyberheist compared to other countries, we need to make sure we continue to largely avoid being infected and ultimately ransomed. This is a threat that organizations need to keep a close eye on.
Here's what to do going forward:
- Apply the Microsoft patch MS17-010: https://technet.microsoft.com/library/security/MS17-010, on all Microsoft hosts. Patches were even released for Windows XP and Server 2003, which are no longer supported.
- Block SMB & Netbios ports (137-139, & 445) from entering your network from the Internet.
- Do not expose Microsoft Terminal Servers to the Internet; place them behind a remote access gateway or VPN service. If they must be exposed to the Internet, configure very aggressive lockouts, monitoring and alerting so that you will know when they are being attacked.
- Place restrictive access controls on your existing file shares so that users must have a business need to know to be able to access. Modify access should be even further restricted. This wouldn’t have helped with WannaCry, but is a general best practice against ransomware threats.
- Ensure that anti-malware software is installed, updated daily, and running on all windows computers. Conduct proactive scans at least weekly on all windows hosts, including all your Windows Servers.
- Back up critical data regularly and store on media that is not exposed to your production network.
- Remind employees to be cautious when working with email and to not open attachments they are not expecting from senders they do not trust.
If you need assistance in discovering which one of your systems is still unpatched or vulnerable to future MS17-010 exploits, don’t hesitate to reach out to Brian McCammon to build a project and get a PHA Security Advisor dispatched immediately.
Writer: George Bailey, 765-494-7538, firstname.lastname@example.org