On May 12th, 2017, a widespread global ransomware attack began traveling through vulnerabilities in the Windows operating system. It has struck over 150 countries and a broad range of industries. More than 45,000 attacks have been recorded so far, ranging from UK National Health Service to FedEx.
It has yet to be discovered who is behind the attack. However, a twenty-two-year-old cyber security researcher registered a domain name hidden in the malware, which has for now stopped the spread of the attack. This has given organizations in the US more time to develop immunity to the attack. The attack is likely not over: cyber criminals often change the code and start again. Microsoft released a patch (a software update that fixes the problem) for this Windows operating system flaw in March 2017, but pirated programs and computers that have not installed the security update remain vulnerable.
Since it is random, scattered, and broad, it is hard to know where it may hit next. It is important that all organizations patch their Microsoft operating systems before they are infected.
After exploiting a security weakness, or after a malicious link in your email is clicked, the ransomware installs itself and encrypts some or all of the files on your computer with a secret key, so you can no longer open them.
To decrypt your files so you can use them again, you must pay an amount of money to the attacker, usually in bitcoin. Once you have paid, the attacker gives you a key with which to decrypt your files. Keys are typically specific to your computer, so a different key must be used on each system that has been infected with ransomware.
If you’ve been hit by WannaCry Ransomware, you’ll see the following on your screen: “Oops, your files have been encrypted!”
1.) Ransomware is a real threat, much like credit card theft, electronic banking hacks, and electronic espionage.
2.) If you haven’t already, patch your Microsoft systems immediately (or disable the vulnerable component). More information can be found here.
Your organization can protect itself by following the golden mantra of update, educate, and separate:
You may not always care about minor bug fixes or features, but you should always keep major apps, programs, and operating systems such as Windows, browsers, and PDF readers up to date. Set up automatic updates and/or calendar reminders.
49% of data breaches are caused by malicious or criminal attacks, and 19% are related to employee negligence (Source: Cost of Data Breach Study by the Ponemon Institute.)
A lot of ransomware is simply emailed to people and requires them to click on a link for the computer to be infected. This is commonly called “phishing”. Once users know how to recognize links and attachments, and to be distrustful of them, the chances of ransomware taking hold of your environment quickly diminish.
Gain support from your senior leadership by knowing the business risks and consequences to the company in regards to data breach. Ensure your employees are not using pirated software and that all software is up to date. Educate and train your employees on how to handle confidential information and email safely. Commit to security best practices as an organization.
A strong firewall on the perimeter is worthless once the attacker and his/her ransomware are in the door and have free rein inside. So build a network of levees, so that a security breach in one segment does not spill over into the next.
When your daily defenses are in decent shape, hunt for compromises daily. Remember that you are fighting a human attacker, who is smart about the defenses you may have in place.
Collect flow data from all routers and switches in your network, and let a behavior anomaly detector do its work. Collect logs from all servers, access points, and workstations. Hunt for obvious malicious activity, investigate each anomaly, and watch for movement of large amounts of data on your network.
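The hunt described above (collect flow data, baseline each host's behavior, flag anomalies and large data movement for investigation) can be sketched in a few dozen lines. The following is an added example, not FlowTraq's code or API: it runs over constructed NetFlow-like records (window, source, destination, bytes), builds a per-host byte-volume baseline from earlier time windows, and reports three kinds of findings for the current window: a host whose outbound volume is far above its own baseline, a host that suddenly fans out to many internal peers, and a host with no history at all. The `10.` internal prefix, the thresholds, and all addresses are assumptions chosen for the example.

```python
"""Flow-record anomaly hunt over constructed sample data (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIX = "10."  # assumption: the internal address space is 10.0.0.0/8

# Constructed flow records: (window, src_ip, dst_ip, bytes_out).
# Windows 0-3 are history; window 4 is the one being hunted.
SAMPLE_FLOWS = [
    # steady workstation -> file server traffic
    (0, "10.0.1.10", "10.0.2.20", 1000), (1, "10.0.1.10", "10.0.2.20", 1200),
    (2, "10.0.1.10", "10.0.2.20", 900),  (3, "10.0.1.10", "10.0.2.20", 1100),
    (0, "10.0.1.11", "10.0.2.20", 2000), (1, "10.0.1.11", "10.0.2.20", 2100),
    (2, "10.0.1.11", "10.0.2.20", 1900), (3, "10.0.1.11", "10.0.2.20", 2000),
    (0, "10.0.1.12", "10.0.2.20", 800),  (1, "10.0.1.12", "10.0.2.20", 900),
    (2, "10.0.1.12", "10.0.2.20", 1000), (3, "10.0.1.12", "10.0.2.20", 700),
    # current window: two hosts unchanged ...
    (4, "10.0.1.10", "10.0.2.20", 1050),
    (4, "10.0.1.11", "10.0.2.20", 2050),
    # ... one host pushes 50 MB to an outside address and touches nine internal peers ...
    (4, "10.0.1.12", "203.0.113.5", 50_000_000),
    *[(4, "10.0.1.12", f"10.0.1.{n}", 500) for n in range(20, 29)],
    # ... and a host never seen before appears
    (4, "10.0.3.99", "10.0.2.20", 100),
]


def bytes_by_host(flows, window):
    """Total outbound bytes per source host within one window."""
    totals = defaultdict(int)
    for w, src, _dst, nbytes in flows:
        if w == window:
            totals[src] += nbytes
    return dict(totals)


def internal_fanout(flows, window):
    """Number of distinct internal destinations each source contacted in a window."""
    peers = defaultdict(set)
    for w, src, dst, _nbytes in flows:
        if w == window and dst.startswith(INTERNAL_PREFIX):
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items()}


def build_baseline(flows, history_windows):
    """Per-host (mean, population std-dev) of outbound bytes over the history windows.
    A host seen in history but silent in some window contributes 0 for that window;
    a host with no history at all gets no baseline entry."""
    history_windows = list(history_windows)
    seen = {src for w, src, _d, _b in flows if w in set(history_windows)}
    series = defaultdict(list)
    for w in history_windows:
        totals = bytes_by_host(flows, w)
        for host in seen:
            series[host].append(totals.get(host, 0))
    return {host: (mean(v), pstdev(v)) for host, v in series.items()}


def find_anomalies(flows, current_window, history_windows,
                   z_threshold=3.0, fanout_threshold=5):
    """Return findings for the current window as dicts with host, kind and evidence."""
    baseline = build_baseline(flows, history_windows)
    current = bytes_by_host(flows, current_window)
    fanout = internal_fanout(flows, current_window)
    findings = []
    for host, nbytes in sorted(current.items()):
        if host not in baseline:
            findings.append({"host": host, "kind": "new_host", "bytes": nbytes})
            continue
        mu, sigma = baseline[host]
        # A flat history (sigma == 0) would turn any change into an infinite z-score;
        # fall back to a fraction of the mean so tiny jitter is not a finding.
        denom = sigma if sigma > 0 else max(0.1 * mu, 1.0)
        z = (nbytes - mu) / denom
        if z > z_threshold:
            findings.append({"host": host, "kind": "volume_spike", "bytes": nbytes,
                             "baseline_mean": mu, "z": round(z, 1)})
    for host, n in sorted(fanout.items()):
        if n >= fanout_threshold:
            findings.append({"host": host, "kind": "fanout", "internal_peers": n})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS, current_window=4, history_windows=range(4)):
        print(finding)
```

Each finding is a lead to investigate, not a verdict: the 50 MB push might be a backup, and the new host might be a laptop that just joined. The value of the baseline is that it turns "large" into "large for this host", which is what lets a human hunter triage quickly.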
There is no such thing as a 100% secure network, but simply doing this legwork takes you a long way toward keeping ransomware off your network.
Gain visibility on your network around the clock and set up alerts. Learn more about FlowTraq Cyber Threat Hunting.