- May 15, 2017
- by secureiss
So you’ve no doubt heard about WannaCry (or wCry or WanaCrypt), running rampant and infecting significant public organisations across the globe (Kaspersky Lab have seen evidence of 74+ countries infected during the initial 24 hours, with other reports estimating some 200,000+ machines now impacted across 140+ countries).
So how does it work?
WannaCry comprises two components: an Exploit and an Encryptor.
WannaCry takes advantage of the “EternalBlue” Windows Exploit. This was patched by Microsoft in a March 14, 2017 release MS17-010.
Certain security vendors picked up increased scanning activity around this exploit prior to the attacks late last week. AlienVault noted a sharp increase in scans across their network possibly related to the attacks.
If your systems are up to date then the vulnerability no longer exists, meaning your systems are resilient to an external attack, but read on, as there is a sting in the tail with this one.
The second component of the attack is an encryptor. Unfortunately, the patched vulnerability will NOT stop the encryptor component. If it is inadvertently launched within your organisation it will be up to other components within your security infrastructure to detect and respond.
What should you do?
Although Australia and Asia Pacific haven’t received the headlines that those in Europe have, the region needs to remain vigilant (perhaps call it luck that most of us had finished up work for the week when the attack commenced).
As you would be aware, securing your environment is not all about the endpoint anymore! It’s about a layered security approach and cohesive incident response. Let us break down a few of these points below.
As always, be vigilant as to what emails you and your team are opening. If you don’t know the sender or the email looks unsolicited for whatever reason, delete it! Clicking on an infected link within an email or downloading an infected attachment is easy to do for the unwary reader! Fortunately, there are many Email Security Gateway solutions that can be placed in front of your email servers to block these email attack vectors. These solutions are quite cost effective and simple to deploy. If you haven’t already deployed such a solution, it may be worthwhile starting a conversation with us today.
Each endpoint protection platform provides differing levels of protection and applications to protect against zero-day virus outbreaks.
If you have deployed Kaspersky Lab’s solutions, their System Watcher component (and Anti-Cryptor on Servers) provides significant levels of protection against zero-day viruses and other ransomware (such as WannaCry) on protected machines. So be sure that System Watcher is running on your system.
If you want to ensure that you are not infected, we would also recommend that you run a Critical Areas scan on your environment. More information can be found from the Kaspersky Lab team on this link https://blog.kaspersky.com/wannacry-ransomware/16518/
And it goes without saying, where your endpoint protection solution is signature based, ensure that the definitions are up to date.
System vulnerabilities remain the single largest risk to organisations and this is certainly an area where the attack vector can be significantly reduced. Baselining and identifying vulnerabilities is crucial to any organisation. Overlaying this information with an asset’s risk enables organisations to prioritise responses and address the largest threats.
Ensuring Windows updates are turned on or managed through a third party system (such as SCCM or WSUS) is essential (Patching Operating Systems and Patching Applications both remain a key ASD Top 4 protection strategy).
From a third party application standpoint there are many solutions available to manage third party application patching. (Kaspersky Lab’s systems management functionality provides one such solution).
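A quick way to baseline the point above on an individual Windows host is to ask it three questions: is the MS17-010 fix present, has any security update landed since the March 14, 2017 release, and where does the machine get its updates from. The script below is an added example, not code from the Secure-ISS post or from Kaspersky Lab. The KB numbers for MS17-010 differ per Windows version, so the default in the `$Ms17010Kbs` parameter is a labelled placeholder that you replace with the KB IDs listed in the MS17-010 bulletin for your operating systems; on Windows 10 a later cumulative update supersedes the original KB, which is why the second check (any security update installed on or after the release date) is reported alongside the first.

```powershell
# Added example (not from the Secure-ISS post): report whether this Windows host
# has received the MS17-010 fix and how it is kept up to date.
# ASSUMPTION: the MS17-010 KB IDs differ per Windows version. Look them up in the
# bulletin and pass them in; the default below is a placeholder, not a real KB.
[CmdletBinding()]
param(
    [string[]]$Ms17010Kbs = @('KB<MS17-010-KB-for-this-OS>'),
    [datetime]$PatchReleaseDate = [datetime]'2017-03-14'
)

$installed = Get-HotFix -ErrorAction SilentlyContinue

# 1. Is one of the supplied MS17-010 KBs installed?
$present = $installed | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

# 2. Has any security update been installed since MS17-010 was released?
#    A host with nothing newer than the release date is not being patched at all.
$securityUpdates = $installed | Where-Object { $_.Description -eq 'Security Update' }
$recentSecurity  = $securityUpdates | Where-Object { $_.InstalledOn -ge $PatchReleaseDate }
$lastSecurity    = $securityUpdates | Sort-Object InstalledOn -Descending | Select-Object -First 1

# 3. How are updates managed? A WUServer policy value means the host is
#    pointed at WSUS (or SCCM's software update point) rather than Windows Update.
$wuPolicy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$wuService = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    Ms17010KbInstalled      = [bool]$present
    Ms17010KbsFound         = ($present.HotFixID -join ', ')
    SecurityUpdatesSinceFix = @($recentSecurity).Count
    LastSecurityUpdate      = $lastSecurity.InstalledOn
    UpdateSource            = $(if ($wuPolicy.WUServer) { "WSUS: $($wuPolicy.WUServer)" } else { 'Windows Update (unmanaged)' })
    WindowsUpdateService    = $(if ($wuService) { $wuService.Status } else { 'not found' })
}
```

Run it from an elevated PowerShell prompt, for example `.\Check-Ms17010.ps1 -Ms17010Kbs KB<id1>,KB<id2>`. A result with `Ms17010KbInstalled` false and `SecurityUpdatesSinceFix` of 0 is a host that has not patched since before the fix shipped; a false first value with a non-zero second value is worth a closer look at superseding updates before you declare it unpatched. Wrap it in `Invoke-Command` against your server list to turn it into a quick estate-wide baseline.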
The human factor!
Unfortunately, as with most situations, how we as humans make decisions around emails is critical in protecting an organisation. Secure-ISS, through a number of our security partners, provides Cyber Security Awareness training to educate your team. If you would like to discover how we can prepare and train your organisation when it comes to Cyber Security, please get in touch with us.
Finally, and we cannot stress this point enough, ensure that your organisation has backups. Backups that are stored on solutions not connected to your machine (so that the applicable virus or ransomware cannot delete them). Not only is having a structured backup regime important, but testing it is more so. When was the last time you checked your backup data integrity? How long did it take to restore your systems to get your business up and running?
Detecting and preventing malicious activity is one thing; how your organisation responds to a breach or malicious event is another.
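The integrity question above is easy to answer routinely if a hash manifest is written at backup time and the offline copy is checked against it before anyone relies on it for a restore. The script below is an added example, not code from the Secure-ISS post or from any backup vendor: it writes a SHA-256 manifest of a backup folder, verifies a copy against it, and reports files that are missing or whose contents have changed (the two things ransomware does to a reachable backup). The demonstration at the end builds a constructed two-file backup in `%TEMP%`, verifies it, then damages it to show how the check reports the result.

```powershell
# Added example (not from the Secure-ISS post): backup integrity check by hash manifest.
# Requires Get-FileHash (Windows PowerShell 4+ or PowerShell 7).

function New-BackupManifest {
    # Record relative path, size and SHA-256 of every file under the backup root.
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $BackupRoot).ProviderPath.TrimEnd('\', '/')
    Get-ChildItem -LiteralPath $rootFull -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    # Compare a backup copy against its manifest; report missing and modified files.
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $problems = @()
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $path = Join-Path $BackupRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path)) {
            $problems += "MISSING  $($entry.RelativePath)"
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            $problems += "MODIFIED $($entry.RelativePath)"
        }
    }
    [pscustomobject]@{
        Verified = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# --- Constructed demonstration (sample files, not real backup data) ---
$root     = Join-Path $env:TEMP ('backup-demo-' + [guid]::NewGuid())
$manifest = "$root.manifest.csv"   # kept outside the backup root so it is not hashed itself
New-Item -ItemType Directory -Path (Join-Path $root 'data') | Out-Null
Set-Content -LiteralPath (Join-Path $root 'data\ledger.csv') -Value 'id,amount'
Set-Content -LiteralPath (Join-Path $root 'readme.txt')      -Value 'quarterly backup'

New-BackupManifest -BackupRoot $root -ManifestPath $manifest
$clean = Test-BackupManifest -BackupRoot $root -ManifestPath $manifest
"Fresh copy verified: $($clean.Verified)"            # True

# Simulate what a compromised host does to a reachable backup: overwrite one file, delete another.
Set-Content -LiteralPath (Join-Path $root 'data\ledger.csv') -Value 'not the original contents'
Remove-Item -LiteralPath (Join-Path $root 'readme.txt')
$damaged = Test-BackupManifest -BackupRoot $root -ManifestPath $manifest
"Damaged copy verified: $($damaged.Verified)"        # False
$damaged.Problems                                     # MODIFIED data\ledger.csv, MISSING readme.txt

Remove-Item -LiteralPath $root -Recurse -Force
Remove-Item -LiteralPath $manifest -Force
```

Keep the manifest with the offline copy (or better, in a second location), and schedule `Test-BackupManifest` against the restore target as part of the restore rehearsal the paragraph above asks about; a manifest that only ever gets written and never checked answers neither of the two questions.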
As always, if you would like to discuss any facet of your Cyber Security strategy from risk analysis, protection or remediation please don’t hesitate to get in touch with one of our team.