This is the largest massive ransomware outbreak globally we’ve seen to date. The malware is still spreading globally, and took down 16 hospitals in the UK, and severely impacted FedEx in the US. Thus far 45,000 computers have been reported infected globally, and the infection is still spreading rapidly. It’s a self-replicating worm and is capable of spreading to other computers inside an infected network. We’ve been writing about ransomware and warning customers for some time, and today, there was a massive global outbreak of a new type of ransomware called Wanna Decryptor or WannaCry. Act now to take preventative measures, and make sure you have good backups. If you think anti-virus will stop it, think again, only 30% of the products on the market will stop it. https://www.mirror.co.uk/tech/what-wanna-decryptor-look-ransomware-10410236
Two weeks ago there was a major Microsoft zero-day vulnerability announced, warning customers to quickly patch their systems. A group called the “shadow brokers” leaked NSA hacking tools. People were calling it the Microsoft server “apocalypse” because all windows servers were vulnerable. Since that time a series of patches have become available, but many organizations don’t install patches that quickly. https://fcw.com/articles/2017/04/14/shadow-brokers-swift-hack.aspx?m=1
Today, this same group unleashed a massive global ransomware attack, using the same methods and vulnerabilities published a few weeks ago. Woe to those who ignored the warnings, and didn’t patch and take adequate preventative measures, the warnings became reality today. The malicious actors are asking for $300 in this case, per PC, to decrypt the data. They purposely set the rate low, so people will pay the ransom. https://www.nbcnews.com/news/world/national-health-service-cyberattack-hits-english-hospitals-hackers-demand-bitcoin-n758516
We do not recommend paying the ransom. It is better to restore your systems from backup. Prevention is better than the cure, if you have good security and good backups, you shouldn’t have any problems. Once your PC is infected with ransomware, you have two choices, pay the ransom, or restore from backup. What else can you do to secure and protect your networks?
Preventative measures are the best, here’s a list…. 1. Educate Your Personnel
– Conduct security awareness training – this malware and many like it, started as an email link, and all it takes is one user to click the link and unleash the malware in your network. 2. Email Spam Filters
– Strong email spam filters can stop a lot of ransomware – unfortunately, bad guys are getting smarter, this latest attack is specifically written to evade spam filters 3. Implement URL / Content Filtering
– These solutions can stop a lot of ransomware attacks, as many of these attacks are launched by tricking a user to click on a link that takes them to a bad website, which infects the PC. 4. Patch All Systems
– Don’t overlook systems and network devices that aren’t part of the Microsoft Windows patching cycle. We often see organizations patch Windows systems effectively, but miss a lot of other devices. 5. Conduct Security Vulnerability Scanning Assessments Regularly
– This allows organizations to find holes in their security. Every organization should be doing this on a regular basis. Fix the holes, and repeat. We recommend at least quarterly. Scan the external public IPSs, but also scan everything inside the firewall on internal networks. We typically find a lot of missing patches when we scan clients, and we often find misconfigured devices that lead to major security vulnerabilities. We see this every day in our practice. 6. Install Nextgen Anti-virus
– nextgen endpoint solutions are no longer signature-based, which is ineffective. Instead, they can look for malicious behaviors and stop them dead in their tracks. 7. Install Nextgen Firewalls
– Solutions from companies like Cisco and Palo Alto offer next generation defenses as part of an overall security defense in depth strategy. 8. Limit Administrative Accounts,
Limit Access – Make sure all accounts are set for least privilege, which will limit the damage if you do get infected. Users should not have administrative rights, and even IT staff should not be using administrative accounts unless needed. Don’t use your IT administrative account for normal day to day work unless you’re actively performing system administrative tasks. 9. Disable Macro Tasks in Office Files
– Many malware infections piggyback inside of Office or PDF file email attachments, and kick off when the file is opened. 10. Disable RDP remote desktop protocol in your network if it’s not needed. 11. Use Application Whitelisting
– Only allow systems to execute programs that are known to be good. (Various technologies allow for this). 12. Classify, Segment, and Treat Data Accordingly
– Implement logical and physical security measures to separate data and networks by classification, and by business organizational units. We might lose a PC, server, or host, even a business unit, but we can limit the damage from spreading to the whole organization and limit the impact. 13. Implement 2-Factor Authentication
– usernames and passwords just aren’t that secure anymore, especially because users tend to implement weak passwords… “Passw0rd123” isn’t going to cut it anymore. It is understandable, how many of us can remember 100 different passwords between work, home, and all of the websites we visit? 2-factor authentication allows us to ask a user for something like a PIN# on top of a user ID and password, so that is a user ID is compromised or stolen, it still can’t be used. We can offer solutions that are both non-intrusive for the user, cost-effective, and can be installed pretty quickly. 14. Upgrade Legacy Hardware
– Old systems are just not that secure…if you’re still running Windows XP, it’s time to upgrade it and get if off your network. Old firewalls, old applications, old infrastructure, is just not as secure as modern technology. There is a big difference. There is a cost to doing this, but there is also a cost to getting ransomware. And isn’t it nice to have fast new computers and networks? What can you do if you’re infected with Ransomware or WannaCry?
If the worst happens and preventative measures didn’t work or weren’t in place, we recommend some of the following immediate corrective actions. 1. Isolate The Infected Computer Immediately
– Unplug it from your network. This will help to stop it from attacking the network or shared drives, and other computers. 2. Isolate or Power Off Devices That Have Not Yet Been Infected
– This may allow more time to clean and recover data, contain the damage, and prevent the situation from getting worse. 3. Immediately Secure Backup Data or Systems By Taking Them Offline
– Ensure your backups don’t have malware. The malware is nasty…it also tries to attack and encrypt your backup files. 4. Contact Law Enforcement
– You can contact the local office of the FBI or US Secret Service to report ransomware and request assistance. This is not as traumatic or eventful as it sounds, they are there to help you. 5. Contact Netrix Security Incident Response
– We have a team of security engineers and professionals, we’re here to help. 6. If possible, change all online account passwords and network/system passwords after removing the system from the network
. Yes, this is a big and painful step in some cases. And unfortunately, once the ransomware is removed from the system and eradicated, we recommend doing this again. Do you want to risk them coming back? If you have 2-factor authentication already in place, this step isn’t as important. 7. There are registry values and settings in Windows machines that can stop a lot of ransomware from running on Windows PCs.
Netrix has put together a complete set of solutions to help our clients combat Ransomware and advanced malware. If this whole list looks daunting, call us, we can help with our Ransomware protection security bundle. IT Security made easy.