WannaCry and others. Ransomware is here to stay, what can you do today?

Short intro 

I saw that coming a while ago.

The unprecedented WannaCry ransomware attack that just hit about 150 countries over the world (and coming, as it's not been completely stopped yet) is no surprise to me at all.


I wrote this stuff a year ago but nothing has changed since then, so, once again, I've been a good prophet.

This is sad and, at the same time, exciting to me. 

I'm graduating in Network Security and UNIX/Linux Database Administration in two days and that's perfect timing with what's going on around the world right now.

I'm excited to give my humble contribution to win this fight.

I'd previously envisioned that cyber-criminals would target hospitals and so it was. In the UK, several hospitals were hit harshly and had to shutdown.

These threats will grow exponentially and my professional opinion is that, quoting an old rock tune, we ain't seen nothing yet.

This post aims at supplying my readers with actionable tips they can use right now to protect their systems.

I'm going through a free malware analysis class and I intend to perform a detailed technical analysis of WannaCry and similar ransomware variants with coming posts, so stick around.


Roots of the problem

1) Windows vulnerabilities + sloppy security implementations: The way Windows is structured makes it more vulnerable than other operating systems to specific vulnerabilities. What makes this specific ransomware kinda unprecedented is that attackers used leaked NSA tools designed to exploit a specific Windows vulnerability with the SMB protocol (CVE-2017-0143), related to filesharing, enabled by default in several Windows network configurations.

In layman's terms, leaving unused services like this open is like leaving your front door unlocked and then being shocked if a thief broke in.  So, if you don't need to use a specific service or port, make sure to shut it down. Microsoft tries to make Windows as easier to use as possible but that doesn't necessarily go along with security. The vulnerability that was exploited by WannaCry is only one of many examples.

The situation gets yet worse when, due to multiple reasons, companies and individual users have a sloppy security posture. This vulnerability had been patched by Microsoft in March but most users, especially corporate users, had not updated their systems yet.

Traditionally, companies apply updates slower because they normally do that after imaging their systems. This is another reason for considering switching to a different operating system. The fact Windows is the most popular operating system and its many vulnerabilities and problems make it an easy target for cyber criminals. Other operating systems such as Linux, though having their vulnerabilities as well, are much less likely to be attacked this way. That doesn't mean a UNIX/Linux operating system cannot get hacked, but it can't be done the same way as in Windows and there are fewer malware variants available. In other words, attackers go where the big money is and most desktop computers in the world run Windows.

2) Availability of malware: You can find malware samples, if you know where to go. Some criminal organizations sell cheap ransomware-as- a-service platforms, working the same way cloud services do. With this sort of tools, you don't necessarily need to be a programmer for you to wreak havoc. These guys have the software already bundled and packaged for you and, as a matter of fact, someone said WannaCry was the worst coded malware ever seen.

What you can do to protect yourself today
  1. Update your system immediately, as Microsoft has released a patch.
  2. Don't trust anything or anyone. If you get an email from an unknown source, even though it looks legit, don't click on the links embedded in it at anytime and, if you just need to open them up, do it within a virtual machine.
  3. Avoid using Windows as long as possible. That doesn't guarantee you cannot get infected, but it's more unlikely.
  4. Perform frequent backups and keep them stored off-line on an external hard drive.
  5. If you receive any suspicious email attachments (regardless of their file extension. It doesn't always need, or appear, to be an .exe file), delete them right away.    
  6. If one or more clients get compromised, disconnect them immediately from the network.
  7. If your company uses cloud storage, disconnect infected clients to prevent them from syncing to the cloud.
  8. If you haven't performed a backup already (really??), do it now.
  9. Be ready to re-image the infected machine(s), if that's the case.
  10. Re-connect infected machines to the network only after making sure they're running a clean and trusted configuration.
  11. Be aware these guys are going for quick and dirty money and, if you're not an easy target, they might switch to an easier prey, and that's what you need to hope for.
Wrap-up

Human factor is critical in Information Security and, sadly, a careless click can destroy an organization's network within a fraction of a second.

A formal and effective backup strategy is absolutely paramount to mitigate this threat.

This latest attack has dramatically shown how important this concept is.

Will organizations learn this lesson?

We'll stand and see.

I'm not personally very optimistic, though.

Comments

Related Posts Plugin for WordPress, Blogger...

Popular Posts

Contact Form

Name

Email *

Message *