Hackers always attack the low-hanging fruit: the known vulnerabilities in the software that fuels your organization. The recent WannaCry ransomware attacks are no exception. They fully exploit a known vulnerability in Windows to execute on affected computers without administrative privileges and also to move laterally in the network, infecting other machines.
Normally, ransomware attacks originate through a simple phishing or spear-phishing attack when the malicious software gains a foothold on a user machine. If the user has administrative privileges, the malware could easily infect all other computers. So how do you prevent ransomware attacks like WannaCry from becoming an enterprise-wide pandemic? As you’ll find below, the right techniques and tools can stop ransomware in its tracks. (And further below, you’ll find a brief recap on WannaCry.)
The right techniques
Every organization has its own, unique set of circumstances to consider when it comes to securing its IT and data. That said, there are security best practices that are universally appropriate, including:
- Concentrate on basic security measures: Many organizations deploy expensive security solutions, but fail to concentrate on basic security measures like keeping software versions updated, maintaining internal access controls, and turning on/off certain security settings. By following a sound vulnerability scanning and patch management process, you can significantly reduce the attack surface.
- Educate users: Social engineering often proves to be highly fruitful for hackers to perpetrate attacks. Even tech-savvy users are falling prey to such attacks. Fight back by educating your users to refrain from clicking links or opening attachments in malicious emails and exercise caution when downloading media files.
- Enforce least privilege: Ransomware and other malware usually require elevated privileges to execute and propagate inside the network. Eliminate that vulnerability by granting only least privilege, or just-in-time elevation, to users who do not need standing elevated privileges.
- Set application controls on endpoints: Executing malicious applications, software programs, or scripts results in the insertion and propagation of malware. Restrict the execution of unfamiliar or untrusted applications on endpoints to prevent ransomware attacks.
- Protect privileged accounts, control and monitor privileged access: Hackers target administrative passwords after gaining hold of a machine for lateral movement across the network. Protect privileged accounts with vaulting solutions and enforce best practices like strong, unique passwords with periodic rotation to stop ransomware in its tracks.
The right tools: endpoint management
Endpoint management software such as Desktop Central helps you protect your computers from WannaCrypt and other ransomware and malware attacks. Desktop Central detects the computers that are vulnerable, identifies which critical patches they are missing, and lets you deploy those patches immediately.
In addition, you can use Desktop Central to block the vulnerable firewall ports and prevent ransomware from spreading across your network. To combat WannaCry, specifically, we have added support for all the related Windows OS patches. Read more to find out how you can leverage Desktop Central to protect your enterprise from WannaCry and other malware threats.
The right tools: SIEM
A comprehensive log management solution for security information and event management (SIEM) like EventLog Analyzer helps you identify and fix security vulnerabilities that threaten your network. EventLog Analyzer audits log data from your vulnerability scanners and gives you a single, unified view of all your network’s vulnerability points (services, ports, and devices), including computers running out-of-date versions of Windows, which are WannaCry’s attack targets.
With its in-depth security log auditing and alerting, EventLog Analyzer detects and informs you that ransomware such as WannaCry is being installed on your systems. Further, you can audit registry key changes, installed services, and created processes to detect key events that occur during a ransomware attack. You can then remediate the attack by running a script once an alert is triggered to kill any processes created by the ransomware.
The right tools: file server auditing
A file auditing solution like FileAudit Plus gives you a real-time alerting console that helps instantly detect ransomware attacks on your file systems. Basically, ransomware makes several modifications to your files in a short period of time, including renaming files and altering file extensions. To detect the changes with FileAudit Plus, use an appropriate threshold limit to configure an alert profile. If your threshold limit is “10 files modified in less than a minute,” for example, FileAudit Plus will alert in real time if that limit is exceeded.
With WannaCry, specifically, files are encrypted into a .wncry format. You can easily add this new file format to your alert profile to receive real-time alerts when any of your files get changed to .wncry. Additionally, FileAudit Plus provides you with alert profiles for file encryption from other known ransomware file formats.
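The two alert rules described above (a burst of modifications inside a one-minute window, and a rename to the .wncry extension) can be reproduced with a few lines of detection logic. The following is an added example written for this post, not FileAudit Plus code; the audit events, share path, user names and alert profile values are all constructed here for illustration.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical alert profile mirroring the post's example: 10 files modified in
# under a minute, plus a rename to the .wncry extension used by WannaCry.
THRESHOLD = 10
WINDOW = timedelta(minutes=1)
RANSOM_EXTENSIONS = {".wncry"}  # extend with other known ransomware extensions

# Constructed sample audit events: (timestamp, user, operation, resulting path).
SAMPLE_EVENTS = [("2017-05-12 09:00:01", "alice", "MODIFY", r"\\fs01\share\report.docx")]
SAMPLE_EVENTS += [(f"2017-05-12 09:30:{s:02d}", "bob", "MODIFY", rf"\\fs01\share\doc{s}.xlsx")
                  for s in range(0, 33, 3)]           # 11 edits in 30 seconds
SAMPLE_EVENTS.append(("2017-05-12 09:30:31", "bob", "RENAME", r"\\fs01\share\doc0.xlsx.WNCRY"))


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return [(timestamp, message)] alerts for the two rules above.

    Modification counts are kept per user in a sliding window so that a
    single account mass-rewriting files stands out from normal shared use.
    """
    alerts = []
    recent = defaultdict(deque)      # user -> timestamps inside the window
    burst_open = set()               # users already alerted for the current burst
    for ts_str, user, op, path in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        # Rule 1: a file takes on a known ransomware extension (case-insensitive).
        if op == "RENAME" and os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS:
            alerts.append((ts_str, f"ransomware extension: {user} renamed a file to {path}"))
        # Rule 2: too many modifications by one user inside the window.
        if op in ("MODIFY", "RENAME"):
            q = recent[user]
            q.append(ts)
            while ts - q[0] >= window:   # drop timestamps older than the window
                q.popleft()
            if len(q) >= threshold and user not in burst_open:
                alerts.append((ts_str, f"{len(q)} files modified within {int(window.total_seconds())}s by {user}"))
                burst_open.add(user)     # alert once per burst, not once per file
            elif len(q) < threshold:
                burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for when, msg in detect(SAMPLE_EVENTS):
        print(when, msg)
```

Running it against the constructed events raises the burst alert on bob's tenth edit at 09:30:27 and the extension alert on the rename at 09:30:31, while alice's single edit stays silent.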
The recap: WannaCry
Here’s what you need to know about the recent, prolific ransomware attack, WannaCry:
How does ransomware work? Ransomware is a specific kind of malware that is used for data kidnapping and lock screen attacks. Once ransomware infects your system, it encrypts all your data after getting activated by a central server. Once the file encryption is complete, it will ask for a sum of money as ransom to unlock the encrypted data. Usually, a timer is attached with the message to ramp up the pressure. If the timer runs out, you will permanently be locked out and lose all your files forever.
As the name suggests, ransomware holds your system’s data hostage for a ransom amount. This threat is usually spread through infected software applications, email attachments, and by visiting compromised websites.
What about WannaCry (aka WannaCrypt, WCry, and WanaCrypt0r 2.0)? WannaCry is ransomware that has recently gained attention after an attack that started last Friday (May 12). It has caused tremors throughout the world, with Europe being the epicenter. The attackers behind WannaCry have been targeting computers running Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, and Windows 8.1.
After infecting your computer, WannaCry encrypts your files and demands payment in bitcoin in order for you to regain access. However, security experts warn that there is no guarantee that you’ll get your files decrypted even after payment.
WannaCry’s trick is that it does not stop there. It has dual functionality—it’s part malware, part worm. Once it gets into your computer, it searches for other computers within your network and tries to spread to them. It achieves this with the help of the TCP and UDP ports. This can prove to be a nightmare for enterprises if WannaCry seeps its way into a computer on the corporate network.
WannaCry exploits a vulnerability in the Windows operating system, termed EternalBlue, which is believed to have been developed by the National Security Agency. This vulnerability was leaked by a hacker group calling themselves the Shadow Brokers. WannaCry has already spread across Europe and Asia, impacting more than 150 countries and disrupting roughly 45 hospitals in the UK alone.
Will WannaCry affect my phone? Fortunately, smartphones are not affected by this threat. However, it is always best practice to protect your enterprise’s endpoints—whether they’re PCs or mobile devices. (Learn how to protect your enterprise’s mobile devices from other threats.)
Is there a cure? While there is no permanent fix to this problem yet, the saying that “an ounce of prevention is worth a pound of cure” holds true here. In addition to regularly backing up your data, either on an external disk or on cloud storage, we recommend you adopt the tools and techniques that will secure your network. Otherwise, you and your end users and customers may be left in tears.
Introduction & The right techniques: V. Balasubramanian
The right tools: endpoint management: Nikhil Nayak
The right tools: SIEM & file server auditing: Siddharth Sharathkumar
The recap: WannaCry: Nikhil Nayak