One of the more alarming malware campaigns we’ve seen has been conducted in the past few days, causing widespread damage to hospitals, telecoms, and national infrastructure around the world.
That malware is called WannaCry. It can come in your network’s front door much like most malware does in 2017: a successful phishing attack against one of your employees. Once introduced to a Windows environment, it will attempt to spread from machine to machine, like the worms of old. As it infects a target, it will encrypt the files on the machine, destroy its local backups, and like other ransomware, demand a payment in Bitcoin to unlock the files.
The malware is more devastating than other ransomware families of the past not just because of its self-replicating nature, but that it spreads using a recent Windows vulnerability present by default in all supported versions of Windows workstation and server releases, from Windows Vista to Windows 10 and Windows Server 2016. Many organizations may have not patched this vulnerability yet and as such could see not just a single machine infected, but their entire Windows population.
Our partner Cisco has a comprehensive writeup
on the behavior of the malware and steps you can take to protect yourself. We want to highlight some lessons we’ve already learned from this incident:
- Patch management is still an incredibly important, foundational security practice. The patch that protects against the spread of this malware in a LAN has been available for two months (if you don’t have it, download it here). An effective patch management program would have deployed this patch within 30 days of its release.
- The malware communicates with its operator(s) using Tor, an anonymizing application that is often used to access illicit sites or hide malicious activity. Your organization should be blocking Tor traffic from leaving the LAN through its internet connection as a defensive practice.
- Phishing is still the attacker’s best chance at getting past your internet-facing defenses. End user training using slide decks, posters, and videos isn’t enough anymore. Enforcing good behavior through phishing simulation and immediate training is the best way to change your employees’ bad habits.
CBTS can assist with phishing simulation, security and network architecture reviews, security controls and defenses, patch management, and yes, cleanup of ransomware infections! Contact us today if you’re concerned or fighting WannaCry in your own environment.