While the first wave of the WannaCryptor attack has passed, a laissez-faire approach to cybersecurity will no longer suffice.
[Editor’s note: this article is the third in a three-part series on WannaCryptor by Nick FitzGerald.]
The attack, which began spreading on the morning of May 12th, 2017 in Europe, was stopped later the same day by an individual going by the name MalwareTech, whom the media dubbed an “accidental hero”. He noticed, by black-box testing the malware, that it tried to access a URL at a non-existent domain, so he registered that domain and pointed it to a server his employer uses for “black-holing” malware URLs. With the URL suddenly live, this WannaCryptor variant promptly stopped encrypting files on, and spreading from, newly compromised PCs, but kept trying to spread from already compromised and encrypted machines that had not been shut down.
Despite the current era of new and more malicious enterprise cyber security threats, many businesses are failing to get a grip on effective prevention tactics. Every new threat brings with it a new challenge, and repelling external assaults on IP and protecting commercial data seem to become ever more difficult. No organisation is immune to cyberattacks, and if your company does not remain vigilant, the result could be a loss of both revenue and customer trust. Following a comprehensive security regime to secure and manage your data is therefore critical.
Use comprehensive endpoint security software
For most machines, basic antivirus software has not been sufficient for some time now. Adding extra, cooperating layers of security, as provided in modern “internet security” suites, provides more comprehensive protection. As exploiting the EternalBlue vulnerability is still the only distribution vector reliably identified for WannaCryptor, even unpatched Windows machines would have been protected from its spread if they had a good endpoint security solution installed that had network-level exploit blocking capabilities.
In a business setting, just because a machine is “only a file server”, and it has a firewall, does not mean it does not need anti-malware software: it does. Always install a reputable anti-malware program.
Backup data
You will undoubtedly have heard this over and over; however, planning well in advance by backing up your systems at regular intervals is crucial. Keep at least one such backup on offline storage at all times to protect your most recent work from an attack. Make sure you always back up data, and regularly check that your backup systems are working properly by making sure you can reliably restore data from them. This will not prevent any kind of malware attack, whether it is ransomware or not, but it is necessary for business continuity: following a natural disaster, fire or theft, backups will likely be the only place from which you will be able to restore important IP, operational and financial data.
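The restore check recommended above, as an added example that is not from the article: it records file hashes when a backup is taken, later restores the archive into a scratch directory, and compares. The tar format, the sample files and the manifest layout are assumptions made for this demonstration.

```python
"""Added example, not from the article: back up a constructed sample tree,
then prove it restores by comparing SHA-256 hashes recorded at backup time
against a fresh restore of the archive."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def make_backup(src_dir, archive_path):
    """Write a gzip-compressed tar of src_dir and return its hash manifest,
    the record a later restore test is checked against."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return hash_tree(src_dir)

def verify_restore(archive_path, manifest):
    """Restore the archive into a scratch directory and diff it against the
    manifest. Returns a list of problems; empty means the restore test passed."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            tar.extractall(scratch)
        restored = hash_tree(scratch)
    problems = ["missing after restore: " + r for r in manifest if r not in restored]
    problems += ["content mismatch after restore: " + r for r in manifest
                 if r in restored and restored[r] != manifest[r]]
    problems += ["unexpected file in restore: " + r for r in restored if r not in manifest]
    return problems

def run_demo():
    """Back up constructed sample data and verify it; then change the source so
    the manifest no longer matches the archive and show the check failing."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2017-05-12,invoice,1200.00\n")
        (src / "notes.txt").write_text("quarterly plan\n")  # constructed sample data
        archive = Path(work) / "backup.tgz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)           # expected: []
        (src / "notes.txt").write_text("quarterly plan, edited after the backup\n")
        stale = verify_restore(archive, hash_tree(src))    # expected: one mismatch
        return good, stale
```

In practice the manifest is stored with the backup and the restore test is scheduled, so a silently corrupt or incomplete archive is found before it is needed.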
Ensure your digital devices are up to date
Patches and system software updates can be difficult to deploy across an entire network. However, you’ll definitely want to install this one. The MS17-010 patch has been available since mid-April and stops the exploit WannaCryptor used from gaining a foothold in your environment. Very large, complex business environments can have legitimate reasons for not updating all of their systems automatically, as and when patches become available. However, even in these environments, most general-use systems should have updates applied as they become available, and WannaCryptor has been a reminder to some system admins as to why.
Small businesses should double-check that automatic updates are enabled. Those depending on managed service providers should check what system update policies are applied to their systems and carefully consider their applicability.
This advice applies equally to non-Windows devices. Apple’s systems, most smartphones, tablets, and some other “smart” devices have automatic update functionality, which should either be enabled or managed through corporate network management systems.
Disable “remote access” tools, check firewall settings
Although not used in the WannaCryptor attacks, there are an increasing number of cases where Windows Remote Desktop Protocol (RDP) and popular third-party remote access tools such as TeamViewer and VNC have been used to compromise business networks and then run ransomware on them.
Scanning a network for the conventional ports these tools use and then brute-forcing their passwords is apparently paying off well for some cybercriminals, as the accounts they gain access to are often highly privileged, allowing access to sensitive internal file or database servers. Such access must be strictly controlled and limited to those who really need it. Moreover, wherever possible, access to such services should only be granted via VPN, removing the necessity of advertising their availability for attack by not opening their ports on your network firewalls.
WannaCryptor was apparently only spread via exploitation of the EternalBlue vulnerability. Some sites were compromised by it because they were not blocking Microsoft networking ports on their external firewalls. It would be polite to label such a configuration a “newbie mistake”. Organisations, particularly those affected by WannaCryptor, should consider having a competent third-party audit remote access to their company network.
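As an added example that is not from the article, the check below scans a firewall log for the exposure the last two sections describe: Microsoft networking and remote-access ports accepted from outside the internal network, with a per-source count that makes a password-guessing burst stand out. The key=value log format, the sample lines and the port-to-service labels are constructed assumptions.

```python
"""Added example, not from the article: flag Microsoft networking and
remote-access ports accepted from outside the internal network in a
constructed, made-up key=value firewall log."""
import ipaddress
from collections import Counter

# Ports the article mentions: NetBIOS/SMB (the EternalBlue path) and
# common remote-access services. Labels are assumptions for this demo.
WATCHED_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram",
                 139: "NetBIOS session", 445: "SMB",
                 3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
2017-05-12T07:41:02Z action=ACCEPT in=wan src=203.0.113.45 dst=198.51.100.10 proto=TCP dpt=445
2017-05-12T07:41:05Z action=DROP in=wan src=203.0.113.45 dst=198.51.100.10 proto=TCP dpt=139
2017-05-12T07:42:11Z action=ACCEPT in=lan src=192.168.1.20 dst=192.168.1.5 proto=TCP dpt=445
2017-05-12T07:43:30Z action=ACCEPT in=wan src=203.0.113.77 dst=198.51.100.11 proto=TCP dpt=3389
2017-05-12T07:43:31Z action=ACCEPT in=wan src=203.0.113.77 dst=198.51.100.11 proto=TCP dpt=3389
2017-05-12T07:43:33Z action=ACCEPT in=wan src=203.0.113.77 dst=198.51.100.11 proto=TCP dpt=3389
"""

def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict, keeping the timestamp as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def is_internal(addr):
    """True for RFC 1918 sources; everything else is treated as external."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_exposures(log_text):
    """Return (exposures, hits): accepted external connections to watched
    ports, and a count per (src, port) so a guessing burst stands out."""
    exposures, hits = [], Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        port = int(f["dpt"])
        if f["action"] != "ACCEPT" or port not in WATCHED_PORTS:
            continue
        if is_internal(f["src"]):
            continue  # internal-to-internal SMB is normal file sharing
        exposures.append((f["ts"], f["src"], f["dst"], WATCHED_PORTS[port]))
        hits[(f["src"], port)] += 1
    return exposures, hits
```

Any entry in the exposures list means the external firewall is accepting a service the article says should be closed or reachable only over VPN.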
Just because the specific malware that caused the WannaCryptor mayhem has stopped spreading does not mean that we can let our guard down. Chances are the author of some other ransomware, who witnessed the unprecedented success of WannaCryptor, could take the EternalBlue code and repurpose it to their own ends. Further, a future zero-day Windows networking vulnerability is always a possibility, and could be used to similar effect. Fortunately, there are a number of steps you can take to protect your business against ransomware threats, and the sooner you take them, the better.
About the author
Nick FitzGerald has an extensive research background in computer malware, technical and editorial writing in the malware and e-crime field, and an in-depth knowledge of anti-malware product testing. He is well-known in the anti-malware industry as a former editor and head product tester for Virus Bulletin. As a web threats researcher, he has worked in the industry from the very earliest days of malware’s move to the web and its associated shift from “electronic graffiti” to its primarily criminal activity today. Nick is currently a Senior Research Fellow, with a particular focus on APAC, at digital protection company, ESET.