Ooops, your important files are encrypted....

Member Article

WannaCry Cyber Attack & Staying Secure

The largest global ransomware attack to date began on Friday 12th May 2017. The worm, known as WannaCry, WCry or WannaCryptor 2.0, affected organisations worldwide, including the NHS and Nissan.

Details on the attack:

WannaCry exploits a vulnerability in Microsoft's SMBv1 file-sharing protocol, using the leaked NSA exploit known as EternalBlue, to gain access to unpatched systems from Windows XP through to Windows 10 (Microsoft only routinely supported Windows 7 upwards at the time, though it released an emergency patch for XP, Server 2003 and Windows 8 over the weekend of the outbreak). No user interaction is needed: once it compromises one system it scans for and infects any other unpatched device it can reach on TCP port 445, both on the local network and across the internet. On each compromised machine it encrypts files and demands $300 in Bitcoin to decrypt them, rising to $600 after three days.

The vulnerability itself was discovered by the NSA, whose exploit for it, 'EternalBlue', was leaked by the Shadow Brokers group in April 2017. Microsoft had already fixed the vulnerability in March 2017 in security bulletin MS17-010, two months before the outbreak, so every machine that was infected was one that had not applied that update.

Should you pay up?

No.

The Bitcoin wallets used in this attack show around £35,000 deposited so far, but there is not a single confirmed report of a payment resulting in released files. Analysis of the worm's code indicates that, unlike most ransomware, it has no automated way to link a payment to a particular victim, so any decryption would depend on the attackers acting manually for each victim.

So paying them will probably not work. Restore from backup instead.

How can you protect against WannaCry?

Kaspersky estimates around 200,000 systems are at risk, of which roughly 46,000 have been compromised, leaving around 150,000 still exposed. Researchers also discovered that the malware contains a kill switch: before doing anything else it tries to connect to a hard-coded domain (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), and if the connection succeeds it exits without encrypting files or spreading. A security researcher registered that domain, which stopped the spread of the original worm. Two caveats: the check only works if the infected machine can reach the domain directly, so do not block it at your firewall or web proxy, and a machine that can only reach the internet through a proxy the malware does not use will still be encrypted. More importantly, new strains of the worm without the kill switch, and other worms using the same vulnerability, will make their way onto the internet.

To protect against the worm, block inbound TCP ports 445 and 139 and UDP ports 137 and 138 (SMB and NetBIOS) at the internet edge for every device, and on any internal network that contains a compromised machine, block them between network segments too. Disable SMBv1 wherever it is not strictly required: it is the protocol version EternalBlue targets, and nothing modern depends on it.

If a local machine is affected, isolate it from the network immediately (pull the cable or disable Wi-Fi) before it encrypts shared drives or infects its neighbours.

You must apply the MS17-010 patch for the SMB vulnerability to every machine on your network and to every machine that connects to it; details and download links are here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
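The three steps above (confirm the patch, disable SMBv1, block the SMB and NetBIOS ports) can be checked and applied from an elevated PowerShell prompt on each Windows host. The script below is an added example, not part of North IT's article; the KB numbers are the March 2017 updates listed in the MS17-010 bulletin (plus the out-of-band KB4012598 for XP, Server 2003 and Windows 8), and the firewall rule names are our own choice. Later monthly rollups supersede those KBs, so a host that shows none of them is a prompt to check Windows Update, not proof that it is vulnerable.

```powershell
# Added example (not from the original article): check a Windows host for the
# MS17-010 exposure WannaCry used and apply the mitigations the article
# recommends. Run in an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# March 2017 MS17-010 updates from the Microsoft bulletin. Later cumulative
# updates supersede these, so absence here is a warning, not a verdict.
$ms17010Kbs = @(
    'KB4012598',              # Windows XP / Server 2003 / Windows 8 (out-of-band, May 2017)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

# 1. Is one of the MS17-010 updates installed on this host?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found. Confirm via Windows Update or a vulnerability scanner before trusting this host."
}

# 2. Is SMBv1, the protocol version EternalBlue targets, still enabled?
#    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning "SMBv1 is enabled; disabling it."
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Write-Host "SMBv1 already disabled."
    }
} else {
    # Windows 7 and older: follow Microsoft KB2696547 (LanmanServer SMB1 registry value).
    Write-Warning "Get-SmbServerConfiguration unavailable on this OS; disable SMBv1 per Microsoft KB2696547."
}

# 3. Block inbound SMB and NetBIOS on the Public (internet-facing) profile so the
#    worm cannot reach port 445 from outside. On an internal segment that holds
#    an infected machine, extend -Profile to 'Domain,Private' as the article
#    advises, accepting that file sharing to this host stops until it is lifted.
$rules = @(
    @{ Name = 'Block SMB TCP 445';     Protocol = 'TCP'; Port = 445 },
    @{ Name = 'Block NetBIOS TCP 139'; Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block NetBIOS UDP 137'; Protocol = 'UDP'; Port = 137 },
    @{ Name = 'Block NetBIOS UDP 138'; Protocol = 'UDP'; Port = 138 }
)
foreach ($r in $rules) {
    # Rule names are our own; skip rules that already exist so the script is re-runnable.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Port -Action Block -Profile Public | Out-Null
        Write-Host "Added firewall rule: $($r.Name)"
    }
}

# 4. Verify from a second machine that port 445 is now unreachable:
#    Test-NetConnection -ComputerName <this host> -Port 445
```

Run it from a management host over a remoting session on every workstation you can reach, and treat any host that fails step 1 and cannot be patched (unsupported XP that cannot be retired yet) as one that must have SMBv1 disabled and live on an isolated segment until it is replaced.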

How do you stay secure from the next attack?

Cyber attacks are increasing, and it is more important than ever to establish a business culture of security awareness.

We recommend the following:

  • Apply patches as soon as they are available.
  • Make sure any unsupported operating systems are removed from your organisation, not connected to any network, or replaced with supported operating systems. (Get rid of XP!)
  • Keep anti-virus up to date, daily.
  • Engage in regular penetration testing and vulnerability scanning using a qualified 3rd party supplier of these services.
  • Have a 3rd party supplier conduct a build review of your user workstations and laptops. This is particularly important: correctly configured patch management and hardened configuration settings are much harder to exploit through phishing.
  • Add malware scanning to your email chain.
  • Review all firewalls and consider connected local protected networks, rather than one whole available LAN. Check routes and improve egress filtering.
  • Keep regular backups which are off-site and not connected to your network. Make sure this process is verified, tested and fully working by actually restoring from it. Preferably use physical media which isn't used for anything else.
  • Train your staff. Ransomware is often initiated by an email attachment, and this is on the increase. Engage in simulated phishing attacks, which will keep your staff on their toes.

If you’re affected by this attack or want help email us at Talk@NorthIT.co.uk.

This was posted in Bdaily's Members' News section by North IT .
