Insights

WannaCry Delivers a Wake-up Call

WannaCry Delivers a Wake-up Call

May 17, 2017

A global ransomware attack called WannaCry was launched on May 12 to exploit a known vulnerability in Windows SMB and Remote Desktop Protocol (RDP). This malware targeted networks in health care and critical infrastructure throughout at least 99 countries, with the bulk of infections reported in Russia, Taiwan, and Spain. Infected users’ computers were encrypted, and the users were instructed to pay a ransom for the decryption key. 

Despite this widespread event, the reality is that ransomware itself is nothing new. According to the FBI, over 4,000 ransomware attacks have happened daily since January 1, 2016. However, because of the numbers affected in this recent event, the size of the attack, and the velocity of its spread, WannaCry has caught attention of the media and consequently of business executives.

At this point, it appears WannaCry has been contained, but variants or other versions of ransomware will happen again. This makes it a good time for companies to review their ransomware preparedness in order to prevent or respond to future attacks.

Infected by ransomware? Take these steps.

Just like a cold or flu, computer viruses like to spread the infection to others. Isolation and containment is the key to limiting the damage. If a computer on your network is infected, the following respond and recover steps should be taken:

Respond

  • Isolate the infected device immediately to contain the virus from spreading.

  • Isolate or power off devices that have not been completely corrupted.

  • Secure backup systems by taking them offline to preserve the integrity of your data backups.

  • Collect and secure partial portions of data that may exist.

  • Change all online account and network passwords.

  • Delete registry values and files to stop from loading.

  • Report the incident to your local FBI field office or to the Secret Service.

Recover

  • Hopefully, any impacted computers have clean backups so data can be restored. Recover data from a restore point prior to the infection.

  • If data has not been successfully backed up to a recent restore point, or if the backup also was corrupted by ransomware because restore points were not set up properly, companies will need to give careful consideration to whether or not to pay the ransom. Paying the ransom is not advised because there are no guarantees that your data will be restored, and paying the ransom encourages this extortion business model. But if there are no alternatives, companies should consult with their stakeholders and business advisors, including legal counsel, computer forensics advisor, and insurance provider, to understand the options and risks.

Need to prevent ransomware? Take these steps.

The old adage that an ounce of prevention is worth a pound of cure is entirely relevant in this situation. The infection and spread of WannaCry and many other variants could have been prevented. Below are steps that can help prevent a future incident:

Patch and update. Microsoft had issued a “critical” patch on March 14, 2017, to remove the underlying vulnerability exploited by WannaCry. This exploit demonstrates the importance of having a vulnerability management process in place to keep systems and software up to date with proper protections.

Replace unsupported operating systems. Unsupported operating systems like Microsoft XP, 8, and Windows Server 2003 were particularly vulnerable because updates were not available. Microsoft has subsequently issued a patch for these older systems, but for many, the damage has been done.   

Train employees. This, like many other computer viruses, required someone to click on an email attachment. Employees need a healthy dose of education and paranoia to make sure they think before they click. Emails coming from unknown senders or attachments that are not expected (even from known senders) should be verified before opening. Employees should also know what to do immediately to isolate and contain the spread if they believe they have been infected. This includes disconnecting from the network and notifying the IT help desk or incident response team.

Use antivirus/anti-malware. Set antivirus and anti-malware programs to update automatically with the latest updates and patches, and conduct regular scans of computers on the network. 

 

Back up data regularly and test recovery/restore. Data must be backed up with methods that meet business requirements. For certain types of data this could be performed daily, while for others it may be hourly. Most importantly, the backups must be tested periodically to validate effectiveness.

 

Secure backups. Backups should not be permanently connected to the computers and networks they are backing up so ransomware cannot lock out backup systems (including cloud based) when continuously backed up. 

 

Filter spam. Companies should enable strong filters to prevent phishing emails from reaching targets and to authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

Limit administrator access. Manage the use of privileged accounts based on the principle of least privilege; no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should use them only when necessary. This will prevent software programs, including malware, from being downloaded by users without admin access.

Disable macro scripts from office files transmitted via email. Consider using Office Viewer software instead of full office suite applications to open Microsoft Office files transmitted via email.

 

Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

 

Consider disabling Remote Desktop Protocol (RDP) if it is not being used. RDP is the target of many ransomware attacks, including WannaCry.

 

Review cybersecurity insurance policies. Cybersecurity insurance has become big business as of late, but the coverage seems to vary greatly among providers. Review your insurance coverage to see what damages resulting from ransomware are covered by the policy. For example, does it cover the ransomware payment, downtime cost, breach notification expenses, etc.?

Review and test your incident response plan. Many incident response plans have not been updated to include today’s more relevant incidents. Take time to update your plans to address ransomware and prepare your teams through tabletop “mock drills.” It is also a good time to make sure your plans include advance arrangements with service providers that your organization may need to deal with while addressing an incident. This includes legal counsel, computer forensics, public relations, IT support, law enforcement, and—heaven forbid!—an exchange to purchase Bitcoin to pay a ransom!

If you need assistance, please contact Jeff Olejnik or your Wipfli relationship executive.