A new ransomware virus has struck more than 200,000 computers in 150 countries. The virus is known as WannaCry, and it takes advantage of a vulnerability in the Server Message Block (SMB). Once inside the system, it spreads throughout the network corrupting hosts, encrypting data, and locking down the environment. With business data held hostage, companies are forced to pay $300 in bitcoins for the encryption key to unscramble their data. Should the company delay, the ransom can double or the virus may just delete all encrypted files.
The investigation into WannaCry is still ongoing, and the threat is still very real. We’ve included a breakdown of how the virus operates and what an organization can do to protect their network below.
How WannaCry Enters and Spreads in the System
WannaCry leverages DOUBLEPULSAR, a software used to create a persistent backdoor into environments. By entering the network through the SMB vulnerability, WannaCry will then install DOUBLEPULSAR and use this backdoor to sneak in additional software, namely malware. With the payload delivered, WannaCry can proceed throughout the network encrypting key data.
Preventing a WannaCry Attack
To protect your environment from the WannaCry virus, immediately follow these steps:
- Update all windows-based systems to the latest patch and ensure Microsoft bulletin MS17-010 is applied.
- Block inbound traffic to any publically accessible SMB.
- You should strongly consider blocking connections to TOR nodes and TOR traffic. This will prevent files from inside your network reaching out to TOR nodes to download malware.
Furthermore, your organization should follow these security best practices:
- Only use actively supported operating systems that receive regular security updates.
- Establish an efficient patch management process that can download and implement new security updates quickly.
- Use anti-malware software in your network and receive malware signature updates.
- Deploy a reliable data backup solution that regularly saves backups of your environment.
Other Methods of Stopping the Attack
There are several security applications that can identify WannaCry and prevent it from taking root in your environment. It is important to note, however, that because WannaCry is taking advantage of a specific vulnerability, simply having the solutions below will not guarantee protection from the virus.
- Advanced Malware Protection (AMP)
- A Next-Generation Firewall
- Cisco Umbrella
- AMP Threat Grid
The Importance of Data Backup
When a ransomware virus strikes your network, there are very few options available to you. In most instances, you can either pay the ransom or use the data, but a reliable and organized backup system can enable you to circumvent this process. With backups in hand, a network administrator can wipe encrypted files and restore the system to the last backup. For many environments, it is the only sure response to a ransomware attack.
Mindsight offers a wide array of data backup solutions to safeguard your environment. Whether disk, cloud, or a hybrid of both, we can ensure your environment always has a recent backup on hand should a ransomware attack or other disaster strike.