UPDATE 16-May-2017: Dr. Chenxi Wang, analyst and strategic advisor to ITSPmagazine, captures the latest details of the WannaCry (WanaCry / WCry) ransomware outbreak. In her latest chronicle, Chenxi covers the following items:
- Initial infection vector
- What the kill switch is
- The MS-17-010 vulnerability/patch
- Why it's so prolific
- How much ransom has been paid
- What you can learn from this event
UPDATE 15-May-2017: In a conversation with Eward Driehuis, Chief Research Officer at SecureLink, our take-away is that it's almost like the cybercriminals didn’t know how widespread this thing would go. Evidently, they are not making nearly the amount of money (Bitcoins) that they "should" be making given the number of infections they have (according to Driehuis, it's over 250,000 infections in over 150 countries as of this morning). Connected to this, it appears that nobody is paying the ransom and those that do pay are not necessarily getting their files back anyway.
We had a very interesting conversation with Eward - we hope you enjoy it!
A massive cyberattack seems to have caught the global corporate arena asleep at the wheel. What do some of the experts have to say about it? Read on to find out.
According to Phil Richards, CISO, Ivanti, this NHS attack is a very different type of ransomware.
While some suggest that the original entry vector for the WanaDecrypt0r ransomware was most likely a phishing attack, new information points to a direct scan of port 445, looking for systems to exploit.
Stan Stahl from Los Angeles based Citadel Information Group, Inc. shared the follow recap:
- Users whose computers become infected with the WannaCry ransomware malware can no longer use their files as the malware encrypts files on desktops and across corporate networks.
- WannaCry is based on malware developed by the NSA that was among the massive trove of information that was stolen and leaked on the Internet.
- WannaCry exploits a known vulnerability in Microsoft Windows operating systems.
- Once one computer in a system is infected, the malware spreads to other machines on the same network.
- Microsoft released a critical patch in March 2017 to help counteract this vulnerability. Additional information and thesecurity update are available here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
The payload, as of 4:23 CET, Monday, May 15th): WanaCrypt0r 2.0, has already been detected by Avast 213,000 times in 112 countries.
"When you have a huge variety of old machines and equipment, you're vulnerable to these kinds of attacks," says Stuart Okin, Vice President at security software vendor 1E. "Organizations still running old versions of Windows need to figure out migration strategies ASAP."
According to Rick Hanson, EVP of Skyport Systems and a 30-year security veteran believes, “The reality that the NSA tools, which were leaked earlier this year were used in this attack, means there is much more to come. We as an industry must share intelligence and start taking real action to segment our networks into trusted and un-trusted segments. Focus your security efforts on building secure enclaves around those applications and data that you care about most. Network based security for the lowest common denominator is no longer a solution."
Zenedge CEO, Yuri Frayman, shared this same sentiment with ITSPmagazine's Sean Martin during an interview on this topic. In response to Martin's question regarding the value of Information Security Analysis Organizations (ISAOs) and Information Security Analysis Centers (ISACs), Frayman emphatically replied, "We need more of that. We need more of that. Every industry that has a supply chain needs them." Martin agreed, adding that there is value for both the industry-specific exchanges such as the FS-ISAC, NH-ISAC (sorry, secure site connect not available at the time of this writing), and HITRUST CTX, as well as cross-industry exchanges to provide a more holistic view.
During the interview, Frayman describes how the attack spreads from within the NHS to all of its business partners and third-party vendors, essentially compromising the entire healthcare ecosystem.
Hanson shared a very poignant message, "This is a wake-up call to other agencies that these threats are not only real, but entirely possible. We rely on compliancy alone to give ourselves the feeling of being safe. This is a real world example where a defense in depth strategy needs to be employed."
Tips from the Experts
During his conversation with ITSPmagazine, Eward provided the following tips:
- Patch all systems that need to have the Server Messenger Block (SMB) v1 protocol enabled, even your Windows XP
- Reboot the machine after you patch the machine
- Disable the SMB v1 protocol if you don't need it
- Apply some SNORT rules for your intrusion detection systems (IDS)
- If infected, find the infected machine and isolate it, remediate, and then patch before connecting it back to the network
- Don't throw away your encrypted files... you might find a solution for decryption down the road
Richards from Ivanti offers the following methods to combat this particular ransomware:
- Run Antivirus software on all endpoints and make sure the virus definitions are up to date. If your virus definitions are 1 week out of date, it would not recognize this particular ransomware.
- Run Application Control to restrict administrative privileges. This malware would not be as successful if it did not have access to admin privileges.
- The persistence capabilities of this ransomware are pretty strong. Infected systems need to be powered down and rebuilt. They need to identify all backups and get them off the network quickly, so the backups don¹t get encrypted.
Frayman from Zenedge offers the following advice for the executive staff and board of directors:
- You have to be proactive - you can not be complacent
- You have to listen to your CISO, you hire them to do their job; give them the tools and resources to enable them to do it.
Stahl from Citadel Information Group provided these useful tips for businesses and general computer users:
For IT Departments
- Immediately patch corporate computers
- Thoroughly test back-ups to ensure availability in the event of infection.
For Computer Users
- Always keep your personal computers timely updated with updates for both operating systems (Windows, Apple iOS, etc.) and applications (MS Office, Adobe Acrobat, etc.).
- Make sure you have up-to-date backups. Backups should be stored 'out-of-band,' meaning that they are on a different network from regular files. And don't use 'auto-sync' or you can end up replacing your good backups with encrypted ones.
- Exercise caution when receiving emails that contain links or attachments. Don’t click on links or open attachments in unexpected emails. As Ben Franklin said: Distrust and caution are the parents of security.
Learn More About Phishing Attacks in this ITSP TV Exclusive Webinar
BONUS: The panelists have agreed to touch on the WannaCry subject as well as part of this webinar.