WannaCrypt Ransomware: An action plan to improve your cyber resilience defences

Kuwait Times, Technology. By Steven Malone, Director of Security Product Management at Mimecast

The global reach and considerable impact of the WannaCrypt (WannaCry/Wcry) ransomware is a wake-up call for organizations and governments around the world. This ongoing cyber threat will continue to adapt to take advantage of weaknesses in IT systems and procedures. New variants of this malware may cause even more damage if you do not act immediately. At Mimecast our first priority is to help protect our customers against the latest threats. Our services help protect email, which has traditionally been the primary attack route for ransomware.

Early samples have revealed that the ransomware is spread over local networks and the internet by abusing Server Message Block (SMB) protocol weaknesses. Although no Wcry ‘smoking gun’ infection emails have yet been found, it is highly likely that future variants will use email. This short guide is designed to help all organizations complete a review of network security, backup and business continuity systems and processes. We are also providing additional insights into how to make easy and quick configuration changes to ensure your Targeted Threat Protection solution is optimized. As many of you already know, a comprehensive “defense in depth” strategy is the best approach to mitigation of current and future variants of Wcry and other ransomware.

Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday). Microsoft released a security update back in March which addresses the vulnerability that Wcry is exploiting. If your organization has not yet applied that update, deploy Microsoft Security Bulletin MS17-010 immediately. If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch for those versions that can buy you time to upgrade. Microsoft has provided its own detailed guidance to defend against Wcry here.

Good security practice dictates removing or disabling unnecessary services to reduce the potential attack surface. WannaCry has spread quickly by abusing vulnerabilities in the Server Message Block (SMB) network protocol. Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring SMB cannot be directly accessed from the internet. Disable or block other legacy protocols on your network that you are not using.
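The two host-level steps above (confirm MS17-010 is installed, and disable SMBv1 while keeping SMB off untrusted networks) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this page; it is not Mimecast's or Microsoft's code. It uses the built-in Get-HotFix, SmbShare, DISM and NetSecurity cmdlets. The KB number that MS17-010 maps to differs per Windows version and is not given in the article, so $Ms17010Kb is a placeholder you must fill in from the bulletin; the firewall rule name is also an assumption.

```powershell
# Added example (not from the article): audit a Windows host for MS17-010 and
# SMBv1, then apply the recommended hardening. Run elevated.

# Placeholder: MS17-010 ships as a different KB per Windows version; take the
# value for your OS from the bulletin itself.
$Ms17010Kb = 'KB<number-from-MS17-010-for-your-OS>'

function Test-Ms17010Installed {
    param([string]$KbId = $Ms17010Kb)
    # Get-HotFix lists installed updates. Later cumulative updates supersede the
    # original KB, so a missing entry is a prompt to verify, not proof of exposure.
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KbId }
    return [bool]$hotfix
}

function Get-Smb1Status {
    # Server service: is the SMB1 dialect still negotiable on this host?
    $server = Get-SmbServerConfiguration
    # Optional feature (Windows 8.1 / Server 2012 R2 and later): is the SMB1 component installed?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        FeatureState      = if ($feature) { [string]$feature.State } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # Stop the server service from negotiating SMB1 (takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 component entirely where the OS supports it (reboot needed).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

function Block-InboundSmbOnPublicNetworks {
    # Host firewall backstop: never accept SMB (TCP 445) on the Public profile,
    # so a laptop on an untrusted or internet-facing network is not reachable.
    $name = 'Block inbound SMB (TCP 445) on public networks'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

# --- report, then remediate ---
$status = Get-Smb1Status
"MS17-010 ($Ms17010Kb) installed : $(Test-Ms17010Installed)"
"SMB1 enabled on server service   : $($status.ServerSmb1Enabled)"
"SMB1 optional feature state      : $($status.FeatureState)"

if ($status.ServerSmb1Enabled -or $status.FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is still enabled on this host; disabling it.'
    Disable-Smb1
}
Block-InboundSmbOnPublicNetworks
```

Run the report section alone first across a sample of hosts to see how much SMBv1 is still in use (older printers, NAS devices and scanners often depend on it), then roll out the remediation once dependencies are understood. The firewall rule covers only the Public profile on purpose: blocking 445 on Domain or Private networks breaks file and print sharing, and perimeter exposure of SMB is better handled at the internet edge.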

For customers of Mimecast Targeted Threat Protection, we advise a number of activities:

URL Protect - configure a policy in line with our best practice guide in Mimecaster Central. Ensure a policy is applied to all users. Rewriting all URLs to scan for unsafe content at time-of-click is the best approach to preventing inbound URL-based phishing.

Attachment Protect - configure the “Safe Files” option for all users to ensure inbound Microsoft Office files are converted to a safe and benign format. For users who require editable documents, ensure Attachment Protect’s sandboxing is configured. Refer to the best practice guide in Mimecaster Central for details.

Internal Email Protect - this service provides protection for URLs and attachments in both outbound email and mail sent internally. Ensure policies are applied to all users and that remediation capabilities are enabled. Refer to our best practice guide for configuration recommendations.

For Mimecast customers using Mimecast’s secure email gateway, we advise using the most up-to-date attachment management definition, as there are reports of executable files masquerading as Excel files; apply an administrator hold on dangerous file types. This, in conjunction with the Suspected Malware policy and its ability to hold Office files containing macros, provides another layer of detection, but does not provide the analysis offered by Attachment Protect. Mimecast’s ARMed SMTP (Advanced Reputation Management) combines malware, reputation and anti-spam checks to reject unwanted email.

Since a very high percentage of ransomware is spread by email attachments, we urge organizations to consider using sandboxing and/or safe file conversion services. DNS authentication capabilities such as DKIM and SPF can help stop attackers from spoofing or hijacking the email domains of trusted senders, effectively taking away one method attackers use to fool their intended victims. DMARC, which builds on these two mechanisms, adds an extra layer of defense. To learn more about Mimecast’s DMARC implementation and DNS Authentication policies, please check out this document in the Mimecaster Central community.
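SPF, DKIM and DMARC only help if the published records are actually strict, and a record that exists but ends in "?all" or carries "p=none" still lets spoofed mail through. The script below is an added example, not Mimecast's code, showing how to parse the three record types and grade them. The sample records are constructed for a made-up domain; Get-DnsAuthRecords shows how to fetch real ones with the Windows Resolve-DnsName cmdlet, and the DKIM selector name it uses is a placeholder because selectors are chosen by each sender.

```powershell
# Added example (not from the article): parse SPF / DKIM / DMARC TXT records
# and flag weak settings. Sample records below are constructed, not real data.

function ConvertFrom-SpfRecord {
    param([string]$Txt)
    if ($Txt -notmatch '^v=spf1\b') { return $null }
    $terms = @($Txt -split '\s+' | Select-Object -Skip 1)
    # The final "all" mechanism decides what happens to senders not listed.
    $all = @($terms | Where-Object { $_ -match '^[-~+?]?all$' }) | Select-Object -Last 1
    [pscustomobject]@{
        Mechanisms = @($terms | Where-Object { $_ -notmatch '^[-~+?]?all$' })
        Verdict    = switch -Regex ([string]$all) {
            '^-all$' { 'strict: unlisted senders fail SPF' }
            '^~all$' { 'softfail: unlisted senders are marked, not rejected' }
            default  { 'weak: no -all/~all, spoofed mail passes SPF' }
        }
    }
}

function ConvertFrom-DkimRecord {
    param([string]$Txt)
    # A selector record must carry a public key; an empty p= means the key is revoked.
    $hasKey = $Txt -match '(^|;)\s*p=([A-Za-z0-9+/=]+)'
    [pscustomobject]@{
        HasPublicKey = $hasKey
        Verdict      = if ($hasKey) { 'ok: selector publishes a key' } else { 'weak: no usable public key' }
    }
}

function ConvertFrom-DmarcRecord {
    param([string]$Txt)
    if ($Txt -notmatch '^v=DMARC1\b') { return $null }
    $tags = @{}
    foreach ($pair in ($Txt -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $policy = if ($tags.ContainsKey('p')) { $tags['p'] } else { 'missing' }
    $pct    = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    [pscustomobject]@{
        Policy   = $policy
        Percent  = $pct
        ReportTo = $tags['rua']   # aggregate reports: where spoofing attempts become visible
        Verdict  = switch ($policy) {
            'reject'     { if ($pct -lt 100) { "partial: only $pct% of failing mail is rejected" } else { 'strict: failing mail is rejected' } }
            'quarantine' { 'moderate: failing mail is quarantined' }
            'none'       { 'monitor only: failing mail is still delivered' }
            default      { 'invalid: no usable p= tag' }
        }
    }
}

function Get-DnsAuthRecords {
    # Live lookup via the DnsClient module. 'selector1' is only a placeholder;
    # use the selector your mail platform signs with.
    param([string]$Domain, [string]$DkimSelector = 'selector1')
    $txt = { param($n) (Resolve-DnsName -Name $n -Type TXT -ErrorAction SilentlyContinue) |
             ForEach-Object { $_.Strings -join '' } }
    [pscustomobject]@{
        Spf   = @(& $txt $Domain | Where-Object { $_ -like 'v=spf1*' }) | Select-Object -First 1
        Dkim  = @(& $txt "$DkimSelector._domainkey.$Domain") | Select-Object -First 1
        Dmarc = @(& $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }) | Select-Object -First 1
    }
}

# --- constructed sample records (example.invalid is a reserved, non-real name) ---
$samples = [ordered]@{
    'weak'   = @{ spf = 'v=spf1 include:_spf.mail.example.invalid ?all'
                  dkim = 'v=DKIM1; k=rsa; p='
                  dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@example.invalid' }
    'strong' = @{ spf = 'v=spf1 include:_spf.mail.example.invalid -all'
                  dkim = 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA'
                  dmarc = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid' }
}
foreach ($name in $samples.Keys) {
    "== $name configuration =="
    'SPF  : ' + (ConvertFrom-SpfRecord  $samples[$name].spf).Verdict
    'DKIM : ' + (ConvertFrom-DkimRecord $samples[$name].dkim).Verdict
    'DMARC: ' + (ConvertFrom-DmarcRecord $samples[$name].dmarc).Verdict
}
```

The weak sample passes a superficial "do we have SPF/DKIM/DMARC?" check yet protects nothing: "?all" is neutral, the DKIM key is revoked, and "p=none" only asks for reports. Move a domain from p=none to p=quarantine and then p=reject only after the aggregate (rua) reports show legitimate senders aligning, otherwise you quarantine your own mail.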

Data backups and business continuity

Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and, as this attack highlights, there are many ways for an infection to enter an organization. It’s vital that you regularly back up critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share, so it is imperative that your backup retention window is long enough to go back to before any infection began. Backup and recovery measures only work after an attack, and cost organizations in downtime and IT resources dealing with the attack and its aftermath. Organizations must be able to continue to operate during the infection period and recover quickly once the infection has been removed.

Should firms ever pay a ransom?

We advise organizations never to succumb to the pressure to pay the ransom to regain access to their applications and data. There is no guarantee this will unlock files, and it further motivates and finances attackers to expand their ransomware campaigns.

This notification provides external links as a convenience to our users. This does not constitute endorsement by Mimecast of any linked websites, or the information, products or services contained therein. Mimecast does not exercise any editorial control over the information you may find at these websites. Mimecast does not take responsibility for pages maintained by external providers.

Steven Malone
