How to Protect Your Organization from Ransomware Attacks
16 May, 2017
Starting on Friday, May 12, 2017, a massive ransomware attack infected more than 230,000 computers in 150 countries. The attack utilized WannaCry, a ransomware computer worm that targets the Microsoft Windows operating system. The malware is designed to encrypt a system’s data, effectively locking out the system’s owner, and then demands a ransom payment in exchange for the release of the information. As of the 15th, the Bitcoin ransom accounts had received over $26,000, indicating that some people are choosing to pay the ransom.
Most ransomware infects computers by way of phishing emails, and this appears to be how WannaCry started. Once installed, it uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA) to spread laterally through local networks and to remote hosts, encrypting all data files it can see.
We don’t yet know the full details of the infection vectors, but we do know it targets a known vulnerability in older Microsoft remote file sharing services. With over a million devices running this service (SMB on port 445) exposed to the internet, it’s pretty obvious why this attack has spread so far and so fast. Ironically, Microsoft had issued a critical patch on March 14, 2017, nearly two months before the attack, that removes the underlying vulnerability on supported systems, but many organizations had not yet applied it.
If you’re a ShareVault customer, rest assured: ShareVault's diligent focus on layered security measures ensures your data is fully secure and safe from malicious attack. We hope your systems and data elsewhere fared as well.
In the wake of the attack, ShareVault has revisited its security controls to ensure that this attack, and the variants likely to follow it, are prevented. Since the May 12th wave of attacks, the malware has been upgraded at least once and will likely continue to evolve as organizations try to contain it.
Of all the articles and resources offering guidance on how to contain this latest threat, one stands out that I would like to share with you. Published by the FBI and distributed via their industry partner program, InfraGard, the article lists some useful guidelines on how to protect yourself from infection (below). It is likely your organization is already following many, if not all, of these recommendations. I encourage you to vigilantly keep the security of your data a top priority. Many of us have computing scenarios that complicate efforts to secure our data. I like the FBI’s set of recommendations because it focuses on issues closely related to the current threat, and most of the measures can be applied without highly specialized or expensive tooling.
As always, ShareVault is continually upgrading our infrastructure and security measures to assure we are ahead of this current threat and the next emerging threat to vigilantly protect the data you entrust to us.
RECOMMENDED STEPS FOR PREVENTION (from the FBI report)
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
- Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network, no less than once a year, and ideally, as often as possible/practical.
- Test your backups to ensure they work correctly upon use.
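As an added example (not from the FBI report or from ShareVault), the PowerShell audit below checks a Windows 8 / Server 2012 or later host for the two conditions the article highlights: whether an MS17-010 update is listed and whether SMBv1, the protocol EternalBlue targets, is still enabled, and then blocks inbound port 445 from non-local addresses. The KB list is an assumption recalled from Microsoft's MS17-010 bulletin and should be verified there; later cumulative updates supersede those IDs, so a missing KB does not by itself prove a host is vulnerable.

```powershell
# Added example: audit one Windows host for the WannaCry preconditions described above.
# Run from an elevated prompt on Windows 8 / Server 2012 or later (needs Get-SmbServerConfiguration).
# Assumption: KB IDs below are from memory of the MS17-010 bulletin; verify against the bulletin.
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012598','KB4012606',
                'KB4013198','KB4013429')

function Test-Ms17010Patch {
    # $true if any MS17-010 package is listed. Newer cumulative updates supersede these
    # IDs, so $false means "not proven patched", not "proven vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Test-Smb1Enabled {
    # Server-side SMBv1 setting; this is the code path MS17-010 fixes.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn off SMBv1 serving and remove the optional feature (client SKUs).
    # On Server SKUs use: Remove-WindowsFeature FS-SMB1
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InternetSmb {
    # "Exposed to the internet" in the article means 445 reachable from outside;
    # the 'Internet' keyword excludes local subnets, so intranet file sharing keeps working.
    New-NetFirewallRule -DisplayName 'Block SMB 445 from Internet' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
}

$patched = Test-Ms17010Patch
$smb1    = Test-Smb1Enabled
Write-Host "MS17-010 package listed : $patched"
Write-Host "SMBv1 enabled           : $smb1"
if ($smb1) {
    Write-Warning "SMBv1 is enabled; run Disable-Smb1 once no legacy clients depend on it."
}
Block-InternetSmb
```

Run the two Test- functions across a fleet (for example via Invoke-Command) to find hosts that still need the patch or the SMBv1 change before a worm finds them.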
On the Friday evening of the attack, a UK-based cybersecurity researcher inadvertently discovered a “kill switch” embedded in the code of the malicious software, which impeded the software from spreading. However, the masterminds behind the attack have already altered the code to get the ball rolling again, emphasizing the need to remain vigilant.
Learn more about how ShareVault is the industry leader in secure file sharing.