Patch or Perish – Lessons of WannaCry Ransomware

Last week, we saw one of the largest ransomware incidents in recent memory. Dubbed as WannaCry (also WannaCrypt, Wanna Decryptor), at this time, this malware is known to have infected over 230,000 computers in 150 countries.

While the scale of the attack may eventually reach the same notoriety of past attacks such as Slammer, Iloveyou, or the Morris worm, a couple of interesting points are noteworthy.

  • The WannaCry payload is delivered via common phishing techniques. There are estimates that several million phishing emails may have been sent.
  • When executed the payload will infect the target computer and also seek out other Windows computers on the network which may contain a vulnerability in SMBv1.
  • The Windows SMB vulnerability is purported to be exploited using EternalBlue which is believed to have been developed by the US government’s NSA. This exploit was released by the hacker group Shadow Brokers in April, 2017.
  • Patches for the vulnerability were made available by Microsoft in March, 2017 as part of security update MS17-010.
  • Variants of the malware is expected to surface this week.

The following systems are known to be vulnerable to SMB flaws.

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8.1 and Windows RT 8.1
  • Windows 10
  • Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows 2016
  • Windows Server Core

The WannaCry malware will encrypt files on infected computers and prompt users with this message and demand $300 payable in Bitcoin.

Because of the nature of this malware, the WannaCry payload only needs to be executed by a single end-user behind an organization’s firewall. WannaCry will actively seek other computers from that single end-user to infect via SMB.

Organizations can take these simple actions to reduce the likelihood of a WannaCry infection. Such precautions should already part of any reasonable security program including:

  • Remind end-users to be wary of phishing emails. Social engineering training should be provided at least annually and testing conducted at least twice per year. A vigilant employee can be an organization’s biggest deterrent.
  • Deploy controls designed to quarantine malicious emails. Today there is little reason not to utilize one of the many anti-spam and anti-phishing email services. Implementing such services can be simple and extremely cost-effective.
  • There is little reason to run protocols such as SMB on the internet. A simple Internet scan shows that are nearly 400,000 SMB servers currently on the Internet today. And over 240K of those servers are running Windows.
  • On internal networks, disable SMB on systems that do not need it. As part of any server and end-point hardening program, unused services should always be disabled.
  • Firewalls should be used to separate security zones and protect critical areas. Firewall rules should always be deny-all and limit the protocols that can traverse security zones.
  • And most importantly – Patch or Perish. This simple adage holds true more than ever. A patch for the SMB vulnerability has been available since March, 2017.

Even with the best security controls, ransomware such as WannaCry can still occur. Malware outbreaks are inevitable and organizations should always be prepared.

  • A prepared organization should have a proper incident response process and procedures for dealing with incidents as incidents occur.
  • Backups provide a method to recover following any ransomware infection.
  • Be sure to protect your backups from infection. A proper backup process should segregate backup data from operational data.
  • And most importantly test your backup recovery procedure. A backup is only useful if the recovery process  works.

In the case of Ramsomware, there is always the temptation to pay the criminals. Ramsomware often includes the threat that the data will be erased by a certain time if the ransom is not paid. And a count-down clock adds a psychological element. There are only three options.

  1. Be prepared and never pay a ransom
  2. Be unprepared and suffer loss of data
  3. Pay the extortionists, perpetuate criminal behavior, and potentially invite more attacks. And there is no guarantee that the data can be recovered.

The No More Ransom is a project by law enforcement and IT security companies with the goal to help victims of ransomware and recommends #1.