If “past is prologue,” then the WannaCry ransomware outbreak earlier this month portends an era of rapidly multiplying, increasingly damaging ransomware attacks. This is supported by the 2017 Data Breach Investigations Report by Verizon, which found that ransomware is the fifth most commonly reported malware; that’s quite a leap from a position of 22nd place just three years ago. Today, WannaCry stands out as the largest attack of its kind, disrupting production and services in both government and private enterprises and causing historic damages.
WannaCry grew out of the April 2017 dump of NSA-developed exploits and spreads through Microsoft's SMBv1 on older versions of the Windows operating system. Although Microsoft issued a patch for the vulnerability shortly before the NSA dump, many systems had not yet been patched, leaving them defenseless when WannaCry hit a month later. Because it is self-propagating, WannaCry could start from a single vulnerable computer and go on to infect a larger and otherwise healthy network.
Individuals and organizations in 150 countries around the world whose computers were infected have picked up, dusted off and moved on. Despite the loss of approximately $100K in ransom fees, we can be grateful there was no loss of life resulting from widespread hospital closures in the UK when critical health data was stolen and encrypted. This incident may be over, but unfortunately, bad actors are constantly planning bigger, deadlier attacks – making it imperative that we all re-evaluate and update our security postures.
At Carahsoft, our vendors have done an outstanding job of communicating how to do that. It’s a lot of information though, so we’ve broken it down and compiled a list of the seven most commonly cited tips for preventing a ransomware infection:
- Block Vulnerabilities: Block SMB access to the Internet. SMB runs over TCP ports 137, 139 and 445 and UDP ports 137 and 138.
- Update Systems and Software: Keep your operating system and other software updated. New vulnerabilities are discovered all the time, as are new ransomware variants. Once these are discovered, companies will often include patches in their updates. Be sure to take advantage of patches and keep your security system up to date.
- Monitor Emails: Email is one of the main infection methods. Look out for suspicious links and attachments, and issue bulletins immediately if something is detected.
- Limit Privileges: Use least privilege, giving only enough access to resources for employees to carry out their job duties. Reduce and restrict administrative privileges, and segregate administrative accounts from system administrators and user accounts. These measures can help contain damage from compromised user accounts.
- Backup and Store Data: Regularly backing up data is the best way to fight ransomware because attackers only have leverage over you if they possess the only set of files. With data backed up and stored offsite, victims can simply restore their files after the infection has been contained and removed.
- Limit Devices: Pay attention to employees connecting potentially infected outside devices, such as PCs, to the network. This is especially important for those who telework.
- Move to the Cloud: Among its other benefits, the cloud can help reduce the impact of a ransomware infection, due to its ability to save many previous versions of the same file.
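
To verify that the "Block Vulnerabilities" tip is actually enforced, the following added example (not from the original post or any vendor) scans firewall flow records for allowed traffic on the listed ports that crosses the Internet boundary. The log format, the sample records and the RFC 1918 definition of "internal" are assumptions made for illustration.

```python
import ipaddress

# Ports from the "Block Vulnerabilities" tip, keyed by transport protocol.
SMB_PORTS = {"tcp": {137, 139, 445}, "udp": {137, 138}}

# Assumption: the site uses RFC 1918 space internally; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a hypothetical "src dst proto dport action" format.
SAMPLE_FLOWS = """\
# src dst proto dport action
10.1.4.23 10.1.9.8 tcp 445 allow
10.1.4.23 203.0.113.77 tcp 445 allow
198.51.100.9 10.1.2.5 tcp 139 deny
198.51.100.9 10.1.2.5 udp 137 allow
10.1.4.40 203.0.113.10 tcp 443 allow
10.1.4.41 203.0.113.11 udp 445 allow
""".splitlines()


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def smb_internet_violations(lines):
    """Return allowed flows on the tip's ports that cross the Internet boundary."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blanks and the header comment
        src, dst, proto, dport, action = raw.split()
        if int(dport) not in SMB_PORTS.get(proto.lower(), set()):
            continue  # not one of the listed protocol/port pairs
        if action.lower() != "allow":
            continue  # the firewall already dropped this flow
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in == dst_in:
            continue  # stays inside (or outside) the network: out of scope here
        direction = "outbound" if src_in else "inbound"
        hits.append((direction, src, dst, proto.lower(), int(dport)))
    return hits


if __name__ == "__main__":
    for hit in smb_internet_violations(SAMPLE_FLOWS):
        print("SMB exposed to Internet:", *hit)
```

Any record it returns is a rule gap to close at the perimeter firewall; internal-only SMB traffic is deliberately ignored because the tip concerns Internet exposure.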
For more insight and advice about how to protect your agency from WannaCry or other ransomware, contact Carahsoft for help in identifying the right solutions.