Hopefully you were one of the prepared organizations that avoided the ransomware worm that made its way around the globe this past week. This worm crippled dozens of companies and government entities, impacting over 230K computers in 150 countries. Most of the infections were in Europe, Asia, and the Middle East, so if you did not get hit, you were either prepared or lucky. This blog post will help you be prepared for when this happens again, so that you don't have to rely on luck.
Patch everything you can, as quickly as you can
The exploit at the root of this ransomware worm was resolved in MS17-010, which was released in March of 2017, giving organizations more than enough time to download, test, pilot through UAT (User Acceptance Testing), and deploy to production. While introducing new patches and changes to your environment carries the risk of breaking applications, there is far more risk in remaining unpatched, especially for security-specific patches. Allocate the proper resources to test and roll out patches as quickly as you can.
Run the newest OS that you can
While the EternalBlue exploit that was patched by MS17-010 was applicable to every Windows OS, you were safe if you were running Windows 10 due to a security feature called ELAM (Early Launch Anti-Malware). Many of the infected machines were running Windows XP or Server 2003, which did not get the MS17-010 patch (Microsoft has released a patch for these OS variants after the infection; please patch if you still have these in your environment). It is not possible to secure Windows XP or Server 2003. If you insist on running them in your environment, assume that they are already breached and that any information stored on them has already been compromised (you don't have any service accounts with Domain Admin privileges logging into them, right?).
Use perimeter and host firewall rules
Proper perimeter and host firewall rules help stop and contain the spread of worms. While there were early reports that the initial attack vector was e-mail, these are unconfirmed. It appears that the worm was able to spread through the 1.3 million Windows devices that have SMB (port 445) open to the Internet. Once inside the perimeter, the worm was able to spread to any device that had port 445 open and did not have MS17-010 installed.
Turn off Unnecessary Services
Evaluate the services running in your desktop and server environment, and turn them off if they are no longer necessary. SMB1 is still enabled by default, even in Windows 10.
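The two exposures discussed above (SMB1 still enabled, and TCP/445 reachable from anywhere) can be audited and closed on a Windows 8 / Server 2012 or newer host with the script below. This is an added example, not code from the original post; it assumes an elevated PowerShell session, and the address ranges in $AllowedSmbPeers are placeholders for your own internal networks.

```powershell
# Added example (not from the original post): report on, and optionally fix,
# SMB1 being enabled and inbound SMB (TCP/445) being open to any address.
# Assumes an elevated session on Windows 8 / Server 2012 or later, where the
# SmbShare, Dism and NetSecurity modules ship with the OS.
param(
    [switch]$Remediate,                                                # report only unless set
    [string[]]$AllowedSmbPeers = @('10.0.0.0/8', '192.168.0.0/16')     # PLACEHOLDER: your ranges
)
$findings = @()

# 1. SMB1 server protocol (still on by default, as the post notes)
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += 'SMB1 server protocol is enabled'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. SMB1 optional feature (client and server binaries still installed)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Built-in inbound SMB allow rules that accept connections from any address.
#    Windows Firewall blocks inbound traffic by default, so scoping the allow
#    rules to internal ranges closes 445 to the rest of the world.
$smbIn = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
         Where-Object { $_.Enabled -eq 'True' }
foreach ($rule in $smbIn) {
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -contains 'Any') {
        $findings += "Rule '$($rule.Name)' (profile: $($rule.Profile)) allows TCP/445 from Any"
        if ($Remediate) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedSmbPeers }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

Run it without -Remediate first across a pilot group and review the warnings; a finding on the SMB-In rule for the Domain profile usually means file-server traffic needs to be in $AllowedSmbPeers before you scope the rule.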
These types of attacks are going to be the new normal, as they are extremely lucrative for the organizations behind them. Proper preparation is key, as boards are starting to hold both the CEO and CIO responsible in the case of a breach. While you may have cyber-security insurance, it may not pay out if you are negligent by not patching or by running an OS that stopped receiving security updates 3 years ago. I would recommend being prepared for the next attack, as you may not be as lucky next time.
Additional Layers of Defense to Consider
For those over-achievers, additional layers of defense can prove quite helpful in containing a breach.
1. Office 365 Advanced Threat Protection – Protect against bad attachments
2. Windows Defender Advanced Threat Protection – Post-breach response, isolate/quarantine infected machines
3. OneDrive for Business – block known bad file types from syncing
Good luck out there.