Coalfire continues to closely monitor the WannaCry ransomware attack. Much has been written over the past few days about the attack. For those of you who may not have had time to review in detail and assess appropriate actions for your organization, we wanted to provide summary information.
In this post we provide information addressing the following questions:
- What is the WannaCry attack and how does it work?
- What short-term steps should you take to avoid this attack?
- What controls should you have in place to prevent similar attacks in the future?
- Should you pay a ransom and how does Bitcoin work?
What is WannaCry doing and how?
As you have likely heard by now, the malware has hit over 100 countries and 100,000 computer networks and is spreading rapidly. At its core, the malware exploits a vulnerability in Microsoft operating systems that was addressed in a March 2017 Windows Update (MS17-010). It spreads through two methods:
- A user opens a malicious, password-protected attachment, which exploits the missing Microsoft operating system patch and installs the ransomware agent.
- As a worm: from an infected system it scans the network for other systems missing the Microsoft patch and then replicates itself onto each unpatched system.
Unlike most ransomware variants, this one is particularly devastating due to its worm-like propagation across network connected systems. Even if you haven't opened a malicious email attachment, you can still be infected by another system on your network.
WannaCry encrypts users' data files and asks users to pay a US$300 ransom in Bitcoins to get the files released. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
Here are slides and a brief webinar that will help you understand more.
What short-term steps should you take to avoid this attack?
In order to protect yourself from WannaCry ransomware, you should do the following:
- If you have not done so already, immediately install the Microsoft Security Update associated with MS17-010 on all Windows workstations and servers. There is no cost associated with receiving the Microsoft patch.
- Consider applying firewall rules to block TCP/UDP traffic to ports 139/445 and 3389, even within internal network segments (note: port 3389 is not part of the SMB attack vector, but US-CERT has reported it as a method of propagation, and we reiterate it here based on that publication).
- Ensure that you're running a Windows version that's maintained by Microsoft. Windows XP is no longer maintained, so even though Microsoft took the extraordinary step of releasing a patch for XP, it did so only after overwhelming damage had taken place.
- Some of the observed attacks use common phishing tactics, including malicious attachments. Customers should exercise vigilance when opening documents from untrusted or unknown sources.
- Disable SMB file sharing services on your PC if they are not required for legitimate use. Microsoft has published guidance on this technique here. Note that this is not intended as a long-term solution, nor is it for the less technically savvy.
- Keep backups of valuable data stored offline!
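The firewall and SMB steps above, as an added containment script (not from the Coalfire post or Microsoft's guidance). It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and a host that does not need inbound SMB or RDP from other machines; the rule display name and the feature name SMB1Protocol (client editions; servers use the FS-SMB1 role feature instead) are the assumptions.

```powershell
# Added example: short-term WannaCry containment on one Windows host.
# Assumes: elevated session, Windows 8 / Server 2012+, and that inbound
# SMB/RDP to this host can be blocked without breaking business use.
#Requires -RunAsAdministrator

$ports = 139, 445, 3389   # SMB (139/445) and RDP (3389), the ports the post lists

foreach ($proto in 'TCP', 'UDP') {
    $name = "WannaCry containment - block inbound $proto $($ports -join ',')"
    # Idempotent: only create the rule if it is not already present
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort $ports -Action Block -Profile Any | Out-Null
    }
}

# Turn off SMBv1 on the server side (the SMB version MS17-010 addresses) ...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# ... and remove the SMB1 optional component (client editions; hypothetical
# feature name on other SKUs, check Get-WindowsOptionalFeature -Online first).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# Show what changed so the operator can confirm before moving to the next host
Get-NetFirewallRule -DisplayName 'WannaCry containment*' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Remove the containment rules once MS17-010 is confirmed installed everywhere; they are a stopgap, not a replacement for the patch.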
If you need further help, the Microsoft memo includes Additional Resources. For ease of reference, here are those blogs and websites:
- Microsoft Security Response Center Blog
- Microsoft Malware Protection Center Blog
- Microsoft Safety and Security Center webpage
What controls should you have in place to prevent similar attacks in the future?
No two attacks are the same, but a number of cyber hygiene steps should be taken by organizations to mitigate risk moving forward. All organizations should have several controls in place to prevent and mitigate the impact of these attacks, including:
- Automatic and timely operating system updates on user workstations
- Good endpoint security and malware tools, especially built to detect ransomware
- Efficient email monitoring tools that can detect and block malicious attachments (especially password protected attachments)
- Automated (and periodically tested) data backup systems, which allow organizations to revert to a ransomware-free system
- A configuration management program that ensures systems run the least amount of functionality needed for business purposes
- Architecture design that ensures network traffic to and from critical systems, including user workstations, is restricted to only that required for the system’s function
- Cybersecurity awareness training that discusses phishing and ransomware as part of the organization’s evolving culture
All this being said, no organization is completely safe. If your organization has systems outside of the standard security configuration profile, take the following steps:
- Ensure that the system is running the latest operating system patches from Microsoft. You can check this through "Windows Update" under "Control Panel"
- Verify that antivirus is running and is up-to-date with the latest signatures from your vendor
- Ensure that a host-based firewall (such as Windows Firewall) is running at all times
- Continually reinforce good security hygiene with staff and instill a security-conscious environment
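The three technical checks above (patch level, antivirus, host firewall), as an added audit function that is not part of the Coalfire post. It assumes Windows Defender as the antivirus (other vendors expose status through their own tooling) and a Windows 8 / Server 2012 or later host; $Ms17010Kbs is a placeholder you fill from the Microsoft bulletin for your OS build, since the KB number differs per build.

```powershell
# Added example: one-host posture check for the items listed above.
# Placeholder: KB identifier(s) for MS17-010 on this build, from the bulletin.
$Ms17010Kbs = @('KB_FROM_MS17-010_BULLETIN_FOR_THIS_BUILD')

function Get-WannaCryPosture {
    # 1. Patch state: is any of the listed MS17-010 KBs installed?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched   = ($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

    # Pending updates, via the Windows Update Agent COM API (same data as
    # "Windows Update" in Control Panel)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $pending  = $session.CreateUpdateSearcher().Search("IsInstalled=0 and Type='Software'").Updates.Count

    # 2. Antivirus: Defender running with recent signatures (assumes Defender)
    $av         = Get-MpComputerStatus
    $sigAgeDays = (New-TimeSpan -Start $av.AntivirusSignatureLastUpdated -End (Get-Date)).Days

    # 3. Host firewall: every profile (Domain/Private/Public) must be enabled
    $offProfiles = Get-NetFirewallProfile -All | Where-Object { $_.Enabled -ne 'True' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        MS17010Installed        = $patched
        PendingUpdates          = $pending
        AntivirusEnabled        = $av.AntivirusEnabled
        RealTimeProtection      = $av.RealTimeProtectionEnabled
        SignatureAgeDays        = $sigAgeDays
        FirewallAllProfilesOn   = ($offProfiles.Count -eq 0)
        FirewallProfilesOff     = ($offProfiles.Name -join ',')
        SMB1ServerEnabled       = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Any row with MS17010Installed = False, SignatureAgeDays above a few days,
# or FirewallAllProfilesOn = False is a host to fix before it is exposed.
Get-WannaCryPosture | Format-List
```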
Should you pay the ransom and how does Bitcoin work?
WannaCry encrypts users' data files and asks users to pay a US$300 ransom in Bitcoins to get the files released. If you are a victim:
- Restore data from a backup if that data has not been encrypted or deleted
- Attempt to find a decryption key that may exist (many security vendors have been publicly releasing decryption keys for free usage). No decryption key exists for WannaCry at this time
- Make a business decision to move forward without the data that was lost, or pay the ransom
- Every company’s situation is unique and, if attacked, you should perform your own analysis of whether to pay the ransom. Law enforcement agencies are divided, but generally advise against paying digital ransoms on the basis that it could encourage more attacks; this, however, ignores the reality for organizations confronted with ransom demands. The costs of not paying, particularly in the immediate term, can be catastrophic — for some organizations it could mean the decline of their business, and for others, safety and security issues, not just monetary concerns, are at stake. By delaying the ransom payment, the costs of downtime and business interruption only increase
- Then there is the reputational damage that ransomware attacks can wreak. Cyber criminals can not only withhold data until payment is made — they can also threaten to expose the data if payment is not made. This could severely damage an organization’s reputation and brand value, particularly if customer information is involved
Finally, if your organization is not familiar with Bitcoin, this link provides useful information, including how it works and how to get it.
How can Coalfire help?
Coalfire’s computer forensics and incident response team has managed response efforts to numerous service-disrupting events, including those involving ransomware. For assistance with your cybersecurity program, including assistance with understanding Bitcoin transactions (particularly those for high-value transactions), please contact your Coalfire representative or (877) 224-8077.
Mike Weber — Vice President, Coalfire Labs/ATD