Defending against WannaCrypt and other Ransomware Attacks

Soteria Cybersecurity
2 min read · May 16, 2017


The WannaCrypt attack, a massive ransomware attack impacting businesses and individuals alike, has been making headlines around the world. Beyond hitting a large number of victims, the attack has been further sensationalized because it used exploits said to have been developed by the National Security Agency (NSA) and released by the Shadow Brokers.

Organizations should learn from this incident and use it as an opportunity to advocate for the importance of implementing effective security controls, policies, and procedures. Soteria recommends the following security measures to harden your organization against future ransomware attacks:

  1. Ensure that systems are fully patched. For customers who are using unsupported versions of Windows, Microsoft has taken the extraordinary step of releasing patches for Windows Server 2003, Windows XP, and Windows 8. Further information and vulnerability patches may be found in Microsoft Security Bulletin MS17-010.
  2. Ensure that anti-malware solutions are updated regularly. All major vendors are closely monitoring these campaigns and are updating their signatures as quickly as possible. Ensure that your organization is receiving and installing these updates regularly.
  3. Block all inbound traffic that is not absolutely necessary. This particular malware spreads by exploiting a flaw that requires a Windows device to be accessible on TCP port 445. There are almost no situations in which a Windows device should have this port accessible from the internet. Ensure your firewall rules are up to date, and conduct scans on your infrastructure to verify.
  4. Filter outbound network traffic and internal network traffic. In the event your organization is compromised, do not allow your devices to be used to further spread the worm. Additionally, ensure traffic between internal network segments is filtered as much as possible. If a successful infection occurs, containing the infection to a single VLAN can prevent a bad problem from becoming a complete disaster.
  5. Educate your users. It is important to remember phishing emails are still the most successful attack vector cyber criminals leverage when launching ransomware scams like this one. Use this event as an opportunity to remind your employees of your firm’s procedures for appropriately reacting to the receipt of a suspicious email.

For questions or concerns about the WannaCrypt attack or other security-related topics, contact Soteria’s security team for assistance.

Originally published at https://soteria.io/wannacrypt-ransomware/ on May 16, 2017.
