Ooops, your files have been encrypted! – How to deal with the WannaCry / WannaCrypt ransomware attacks
As you will have read, there has been a worldwide outbreak of ransomware attacks over the last few days, covered for example in this article from the BBC.
Firstly, we would like to assure all our existing customers that they are currently safe and that we are doing all we can, using the best technologies available, to prevent future attacks. However, as we have messaged, we are asking you to be extra vigilant over the next few days to help ensure your safety.
If you are not a customer of our managed services, you may still wish to read on as we discuss best practices to mitigate against the WannaCry ransomware attacks.
Key MirrorSphere Recommendations
MirrorSphere feel that this widespread attack has certainly made itself known, and our message to customers is to remain vigilant, as further malware strains are likely to follow.
All of a sudden this attack has made people aware of the world of ransomware. Many of our customers have asked us to confirm that all their systems are protected, and some want the security of their data estate bolstered further.
Firstly, it is important to understand that WannaCry affects only machines running Microsoft Windows: it spreads by exploiting a flaw in the Windows SMBv1 file-sharing service, which is why the patch and port recommendations below matter most.
Patch your Microsoft Estate
Ensure that the MS17-010 Windows update (Microsoft's March 2017 fix for the SMBv1 flaw that WannaCry exploits) has been rolled out to ALL machines, including laptops that are rarely on the network and servers that are normally excluded from patch cycles.
Manage Communication Protocols
Lock down TCP 139 and TCP 445, together with UDP 137 and UDP 138, to ensure SMB is not allowed inbound at the edge of your network (perimeter firewalls and VPN tunnels to third parties). Note that an edge block stops the worm arriving from the internet; it does not stop it spreading from one infected machine to its neighbours on the same LAN, so disable SMBv1 on hosts that do not need it and segment internal networks where you can.
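Perimeter firewall configuration is vendor specific, so as an added example (not code from the original article) here is the host-side equivalent of the two recommendations above in PowerShell: confirm MS17-010 is present, disable SMBv1, and block inbound SMB/NetBIOS at the Windows firewall on machines that do not need to serve files. It assumes an elevated session and PowerShell 4 or later for the Smb* and Net* cmdlets; on Windows 7 / Server 2008 R2 only the Get-HotFix and registry parts apply. The KB numbers are the MS17-010 identifiers for Windows 7/2008 R2 and 8.1/2012 R2 and must be cross-checked against the bulletin for other builds.

```powershell
# Added example, not from the original article. Run elevated.

# 1. Has MS17-010 been installed?  MS17-010 maps to a different KB per OS; these four
#    cover Windows 7/2008 R2 and Windows 8.1/2012 R2 (security-only and monthly rollup).
#    Cross-check the MS17-010 bulletin for other builds. On Windows 10 cumulative updates
#    supersede each other, so Get-HotFix may show a newer KB rather than the original one.
$ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216'
$installed  = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    "MS17-010 NOT found by KB id - check Windows Update history or the srv.sys version"
}

# srv.sys is the SMB server driver the patch replaces; record its version as evidence.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys"
"srv.sys version: $($srv.VersionInfo.FileVersion)"

# 2. Stop serving SMBv1, the protocol version the worm exploits.
#    Windows 8/2012 and later: the Smb cmdlet takes effect immediately.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#    Windows 7 / 2008 R2 lack that cmdlet; the registry value below applies after a reboot.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -Type DWORD -Value 0 -Force

# 3. Block inbound SMB and NetBIOS at the host firewall (same ports as the edge block).
New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
    -Direction Inbound -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (WannaCry mitigation)' `
    -Direction Inbound -Protocol UDP -LocalPort 137, 138 -Action Block -Profile Any

# 4. Verify what is now in force.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName '*WannaCry mitigation*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Disabling SMBv1 will break file sharing with anything that only speaks SMBv1 (Windows XP, some older printers and NAS devices), so test on a pilot group first; the firewall rules should be skipped on file servers and domain controllers, which legitimately need port 445 open to their clients.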
WannaCry Ransomware Attack Specific Remedies
Currently there are two features of the WannaCry ransomware that give you an escape route if you are affected.
1. Ensure machines can connect to www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com on port 80 (plain HTTP).
As you may have read, it was discovered that before encrypting anything the ransomware attempts an HTTP request to these domains. While they were unregistered the request failed and the malware carried on; once a security researcher registered the first domain the request started succeeding, and a copy of WannaCry that gets a response simply exits without encrypting. By allowing machines to reach these addresses, the chain of events is broken and the impact of the attack is reduced. Two caveats: the malware connects directly and ignores the user's proxy settings, so a site that forces all web traffic through a proxy may need the domains to resolve and answer from inside the network; and variants with a different or no kill-switch domain have appeared (the second domain above belongs to one such variant), so treat this as a stopgap rather than a fix.
2. WannaCry's worm does not target Windows 10.
The SMB exploit it carries (known as EternalBlue) targets earlier Windows versions, with Windows 7 and Windows Server 2008 R2 making up most infections. Since the attack, Microsoft has also released MS17-010 patches for out-of-support systems (Windows XP, Windows 8 and Windows Server 2003). So if your Windows machines are older than Windows 10, get them updated now, and keep Windows 10 patched as well, because MS17-010 applies to it too.
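To check whether the kill switch would actually fire from a given machine, as an added example (not from the original article), the PowerShell function below reproduces what the malware does: resolve the domain, open a direct TCP connection to port 80 without consulting proxy settings, and see whether an HTTP reply comes back. The domain names are the ones quoted in the article; the function name, timeout and output columns are this example's own.

```powershell
# Added example, not from the original article.
# Mirrors the malware's check: a DIRECT connection to the kill-switch domain on port 80.
# If HttpReply is True, a copy of WannaCry run on this host would exit before encrypting.
# If Resolves is True but Port80 is False, direct egress is being blocked (typically a
# proxy-only network), and the kill switch would NOT protect this machine.
function Test-WannaCryKillSwitch {
    param(
        [string[]]$Domains = @(
            'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
            'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
        ),
        [int]$TimeoutMs = 5000
    )
    foreach ($d in $Domains) {
        $result = [ordered]@{ Domain = $d; Resolves = $false; Port80 = $false; HttpReply = $false }

        # Step 1: DNS. An unregistered domain fails here, which is the pre-sinkhole state.
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($d)
            $result.Resolves = ($ips.Count -gt 0)
        } catch { }

        # Step 2: direct TCP connect and a minimal GET, deliberately bypassing any proxy.
        if ($result.Resolves) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $async = $client.BeginConnect($d, 80, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                    $client.EndConnect($async)
                    $result.Port80 = $true
                    $stream = $client.GetStream()
                    $stream.ReadTimeout = $TimeoutMs
                    $req = [System.Text.Encoding]::ASCII.GetBytes(
                        "GET / HTTP/1.1`r`nHost: $d`r`nConnection: close`r`n`r`n")
                    $stream.Write($req, 0, $req.Length)
                    $buf = New-Object byte[] 1024
                    $n = $stream.Read($buf, 0, $buf.Length)
                    $result.HttpReply = ($n -gt 0)
                }
            } catch { } finally { $client.Close() }
        }
        [pscustomobject]$result
    }
}

Test-WannaCryKillSwitch | Format-Table -AutoSize
```

Run it from a representative workstation on each network segment rather than from an administrator's machine, since proxy and egress rules often differ by VLAN; a row showing Resolves True and Port80 False is the case where an internal sinkhole for the domain is needed.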
More Ransomware is Expected
Just because WannaCry is being dealt with does not mean we can now relax. Opportunist cyber criminals will take this as a way in: not only because they have this ransomware as a base to build on, but because they will target the weakest link in any organisation, the end user. Even the NCSC has released a statement imploring administrators and users to be more vigilant.
Key Strategic recommendations
It is very important to continue to use actively supported software (not just your Windows estate!). In this age of austerity people are holding onto their assets for longer, which means that legacy platforms no longer being actively developed are still in use. This gives malicious software writers the opportunity to exploit vulnerabilities in that code that will never be fixed.
Patch management is also key. Once a business grows beyond a handful of machines, a formal patching process becomes essential. Patching can be a bit of a dark art; for example, ensuring that a patch does not affect any underlying applications or users in any way, shape or form can be tricky.
It is recommended that you roll out patches within a lab or test environment first and ensure your users' specific applications are fully validated. Vendors can often let you know about major patches, but it is impossible for every vendor to fully validate every single patch that is released. Proceed with caution and patch where you can: the benefits of patching far outweigh the risks, and a critical fix such as MS17-010 should be fast-tracked rather than held for the next routine cycle.
Deploy and Maintain an Anti-Virus and Malware Endpoint Solution
Keep your anti-virus up to date: a missed definition update leaves a window in which new samples go undetected. If you are using Windows Defender with current definitions, WannaCry ransomware (Microsoft's detection name is Ransom:Win32/WannaCrypt) is detected and removed. Bear in mind that anti-virus catches the payload on a machine; it does not close the SMB flaw, so it complements rather than replaces the patch.
Maintain sufficient patch management
Patching is covered above; in short, test patches in a lab, roll them out promptly, and keep an inventory of which updates each machine has installed. That inventory is what tells you whether ALL machines really do have MS17-010, rather than assuming they do.
Utilise Email Security
Most ransomware campaigns arrive by email, through malicious attachments or links. (WannaCry itself is unusual in spreading directly over SMB rather than by email, which is why patching and port lockdown come first for this outbreak.) The filtering built into standard mail platforms does not catch everything.
Specialist third-party engines and providers can help protect email by filtering links and attachments, and only delivering them to the user when they come from a safe or known address.
End-user education is the big take-away from all this. Users need to remain vigilant about which sites they browse, what they download and which emails they open. Administrators should enforce that only supported software is installed on the network, to limit the chances of infection.
Send in a Specialist
If infection has occurred and it does not look like it can be resolved, a restore from a healthy backup may be the only way. For this to work, you need to be confident in your backup and recovery procedures: backups must be held somewhere the ransomware cannot reach (offline or on a system it has no write access to, since WannaCry encrypts mapped network shares as well as local files), and a restore should have been tested before you need it. Find out more about how we can help you with this here.
If you are worried about Ransomware, have been affected by it or would like to enquire about our managed IT services, please fill out the form below: