A major ransomware cyber attack broke on Friday May 12th, affecting many organisations the world over, reportedly including major telcos, NHS systems and transportation providers. The attack has spread to some 150 countries around the world. This is the first ransomware worm to ever be seen in the wild. The malware responsible for this cyber attack is a ransomware variant known as 'WannaCry'.
WannaCry gets installed through a vulnerability in the Microsoft SMB protocol, not through phishing or malvertising. SMB is a network protocol used to share files between computers. The reason WannaCry is so catastrophic is that it spreads laterally: once one host is compromised, the malware automatically installs itself on other systems on the same network without any end-user involvement. The malware is particularly effective in environments with Windows XP machines, as it scans heavily over TCP port 445 (Server Message Block/SMB), compromises the hosts it reaches, encrypts the files stored on them, and then demands a ransom payment in Bitcoin.
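The propagation pattern described above (one host opening connections to many neighbours on TCP/445 in a short time) is something a defender can spot in firewall or flow logs without any malware signature. The following is an added example, not code from the original post or from Forfusion or Cisco: it keeps a sliding window of distinct TCP/445 destinations per source address and raises an alert when a source exceeds a threshold. The log line layout (`<iso-timestamp> src=… dst=… dport=… action=…`), the sample addresses, and the threshold and window values are all constructed assumptions for the demo; real deployments would feed it their own log format and tune the numbers.

```python
"""
Added example (not from the original post): flag hosts that behave like a
worm sweeping a subnet for SMB over TCP port 445.  A source that contacts
many distinct internal hosts on 445 within a short window is far more
likely to be scanning than doing ordinary file-share work.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW_SECONDS = 60   # sliding window length (assumed tuning value)
THRESHOLD = 20        # distinct 445 destinations in the window (assumed tuning value)


def build_sample_log():
    """Construct demo log lines: 10.0.5.17 sweeps 10.0.5.1-40 on 445 one host per
    second, while 10.0.5.22 does a few benign file-share and HTTPS connections.
    Addresses, times and the key=value layout are all made up for this example."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()} "
        f"src=10.0.5.17 dst=10.0.5.{i + 1} dport=445 action=allow"
        for i in range(40)
    ]
    lines += [
        "2017-05-12T10:00:05 src=10.0.5.22 dst=10.0.5.100 dport=445 action=allow",
        "2017-05-12T10:00:07 src=10.0.5.22 dst=10.0.5.100 dport=445 action=allow",
        "2017-05-12T10:00:09 src=10.0.5.22 dst=10.0.5.200 dport=443 action=allow",
    ]
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Parse one constructed log line of the form '<iso-ts> key=value key=value ...'."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return {src: iso_timestamp} for every source that touches at least
    `threshold` distinct destinations on TCP/445 inside any `window_seconds`
    span.  The timestamp is the moment the threshold was first crossed."""
    window = timedelta(seconds=window_seconds)
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)                          # src -> deque of (ts, dst)
    dst_hits = defaultdict(lambda: defaultdict(int))     # src -> dst -> hits in window
    alerts = {}
    for rec in records:
        if rec["dport"] != SMB_PORT:
            continue                                     # only SMB traffic matters here
        src, dst, ts = rec["src"], rec["dst"], rec["ts"]
        queue = recent[src]
        queue.append((ts, dst))
        dst_hits[src][dst] += 1
        # Expire entries that have fallen out of the sliding window.
        while queue and ts - queue[0][0] > window:
            _, old_dst = queue.popleft()
            dst_hits[src][old_dst] -= 1
            if dst_hits[src][old_dst] == 0:
                del dst_hits[src][old_dst]
        # len(dst_hits[src]) is the number of distinct 445 targets still in the window.
        if src not in alerts and len(dst_hits[src]) >= threshold:
            alerts[src] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    for src, when in find_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} crossed {THRESHOLD} distinct TCP/445 targets at {when}")
```

Because the logic keys on behaviour (fan-out on port 445) rather than on any byte pattern of the malware, it applies equally to the original sample and to repacked variants; the cost is that a legitimate asset-inventory scanner will trip it too, so such hosts should be allow-listed or the threshold raised per network segment.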
The best way to prevent infection (other than going back to pen and paper!) is to apply the MS17-010 patch from Microsoft. This has been available since mid-March this year, but Microsoft didn't originally release an update for Windows XP because it is End of Life, hence all the issues in the NHS, which still runs a lot of XP.
Microsoft has now released an emergency patch for Windows XP and other End of Life operating systems. While the original update protected newer Windows computers that had Windows Update enabled, many computers around the world remained unpatched.
A defense-in-depth strategy is always the best approach to information security.
Remember, this is a vulnerability in Microsoft Windows, so the following best practices are recommended to combat attacks that exploit Microsoft SMB:
To be clear, if the vulnerabilities aren't patched, an organisation will continue to be at risk of infection by this ransomware. However, the following Cisco Security products can limit the installation, spread, and execution of WannaCry:
There are likely to be variants of WannaCry in the coming days and weeks. While the current variant will be added to anti-virus signatures, new variants have the best chance of being detected by the modern behavioural techniques in Cisco AMP.
Forfusion is offering organisations a FREE Threat Scan Report, which can provide a comprehensive analysis and plan for protecting against ransomware.
To apply, visit www.forfusion.com/free-security-scan or email firstname.lastname@example.org.