On Friday May 11, 2017, the world learned just how vulnerable computer networks can be when not fully protected as it experienced a well-coordinated ransomware attack, known as WannaCrypt, or WannaCry.
Note: Ransomware encrypts files and makes them unusable unless payment (ransom) is made within a specified time. Malware and ransomware like WannaCry prey on weaknesses in network security systems due to out-of-date firewalls, operating systems and antivirus programs.
Are You at Risk?
That worldwide attack caused Britain’s National Health Services to cancel surgeries, shut down at least 40 major organizations across more than 99 countries, including a wide array of Russian and Chinese private and public institutions.
By the time the dust settled, this large world-wide cyber-attack, described by Europol as unprecedented in scale, infected more than 230,000 computers in over 150 countries.
Unlike previous ransomware, this attack did not spread by phishing emails, but used a leaked hacking tool or exploit called EternalBlue that was developed by the U.S. National Security Agency (NSA) to spread. The target of the ransomware were computer networks which had not installed recent software security updates (also commonly known as patching).
How Nonprofits And Associations Can Prevent Ransomware Like WannaCry
Here are a few things you and your organization can do in the meantime to protect your computer network systems from risks posed by malware like WannaCry or BlueDoom:
- Backup Your Critical Data and Systems
Ransomware encrypts critical files and in most cases, the possibility of recovery is suspect, even when the ransom is paid. When that happens, the best, and perhaps, the only way to get those files back is through restoring from backups. But this only works if there are backups in the first place. Although IT administratorshave been screaing about it for years, many small and medium-size organizations always seem to think that not having data backups is OK because “everything seems to be workling fine”, or “We’ve been in business for X years and nothing has happened”. Until something does happen and there begins a mad scramble for a fix “at any cost”.
The best defense against computer network risks like ransomware is a reliable backup scheme. We recommend a hybrid backup system where backups are made locally and replicated to an off-site location. Since the new starains of ransomware are expected to have the ability of spreading quickly through an infected network and encrypting files, embracing cloud backup services may be the prferred method going forward.
- Deploy Security Awareness Programs
Ransomware infections are mainly propagated through what is known as social engineering tactics like phishing, which happened to be the main vector for the WannaCry attacks. To this end, a computer security awareness program that teaches employees, partners and vendors how to identify scams, malicious links, and attempted social engineering would go a long way in reducing the risk of exposure.
Computer security awareness programs will show employees, partners and vendors to watch out for, and not click on malicious email and web links, avoid opening suspicious attachments on emails, and staying away from dangerous web sites.
It is to be expected that copy-cat attacks are bound to follow the WannaCry attacks, especially due to the global attention it generated. There will be offers of “security scanning”, “system checks” etc.
Please do not give strangers access to your computer for any reason. They will only install the virus you are trying to prevent in the first place. Make sure you diligently practice the programmatic basics, including limiting admin accounts to least necessary and performing regular vulnerability scanning. Enlist in ongoing training courses to keep your staff up to speed on the latest skills they need to develop.
- Block Access To Remote Desktop Protocol (RDP)
Remote Desktop Protocol or RDP, is a remote access tool developed by Microsoft and included in almost all versions of the Microsoft Windows operating system. It allows users to access their computers remotely, and has been determined to be a major source of the WannaCry ransomware attack on computer systems.
It is therefore recommended to block the RDP protocol at the firewall level. RDP mainly uses Transmission Control Protocol (TCP) port 3389. In addition, have your IT administrators review the best options for using RDP on your computer network if absolutely necessary. For example, Virtual Private Network (VPN) access should be a preferred method.
- Utilize Automated Patching
At the center of the WannaCry attack, and indeed most computer network breaches, is the existence of unpatched computer systems. Software and hardware updates, and security patches are released for a reason, yet many organizations do not deploy these patches at all, or wait for several months before doing so. Tech Prognosis recommends the utilization of Patch Management – a set of automation tools – in the detection and application of patches.
For example, even though vendors like Microsoft had released the fix (patch MS17-010) for the particular vulnerability that was exploited by WannaCry several months earlier, many organizations did not apply the patch. And in a lot of cases, many were using outdated computer operating systems like Windows XP which were no longer receving updates from Microsoft.
We could understand that in the case of many small organizations it could simply be a matter of not having the personnel. Yet, a lot of the stress could have been avoided through the outsourcing of computer maintenance, a solution we highly recommend.
If your environment will allow it, install the official patch (MS17-010) from Microsoft which closes the affected SMB Server vulnerability used in this attack.
- Deploy Endpoint Security tools
Make sure that all hosts have enabled endpoint security solutions. While there are many good solutions in the marketplace, vendors like BitDefender, Sophos, SentinelOne offer robust solutions which allows network administrators to ban the files used by WannaCry so that they are disabled from even running on the computer system.
In addition, it is also a good idea to combine a good EndPoint tool with a web content filering solution that can intercept and block the malware from connecting to the Internet to download instructions from its command and control network.
- Have A Business Continuity Plan
While Business Continuity and Disaster Recovery Plans are not everyday conversations small business owners and leaders have, now might be a good time to create, revisit, review, test, and update your organization’s incident response, business continuity and disaster recovery plans.
If your organization does not have a plan in place, Tech Prognosis can help you create and establish a plan that aligns with your business needs.
To learn more about ransomware and additional recommendations, particularly for Nonprofit, Membership Associations and Commercial Printing companies, request for our Business Advisory Guide, “What You Need to Know About Ransomware” here.