Last week’s ransomware attack was one of the most widespread attacks we have seen, with (so far) more than 200,000 machines hit across more than 150 countries. Entities affected include healthcare institutions, communications companies, transportation hubs and many others. The U.S. Department of Homeland Security (DHS) issued a statement on the attacks, linking to previously issued information on phishing and ransomware from the U.S. Computer Emergency Readiness Team (U.S. CERT).
WannaCry (aka WannaCryptor and Wana Decrypt0r) is a form of ransomware being spread through an exploit called ETERNALBLUE that infects Windows computer systems via a vulnerability in the SMBv1 protocol (MS17-010). WannaCry targets and encrypts 176 file types, including Office documents, multimedia files, database files, and others, and demands payment for a key to decrypt, or unlock, the files.
If you are running Windows computers in your environment that are not patched for MS17-010, you are likely at risk.
Most important is determining whether you have been impacted and, if so, taking steps to stop the spread. While a “kill switch” that neutered the original version of WannaCry was discovered and registered, new variants have already been identified. In other words, similar copycat attacks are likely, especially since this attack garnered so much media attention.
This attack brought many issues to light, many of which will be debated for some time. What is certain, however, is that there are steps that should have been taken—and should be taken going forward—to prevent a wide array of compromises in the future.
Below are actions entities should take now to assess readiness and ensure they are in the best position possible before a similar attack:
- Evaluate internal patch management programs and immediately update systems when patches are made available; delay will leave you vulnerable to attacks and exploits
- Conduct vulnerability scans and penetration testing regularly
- Update, evaluate and test internal business continuity and disaster recovery programs
- Be clear on what your vendors' and suppliers' business continuity and disaster recovery programs are
- Identify where mission-critical data resides, whether regular backups are being made and whether redundancies are in place
- Evaluate and test incident response plans
- Evaluate controls using a measurable and actionable framework
- Train and retrain employees about the latest phishing and social engineering techniques
- Evaluate whether your insurance policy provides adequate coverage for different types of attacks
While the use and supportability of older operating systems remain an issue that should be evaluated internally, strong patch management programs for all systems and training remain paramount.