The WannaCry ransomware attack that began on May 12 infected 230,000 computers in more than 150 countries within a few days. The scope of the attack was unprecedented—which is just one reason that companies need to identify preventive measures now.
WannaCry spread through an exploit called EternalBlue that infected Windows computer systems through a vulnerability in the Server Message Block protocol. WannaCry targets and encrypts 176 different file types, including Microsoft Office documents, database, multimedia and archive files. It initially demanded payment of $300 in Bitcoin in return for restoring access to the encrypted data. But WannaCry will increase the amount of ransom incrementally after a certain time limit.
WannaCry is a particularly dangerous strain of ransomware as it propagates without user interaction by scanning not only other computers on the network of an infected computer, but also over the internet to exploit the same vulnerability and infect other connected devices. A security researcher discovered a “kill switch” in WannaCry and registered a domain name for a DNS sinkhole that greatly impeded WannaCry’s spread.
The devastating effects of WannaCry demonstrate the urgent need for organizations to adopt preventive measures before their computer systems become infected with ransomware. One of the most important things that organizations can do is keep their systems updated with the latest software patches. Organizations that do not install the latest patches are much more vulnerable. Many of the computers infected by WannaCry either had not yet installed the Microsoft security update or were running an older version of Windows for which no updates had been released. Although other variants of WannaCry without the “kill switch” began to appear, the widespread application of the Windows security updates slowed the number of new infections to a trickle.
Organizations should consider limiting the number of services running on their systems. Every unneeded service is another avenue through which an attacker can exploit a vulnerability on the system. Disabling the SMB protocol on systems that do not require it, for example, would protect against the spread of WannaCry. Deploying up-to-date firewalls, intrusion prevention systems and antispam programs would also maximize the likelihood of preventing an infection.
As with other malware, ransomware infections typically occur through spam emails and other social engineering attacks. Organizations should educate employees to verify the legitimacy of an email before clicking on any of the links in the email or opening any files attached to the email.
Preventive Measures Are Not a Cure-All
Despite the preventive measures organizations may employ, a ransomware infection may still occur. Organizations should plan for such possibilities by backing up all of their critical data and systems on a regular basis. Since ransomware may infect all drives connected to a network, backups should be both offsite and offline. Just as backups should be segregated, other parts of a network should also be segregated from each other if possible. Network segmentation can help contain a malware infection and reduce its impact on the organization. For instance, in the case of WannaCry, blocking access to SMB ports on computers could potentially limit its reach.
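The two host-level mitigations mentioned above, turning off SMBv1 where it is not needed and blocking SMB ports from the rest of the network, as an added PowerShell example that is not part of the original article. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare, Dism and NetSecurity modules, an elevated session, and a constructed placeholder for the trusted subnets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and harden SMB on one Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.
# $TrustedSubnets is a constructed placeholder; replace it with the ranges that really need shares.

$TrustedSubnets = @('10.0.10.0/24')        # clients that legitimately reach shares on this host
$RuleName       = 'SMB-In from trusted subnets only'

function Get-SmbExposure {
    # Report what a WannaCry-style worm depends on: SMBv1 being served, the SMBv1 component
    # being installed, and TCP/445 being allowed inbound by any enabled firewall rule.
    $srv  = Get-SmbServerConfiguration
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $open = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb1Installed     = ($smb1.State -eq 'Enabled')
        Inbound445Allowed = @($open | ForEach-Object DisplayName)
    }
}

function Disable-Smb1 {
    # Stop serving SMBv1 immediately, then remove the component so the client side goes too.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Restrict-SmbInbound {
    param([switch]$SmbNotNeeded)
    # With the firewall's default inbound action set to Block, disabling the stock
    # "File and Printer Sharing" allows and adding one allow scoped to trusted subnets confines SMB.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    if ($SmbNotNeeded) {
        # Host serves no shares: refuse SMB and NetBIOS session traffic from any source outright.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445,139 `
            -RemoteAddress Any -Action Block | Out-Null
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress $TrustedSubnets -Action Allow | Out-Null
    }
    # A per-profile default of Allow would silently undo the above; make sure every profile blocks.
    Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' |
        Set-NetFirewallProfile -DefaultInboundAction Block
}

Get-SmbExposure            # before hardening
Disable-Smb1
Restrict-SmbInbound        # or: Restrict-SmbInbound -SmbNotNeeded on hosts that serve no shares
Get-SmbExposure            # after: Smb1ServerEnabled is False and only the scoped rule, if any, allows 445
```

Removing the SMB1Protocol component takes effect after a reboot; the Set-SmbServerConfiguration change and the firewall rules apply immediately.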
Organizations that do suffer from a ransomware attack have limited options. Unless the ransomware that infects their system is a known strain with a publicly available decryption key, victimized organizations should focus their efforts on restoring critical data through their backups to return to operation as soon as possible. Moreover, if an organization’s network is segmented and the ransomware only affects certain parts of the network, the infected computer or computers should be isolated from the rest of the network to lessen the risk of further infection.
Barring these precautions, organizations must confront the difficult decision whether to pay the ransom demanded by an attacker. Law enforcement guidance states that organizations should not pay. Paying a ransom does not guarantee that an attacker will restore access to the encrypted data. Nor does it prevent the attacker from launching another attack against the same organization for a higher ransom. However, if an organization lacks a viable backup of the encrypted data and possesses an immediate need for access to this data (as with health care facilities), the organization may have no alternative but to simply pay the ransom and assume the risk that the attacker will restore access.