The WannaCry ransomware attack has been big news since Friday, May 12, 2017, and organizations are scurrying to understand and mitigate the risk from this attack. The following is a very quick summary of the attack and specific action steps you can take to help protect your organization.
This type of ransomware is unique because it can spread to other vulnerable systems on the network. WannaCry takes advantage of a known vulnerability in most versions of Microsoft Windows (specifically MS17-010) to spread itself to other Windows machines on the target’s network. The first version had a kill switch so that it would not propagate itself if a certain internet host’s DNS name was found to be live, but at least one recent version is reported to have removed this kill switch and is currently in the wild, so this attack is still a risk. More versions are certain to come. If a machine is affected by the attack, it will be subject to a typical ransomware scheme and display a recognizable extortion screen.
Mitigating the Risks
Here are a few immediate steps you can take to minimize your organization’s risk:
1. Immediately Update All Windows Systems
This vulnerability has been fixed since March 14, 2017, and updated computers are not vulnerable to the worm-like attack functionality. This vulnerability affects both current and older operating systems including Windows XP, Windows 8 and Server 2003. In addition to applying currently available patches, be aware that Microsoft has taken the unusual step of creating updates for outdated operating systems as well as current systems.
2. Identify and Update Unmanaged Windows Systems
It is the experience of CDW’s penetration testers that most organizations do not regularly patch all their Windows systems. Of particular concern are systems that are “off the radar,” such as machines not joined to your domain or vendor-maintained systems, some of which you may not even know about. We recommend performing a full scan of your internal network using a tool such as Tenable’s Nessus or arrange for a penetration test from an organization such as CDW that use a mature assessment methodology. If you cannot patch your systems for some reason, you may be able to partially protect yourself by disabling SMBv1 on these systems, although this may not work for all future variants.
3. Disable or Thoroughly Clean Affected Machines
In addition to encrypting files, this malware may also leave behind a backdoor such as DOUBLEPULSAR or other malicious payloads. The safest approach is generally to wipe the computer thoroughly and restore data from before the incident.
4. Block Windows Ports on Your Firewall
Block both incoming and outgoing SMB ports on your internet border including TCP ports 139 and 445 as well as UDP ports 137 and 138 – these should be blocked to limit the spread of the malware’s worm component. If possible, also block these ports using internal network segmentation on connections to internal destinations such as other VLANs, remote WAN connections and IPsec tunnels. This will limit the scope of attack on your network.
5. Create and Monitor DNS Entries
Create a DNS entry to activate the kill switch on the original version of the attack on your local DNS server that points the FQDN of www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com so that they point at a known-working HTTP server and monitor your DNS system for hits. Your systems must successfully resolve this DNS name in order for the kill switch to work. Also, take this step on any proxy servers or similar security devices on your network. Review the logs – if any of your internal machines are performing DNS lookups for this address they are quite likely vulnerable and will need to be investigated. This step will not protect you from current variants but may help you identify older ones.
6. Train Users on Phishing Awareness
Communicate with your users immediately to ensure that they are aware of the risk of this particular attack as well as being resistant to phishing attacks in general. Consider phishing exercises and training for a longer-term solution.
7. Keep Unmanaged Systems off Your Network
As this system takes advantage of an older attack, the primary risk is to systems that are not well maintained. In addition to untracked and vendor-managed systems, also be very careful about allowing guest devices to connect to your internal network, as these devices are likely not under your control and are less likely to be patched. It only takes one machine that is actively infected to be plugged into your network for this attack to spread to other machines that might otherwise not have been exposed.