Protecting your organisation from ransomware
- Posted on May 25, 2017
Ransomware has been making big news in the last week. The cruel reality of the global ransomware attack that crippled computer systems in 150 countries is that the attackers took advantage of unpatched systems in under-prepared organisations; the worm needed no action from the user to spread.
Ransomware attacks have been increasing dramatically since 2015, with over 4,000 ransomware attacks a day in 2016. That is a 300% increase on the previous year.
Ransomware can be particularly damaging to organisations. Corporate data stored on employees' PCs, and on the shared file servers those PCs can write to, can be encrypted and held to ransom, with a decryption key offered only once payment is made. Even then there is no guarantee that the attacker will deliver a working key.
While WanaCrypt0r (WannaCry) has been the most prominent malware in the media, other attacks such as Adylkuzz are underway. In Adylkuzz's case the victim's data is not encrypted; instead the PC's resources are consumed mining the Monero cryptocurrency.
Both attacks infect hosts using the 'EternalBlue' exploit, which was released in the Shadow Brokers leak of NSA tooling in April this year. The underlying vulnerability is in Microsoft's SMBv1 implementation (MS17-010) and affected Windows versions from Windows XP through to Windows 10 and Windows Server 2016. Any host with SMBv1 exposed on port 445 and the patch missing can be compromised over the network with no user interaction.
Microsoft patched the vulnerability in March, two months before WannaCry appeared. Many would expect that to be the end of the story, but unfortunately not so. What these attacks have highlighted is that organisations and individuals can do better at protecting and securing their systems. Undoubtedly, WanaCrypt0r and Adylkuzz are not the last attacks that will take advantage of this vulnerability, and rest assured, attackers are already looking for the next one to exploit.
To help organisations protect themselves as best they can from these attacks, I would recommend the following be considered as a minimum:
- Retire or quarantine operating systems that are no longer supported by Microsoft. These systems will not receive security updates for the vulnerabilities that attacks take advantage of. Microsoft released an out-of-band patch for unsupported systems this time; do not expect that for future attacks.
- For operating systems that are still supported, make sure that every system is enrolled in a patch management system and that critical patches are deployed promptly. Systems should either have Windows Update turned on or receive timely updates from the patch management system; a patch that was published in March but never installed offers no protection in May.
- Audit your environment for machines that are either unsupported or unpatched, and have an action plan for each of them. An inventory you cannot verify host by host is not an audit.
- Validate that endpoint protection is installed and kept up to date on supported systems. Built-in protection like Windows Defender, or 3rd party protection, can help prevent malicious code from running on a system.
- Prevent malicious content from reaching user systems in the first place. Technologies like e-mail advanced threat protection or content scanners for web browsing can stop malicious code from ever reaching a user's machine.
- Ensure that data within the organisation is protected. Reducing the amount of data a single compromised account can reach reduces the scope of an attack: ransomware running as a user encrypts everything that user can write to. Make sure users have rights only to the file locations they need, and that those rights are read-only wherever write access is not required.
- Finally, as the last line of defence, validate that your data is recoverable should it be compromised by an attack. Backups and disaster recovery plans should exist and be tested frequently to confirm they actually restore data. Keep at least one copy offline or otherwise unreachable from the production network, because ransomware also encrypts backup shares it can reach.
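As an added example of the audit the list above asks for (this is not the post's own code), the PowerShell script below pulls the enabled computer accounts from Active Directory, flags operating systems that were already out of support in May 2017, and, over WinRM, checks each reachable host for one of the MS17-010 hotfixes and for the SMBv1 server still being enabled. It assumes the RSAT ActiveDirectory module on the machine running it and PowerShell remoting to the targets; the unsupported-OS list and the output file name are assumptions to adjust. The KB numbers are the MS17-010 identifiers as I recall them from the March and May 2017 releases and should be verified against Microsoft's bulletin before the output is relied on. On Windows 10 and Server 2016 the fix arrives inside cumulative updates that later cumulatives supersede, so a missing KB there is reported as "check the build" rather than "unpatched".

```powershell
# Added example, not the post's own code. Audits domain hosts for three of the
# conditions the list above calls out: unsupported OS, MS17-010 fix missing,
# and SMBv1 still enabled. Assumes the RSAT ActiveDirectory module and WinRM
# access to the targets.
Import-Module ActiveDirectory

# OS families already out of support in May 2017 (assumption: adjust to your own
# support matrix). 'Windows 8 ' keeps the trailing space so that 8.1 is not matched.
$UnsupportedPatterns = @('Windows XP', 'Windows Server 2003', 'Windows Vista', 'Windows 8 ')

# MS17-010 hotfix IDs (from memory of the bulletin; verify before relying on them).
$Ms17010Kbs = @(
    'KB4012598',                            # Vista / Server 2008, and the May out-of-band XP / 2003 / 8 fix
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016 cumulatives
)

# Runs on each target. Reports which MS17-010 KB (if any) is installed and whether
# the SMBv1 server is enabled. The SMB1 registry value is absent by default, and
# absent means enabled, which is exactly the state the exploit needs.
$RemoteCheck = {
    param([string[]]$Kbs)
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    $smb1 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = if ($null -eq $smb1) { $true } else { [bool]$smb1.SMB1 }
    [pscustomobject]@{ Ms17010Kb = ($installed -join ','); Smb1Enabled = $smb1Enabled }
}

$results = foreach ($computer in Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem) {
    $os = [string]$computer.OperatingSystem
    $unsupported = [bool]($UnsupportedPatterns | Where-Object { $os -like "*$_*" })
    # Cumulative-update OSes: "no KB found" means "check the build", not "unpatched".
    $cumulativeOs = ($os -like '*Windows 10*') -or ($os -like '*Server 2016*')

    $remote = $null
    try {
        $remote = Invoke-Command -ComputerName $computer.Name -ScriptBlock $RemoteCheck `
            -ArgumentList (,$Ms17010Kbs) -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported rather than skipped: an unverified box is still a risk.
    }

    $reachable    = ($null -ne $remote)
    $missingPatch = $reachable -and (-not $remote.Ms17010Kb) -and (-not $cumulativeOs)
    $smb1On       = $reachable -and $remote.Smb1Enabled
    $kb           = if ($reachable) { $remote.Ms17010Kb } else { '' }
    $smb1State    = if ($reachable) { $remote.Smb1Enabled } else { $null }

    [pscustomobject]@{
        Computer        = $computer.Name
        OperatingSystem = $os
        Unsupported     = $unsupported
        Reachable       = $reachable
        Ms17010Kb       = $kb
        Smb1Enabled     = $smb1State
        CheckBuild      = $reachable -and (-not $remote.Ms17010Kb) -and $cumulativeOs
        NeedsAction     = $unsupported -or $missingPatch -or $smb1On -or (-not $reachable)
    }
}

$results | Sort-Object NeedsAction -Descending | Format-Table -AutoSize
$results | Export-Csv -Path .\ms17010-audit.csv -NoTypeInformation   # assumption: output location
```

Run it from a management host as an account that can read AD and reach the targets over WinRM. The CSV is the action plan the list above asks for: every row with NeedsAction set is either unsupported, unpatched, still exposing SMBv1, or could not be checked, and the last of those deserves the same urgency as the others.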
While the list above is by no means the only steps that should be taken, these are some basic principles to provide assurance that you’re prepared for the next attack.