WannaCry Deconstructed: Five Ways to Mitigate Ransomware Risks
Since launching on May 12, the WannaCry ransomware has made headlines around the world after infecting more than 230,000 systems across 150 countries. It’s captured the attention of the security community-at-large as the most notable strain of ransomware with worm capabilities, which enables it to automatically self-replicate to other nodes on the network. As a result, infection has spread at a speed and scale never achieved before. The ransomware attacks did not discriminate against organizational size or industry – many well-known companies were impacted including Dacia, FedEx, Nissan, Cambrian College, Renault, PetroChina and Shaheen Air. Thousands of ATMs and ticketing machines were also targeted and encrypted.
As our CyberArk Labs team recently outlined, WannaCry itself is a fairly common strain of ransomware. The propagation techniques used to spread the infection are what truly set it apart. WannaCry uses a nation state-grade infection vector — a Microsoft SMB vulnerability dubbed “EternalBlue”— that makes it exceptionally viral and its resulting propagation, exponential.
The ransomware encrypts the infected user’s files — from photos and videos to documents and databases. The now-infamous red ransomware note is then displayed, demanding approximately $300-$600 via Bitcoin payment in order to recover the files.
Five Best Practices to Mitigate Risk
Though WannaCry is in the spotlight today, ransomware will continue to evolve, and more advanced techniques will find their way into attackers’ playbooks. So what can organizations do to protect against WannaCry and other forms of ransomware that will undoubtedly emerge in the future? Here are five best practices to follow to mitigate risk:
- Always Backup: Whether you’re attacked by a new, exotic strain of ransomware, or your hard drive suddenly dies unexpectedly, backing up your important data is an important, table-stakes best practice. But remember — backups alone are not enough to protect against data loss from ransomware attacks, especially if organizations are exposing privileged credentials to attackers.
- Follow the Least Privilege Principle: Always configure access controls including file, directory and network sharing permissions with the least privilege principle in mind. Most users do not need admin privileges to do their required jobs on their corporate endpoint devices, so user access should remain at the minimal level that will allow normal functioning. While running as a non-privileged user does not make you immune to WannaCry ransomware, it can prevent the malware from carrying out certain malicious tasks, such as deleting shadow copies of the infected system’s files.
- Apply Application Control: Controlling which executables have access to your files can also contribute to defensive efforts. For example, if you put the PowerPoint executable in a whitelist as the only executable that has write access to your presentation files, then if a ransomware’s executable tries to encrypt and overwrite the files, it will be denied (as it is not on the “approved” whitelist). It’s important to also establish policies based on trusts that will protect these “trusted” or whitelisted applications.
- Disable SMB v1 and Apply Patches: To protect against the specific WannaCry strain, immediately disable the outdated Microsoft SMB protocol version 1 or simply apply the patch MS17-010 that Microsoft released a few months ago.
- Block Internet Access: The Microsoft SMB protocol is meant to be internal, so your network should not be open to SMB packets from the internet. Implementing port filtering to block all versions of SMB at the network boundary is also an important preventative measure.
As we advised in the wake of the initial attacks, organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations to mitigate risk. This can help prevent ransomware from maliciously encrypting files and deleting the snapshots that are often needed to fully recover from an infection. This is an essential layer in defending against future ransomware attacks.