
WannaCry? We’ll get you smiling again

On Friday 12 May, a new version of the WannaCry ransomware hit many countries worldwide, and the attack is still not over.

As long as we keep opening and clicking on email attachments without thinking, this sort of problem will never go away. Anti-malware companies will grab the chance to promote their products. But what lessons can we learn from this attack?

What is ransomware?

Ransomware is a form of digital extortion that works by encrypting your files. It infects your local machine and the connected file servers, and also reaches OneDrive and other synchronisation tools. As soon as the files are encrypted, you receive instructions on your screen to pay for a code that will give you back access to your data.

What makes this ransomware so different?

The most noticeable difference with this version from the 'WannaCry family' is how quickly it spread. It only takes one infected user: without that user realising it, the malware spreads to other machines via SMB, the Windows protocol for file sharing.

What precautions can you take?

Ransomware changes constantly and new versions appear all the time. You can take a number of precautions to avoid becoming infected:

  1. Security awareness training for your end users is not an unnecessary luxury. You can invest lots of money in IT protection, but as long as users click on untrustworthy links, it won’t help. Organise an awareness campaign and measure its effectiveness by regularly carrying out a phishing test.
  2. Patching: malware exploits vulnerabilities in systems that have often been known for some time. An effective patching strategy is very important. For the experts: the vulnerability fixed by Microsoft security bulletin MS17-010 received a lot of attention some time ago, because the NSA could use this leak for hacking activities. No time for patching? You can harden your systems (e.g. virtual patching) or try to intercept attempts to exploit the vulnerabilities with, for example, an Intrusion Prevention System (IPS).
  3. Endpoint Security: the days of anti-malware based purely on signatures are over. Malware is changing too quickly. Larger manufacturers now have solutions that use newer methods, such as machine learning and sandboxing. The latter is a way of automatically testing files in a protected environment (the sandbox). If a program behaves suspiciously in the sandbox, you do not want to release it into the workplace.
  4. Pay more attention to email and Internet traffic. Almost all infections use these routes to get into your organisation. Replace your old email antivirus and URL filter with a newer protection product that checks every unknown file in a sandbox. If you receive an Office document that asks you to enable macros, think twice before doing so.
  5. Back up, back up, back up. We can’t repeat it often enough: create regular backups of your workstations and servers, and make sure the backup is tested. Documents (and other files) can be saved to a cloud service (such as OneDrive). The advantage is that you then have several versions of each file: if a file is encrypted, you can always restore a previous version.
  6. Administrator privileges: the question to ask is whether anyone in your organisation can launch or install an unknown program. With a least-privilege security model, you grant only the privileges each user actually needs.
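Two of the points above can be checked on a host rather than just discussed: the MS17-010 patch from point 2, and the SMBv1 protocol that the section 'What makes this ransomware so different?' names as the spreading route. The audit script below is an added example (my own, not code from Xylos or from the original post); it assumes an elevated PowerShell session on Windows 8/Server 2012 or later, and the KB list is my own mapping of MS17-010 updates that you should verify against the bulletin.

```powershell
# Added example, not from the original post: audit one Windows host for the MS17-010
# patch and for SMBv1, the protocol WannaCry used to spread from machine to machine.
# Assumed: elevated session, SmbShare module present (Windows 8 / Server 2012 or later).
# The KB numbers are my own mapping of MS17-010 updates; verify them against the bulletin.

$Ms17010Kbs = @(
    'KB4012598',                # XP / Vista / Server 2003 / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2: security-only, monthly rollup
    'KB4012214', 'KB4012217',   # Windows Server 2012
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patched {
    # Later cumulative updates also contain the fix, so a missing KB on a fully
    # updated host can be a false alarm; the newest install date is a second signal.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $newest    = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Patched   = [bool]$installed
        HotFixIds = @($installed | ForEach-Object { $_.HotFixID })
        NewestAny = $newest.InstalledOn
    }
}

function Get-Smb1State {
    # Server-side SMB configuration; EnableSMB1Protocol is the setting that matters here.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled = $cfg.EnableSMB1Protocol
        Smb2Enabled = $cfg.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    # Mitigation: switch SMBv1 off server-side so the WannaCry spreading route is closed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$patch = Test-Ms17010Patched
$smb   = Get-Smb1State
"MS17-010 hotfix present : $($patch.Patched) $($patch.HotFixIds -join ',')"
"Last update installed   : $($patch.NewestAny)"
"SMBv1 server enabled    : $($smb.Smb1Enabled)"
if ($smb.Smb1Enabled)    { Write-Warning 'SMBv1 is enabled; run Disable-Smb1 to turn it off.' }
if (-not $patch.Patched) { Write-Warning 'No MS17-010 KB found; confirm the patch level via Windows Update.' }
```

Run it on a sample of workstations and servers, and treat any host that reports SMBv1 enabled or no MS17-010 hotfix as a patching or hardening task.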

Too late, my files have been encrypted. What now?

Wipe the entire system and restore your backup. You don’t have a backup? A public decryption key is currently not available for this version. Paying is still not advisable: not only does it encourage future attacks, but the key you receive often does not work.

Prepare yourself for the worst

Prevention is better than cure! Remember, it can happen to you. Work out a disaster scenario on paper, with clear contacts and responsible persons, even if it fits on a single A4 sheet. When something does happen, it will save you a lot of time.

You also need to be technically prepared. Where a traditional Endpoint Security solution focuses on detecting and preventing problems, the so-called Endpoint Detection & Response technology (EDR) helps you track them down. With EDR, you can determine how the threat got in and which other machines show the same indicators (files, communication with certain IP addresses, etc.). There are ways to considerably limit the damage by, for example, automatically isolating those machines so they cannot continue to spread malware over the network.

Conclusion

For many years Endpoint Security has received too little attention. Antivirus technology did not evolve properly, and was already outdated on release. It also slowed down your PC. The cheapest solution, in combination with a dose of common sense, ought to be able to protect us.

In the meantime, Endpoint Security has developed strongly, although users’ knowledge lags way behind. Companies invest lots of money in IT protection, but as long as users click on untrustworthy links, this won’t help. It is important to invest in awareness and to continuously check your users’ knowledge. We can help you do this.

Need to vaccinate your users against malware? Make an appointment by contacting johan.celis@xylos.com.
