WannaCry Deconstructed: Five Ways to Mitigate Ransomware Risks


Since launching on May 12, the WannaCry ransomware has made headlines around the world after infecting more than 230,000 systems across 150 countries. It’s captured the attention of the security community at large as the most notable strain of ransomware with worm capabilities, which enable it to automatically self-replicate to other nodes on the network. As a result, infection has spread at a speed and scale never achieved before. The ransomware attacks did not discriminate by organizational size or industry – many well-known companies were impacted, including Dacia, FedEx, Nissan, Cambrian College, Renault, PetroChina and Shaheen Air. Thousands of ATMs and ticketing machines were also targeted and encrypted.

As our CyberArk Labs team recently outlined, WannaCry itself is a fairly common strain of ransomware. The propagation techniques used to spread the infection are what truly set it apart. WannaCry uses a nation state-grade infection vector — a Microsoft SMB vulnerability dubbed “EternalBlue”— that makes it exceptionally viral and its resulting propagation, exponential.

The ransomware encrypts the infected user’s files — from photos and videos to documents and databases. The now-infamous red ransomware note is then displayed, demanding approximately $300-$600 via Bitcoin payment in order to recover the files.

Five Best Practices to Mitigate Risk

Though WannaCry is in the spotlight today, ransomware will continue to evolve, and more advanced techniques will find their way into attackers’ playbooks. So what can organizations do to protect against WannaCry and other forms of ransomware that will undoubtedly emerge in the future? Here are five best practices to follow to mitigate risk:

  1. Always Backup: Whether you’re attacked by a new, exotic strain of ransomware or your hard drive suddenly dies, backing up your important data is a basic, table-stakes best practice. But remember — backups alone are not enough to protect against data loss from ransomware attacks, especially if organizations are exposing privileged credentials to attackers.
  2. Follow the Least Privilege Principle: Always configure access controls including file, directory and network sharing permissions with the least privilege principle in mind. Most users do not need admin privileges to do their required jobs on their corporate endpoint devices, so user access should remain at the minimal level that will allow normal functioning. While running as a non-privileged user does not make you immune to WannaCry ransomware, it can prevent the malware from carrying out certain malicious tasks, such as deleting shadow copies of the infected system’s files.
  3. Apply Application Control: Controlling which executables have access to your files can also contribute to defensive efforts. For example, if you whitelist the PowerPoint executable as the only executable with write access to your presentation files, then a ransomware executable that tries to encrypt and overwrite those files will be denied (as it is not on the “approved” whitelist). It is also important to establish trust-based policies that protect these “trusted” or whitelisted applications themselves.
  4. Disable SMB v1 and Apply Patches: To protect against the specific WannaCry strain, immediately disable the outdated Microsoft SMB protocol version 1 or simply apply the patch MS17-010 that Microsoft released a few months ago.
  5. Block Internet Access: The Microsoft SMB protocol is meant to be internal, so your network should not be open to SMB packets from the internet. Implementing port filtering to block all versions of SMB at the network boundary is also an important preventative measure.
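The following PowerShell script is an added example and is not code from the original post or from CyberArk. It audits a single Windows host against practices 2, 4 and 5 above (local admin sprawl, SMBv1 and MS17-010, SMB exposure at the host firewall) and, only when run with `-Remediate`, disables SMBv1 and adds the blocking firewall rules. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer (for the `Smb*`, `NetSecurity` and `LocalAccounts` cmdlets). The KB number for MS17-010 differs per Windows build and is left as a placeholder to be filled in from Microsoft's bulletin.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Report-only by default; pass -Remediate to change SMB and firewall settings.
    [switch]$Remediate,
    # MS17-010 shipped as a different KB per Windows build. Placeholder value,
    # not from the original post: substitute the KB that applies to your build.
    [string]$Ms17010Kb = 'KBxxxxxxx'
)

$findings = @()

# --- Practice 4a: is the SMBv1 server protocol still enabled? ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Remediate) {
        # Turn off the SMBv1 listener; -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the optional feature too, so the protocol cannot be re-enabled
        # silently (client SKUs; on Server use Remove-WindowsFeature FS-SMB1).
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
}

# --- Practice 4b: is the MS17-010 hotfix installed? ---
if (-not (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)) {
    $findings += "Hotfix $Ms17010Kb (MS17-010) not found; deploy it via Windows Update or WSUS"
}

# --- Practice 5: block inbound SMB from any address outside the local subnets ---
$ruleName = 'Block inbound SMB from Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No host firewall rule blocks inbound SMB from the Internet'
    if ($Remediate) {
        # TCP 445 (SMB direct) and 139 (SMB over NetBIOS). The 'Internet' keyword
        # matches every remote address that is not on a local subnet.
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 445,139 -RemoteAddress Internet -Profile Any | Out-Null
        # NetBIOS name/datagram services travel alongside SMB over NetBIOS.
        New-NetFirewallRule -DisplayName "$ruleName (UDP)" -Direction Inbound -Action Block `
            -Protocol UDP -LocalPort 137,138 -RemoteAddress Internet -Profile Any | Out-Null
    }
}

# --- Practice 2: report user accounts holding local admin rights (review, no auto-change) ---
$adminUsers = @(Get-LocalGroupMember -Group 'Administrators' |
                Where-Object { $_.ObjectClass -eq 'User' })
if ($adminUsers.Count -gt 1) {
    $names = $adminUsers.Name -join ', '
    $findings += "Local Administrators holds $($adminUsers.Count) user accounts: $names"
}

# --- Summary ---
if ($findings.Count -eq 0) {
    Write-Host 'No findings: SMBv1 off, MS17-010 present, SMB blocked from Internet, admin group minimal.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it once without `-Remediate` to see the findings, and again with `-Remediate` after the change has been approved; the local Administrators check is deliberately report-only, since removing accounts from that group is a policy decision rather than a safe automatic fix. The host firewall rule complements, and does not replace, the perimeter filtering the post describes.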

As we advised in the wake of the initial attacks, organizations should immediately implement a combination of least privilege and application control policies on endpoints and servers throughout their organizations to mitigate risk. This can help prevent ransomware from maliciously encrypting files and deleting the snapshots that are often needed to fully recover from an infection. This is an essential layer in defending against future ransomware attacks.

About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.