While organisations have been under threat from ransomware for years, the attack landscape has been very narrowly focused. Victims tended to have to manually enabled the attack through some method, such as opening email attachments or downloading unverified software. Much of that has changed with the current global-scale WannaCry ransomware campaign.
Tens of thousands of systems have been compromised, and the attack is ongoing. Along with peers in the industry, Carbon Black’s Threat Research Team has been actively analysing the malware and its threats.
We found that the ransomware does not have any truly novel tricks up its sleeve. It is standard ransomware that, upon execution, creates dozens of files in its current location and starts infecting the system. It targets a specific set of file extensions, more than 150 of them, beginning with known MS Office documents, which is also in line with many other known ransomware families. What is truly unique about it is its method of delivery, which is believed to be through the now-known ETERNALBLUE exploit.
While the number of incidents are extremely high, many are believed to be a result of poor security posture. Protection against the ETERNALBLUE exploit is fairly basic. The exploit targets servers with SMB network sharing exposed to the Internet, a feature that should be immediately considered for deactivation. Servers are targeted over the standard network ports for the SMB service, all of which can be actively disabled in an organisation’s firewalls.
More importantly, these exploits have been actively resolved by current, and ongoing, patches released by Microsoft. Patches should be considered for immediate testing and release within an environment. These suggestions follow the established SMB Security Best Practices.
Ransomware is on track to be an $US1 billion crime in 2017, according to FBI data. That’s a substantial increase from 2015, when ransomware was a ‘mere’ $24 million crime. Additionally, ransomware emerged as the fastest-growing malware across all industries in 2016. It appears that healthcare is now in the cross hairs.
An organization can take immediate steps to protect against WannaCry and other ransomware variants.
- Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.
- Secure offline backups. Backups are essential: if you’re infected, a backup may be the only way to recover your data. Ensure backups are not connected permanently to the computers and networks they are backing up.
- Configure firewalls to block access to known malicious IP addresses.
- Logically separate networks. This will help prevent the spread of malware. If every user and server is on the same network newer variants can spread.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch-management system.
- Implement an awareness and training program. End users are targets, so everyone in your organization needs to be aware of the threat of ransomware and how it’s delivered.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.
- Block ads. Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.
- Use the principle of ‘least privilege’ to manage accounts: No users should be assigned administrative access unless absolutely needed. If a user only needs to read specific files, the user should not have write access to them.
- Leverage next-generation antivirus (NGAV) technology to inspect files and identify malicious behaviour to block malware and non-malware attacks that exploit memory and scripting languages like PowerShell.
- Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- Categorise data based on organizational value and implement physical and logical separation of networks and data for different organisational units.
- Conduct an annual penetration test and vulnerability assessment.
Stopping ransomware requires a defence-in-depth approach; there is no silver bullet to security. Software alone is not the answer. IT and SecOps teams must build a strategy that combines user training, next-generation endpoint security, and backup operations.
Every strategy should start with the simplest, most immediate risk-mitigation techniques available in order to limit the attack surface. Concurrently, user training and backup infrastructures should be evaluated, implemented, and practiced.
And please, patch, patch, patch!
Note: This article is written by Michael Viscuso, Chief Technical Officer and Brian Baskin, Threat Researcher, Carbon Black.