WannaCry Ransomware


WannaCry ransomware (also known as WCry, Wana Decrypt0r, WannaCrypt and WanaCrypt0r). With the attack that started last week still ongoing, and after receiving several calls and emails over the weekend asking how best to protect against ransomware, I thought I would put together some advice.

Backup

With any form of ransomware, the first real defence is being able to recover access to your data. This is where backups come to the rescue.

Think about your backup strategy – ensure that you also have access to previous backups, in case the latest one is not recoverable.

When reviewing backup strategies, think about Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

Ransomware affects business continuity by preventing access to your data. The Recovery Point Objective is the maximum period of data that may be lost. If the RPO is set to 5 hours, then nightly backups will not suffice.

The Recovery Time Objective is the time within which a service must be restored after a loss.

In order to identify the required RPO and RTO, I would suggest that all organisations review their Business Impact Assessments with regard to data loss, to identify the required recovery times and the options available.

It is also not good enough to simply perform a backup; you must ensure that it has completed successfully and that you can restore from it. Don’t forget to keep previous copies of backed-up data (think grandfather, father, son, etc.). Also ensure that the backup itself is protected, so that the ransomware cannot encrypt it too.
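The three checks above (is the newest backup inside the RPO, are older generations kept, and does it actually restore) can be scripted. The PowerShell below is an added example and not part of the original article; it assumes a hypothetical layout of one sub-directory per backup run under $BackupRoot, a scratch folder $RestoreTest for the test restore, and Windows PowerShell 4 or later for Get-FileHash. The 5 hour RPO is the figure used in the text.

```powershell
# Added example, not from the original article: measure a backup set against a
# Recovery Point Objective, confirm several generations exist, and prove the
# newest generation actually restores. Assumed (hypothetical) layout: one
# sub-directory per backup run under $BackupRoot; $RestoreTest is scratch space.
param(
    [string]$BackupRoot  = 'D:\Backups',      # assumed location of backup runs
    [string]$RestoreTest = 'D:\RestoreTest',  # assumed scratch location for the test restore
    [int]   $RpoHours    = 5                  # the RPO used as the article's example
)

# One sub-directory per backup run, newest first (grandfather/father/son generations).
$generations = @(Get-ChildItem -Path $BackupRoot -Directory | Sort-Object LastWriteTime -Descending)
if ($generations.Count -eq 0) { throw "No backup runs found under $BackupRoot" }
$newest = $generations[0]

# 1. RPO: how much data would be lost if the disk were encrypted right now?
$ageHours = ((Get-Date) - $newest.LastWriteTime).TotalHours
if ($ageHours -gt $RpoHours) {
    Write-Warning ("Newest backup is {0:N1} h old; RPO is {1} h. A nightly schedule cannot meet this RPO." -f $ageHours, $RpoHours)
} else {
    "Newest backup is {0:N1} h old, within the {1} h RPO." -f $ageHours, $RpoHours
}

# 2. Retention: a corrupt or encrypted latest run must not be the only copy.
"Backup generations available: $($generations.Count)"
if ($generations.Count -lt 3) { Write-Warning "Fewer than three generations retained." }

# 3. Restore test, timed so the result can be compared with the agreed RTO.
$timer = [System.Diagnostics.Stopwatch]::StartNew()
New-Item -ItemType Directory -Path $RestoreTest -Force | Out-Null
Copy-Item -Path (Join-Path $newest.FullName '*') -Destination $RestoreTest -Recurse -Force
$timer.Stop()

# Compare the SHA-256 of every source file with its restored copy.
$mismatches = 0
Get-ChildItem -Path $newest.FullName -File -Recurse | ForEach-Object {
    $relative = $_.FullName.Substring($newest.FullName.Length).TrimStart('\')
    $restored = Join-Path $RestoreTest $relative
    $srcHash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $dstHash  = if (Test-Path $restored) { (Get-FileHash -Path $restored -Algorithm SHA256).Hash } else { 'MISSING' }
    if ($srcHash -ne $dstHash) { $mismatches++; Write-Warning "Restore mismatch: $relative" }
}
if ($mismatches -eq 0) {
    "Restore of {0} verified in {1:N1} s; compare this with the agreed RTO." -f $newest.Name, $timer.Elapsed.TotalSeconds
} else {
    Write-Warning "$mismatches file(s) did not restore correctly; this backup cannot be relied on."
}
```

Run it from a scheduled task after each backup window; a warning from step 1 means the schedule does not match the RPO agreed in the Business Impact Assessment, and a warning from step 3 means the backup would not have saved you.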


Patches

It is imperative to apply patches and updates. This version of ransomware spreads through a vulnerability in SMB (Server Message Block) which has already been patched, and Microsoft have also released a patch for Windows XP. These are located here:

Microsoft vulnerability (MS17-010):
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Windows XP and Legacy systems are here:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
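To check whether a host actually has the MS17-010 update, the PowerShell function below is an added example (not from Microsoft or the original article). It looks for the KB numbers that the MS17-010 bulletin lists for each Windows version; those numbers are quoted from memory and should be confirmed against the bulletin linked above. On Windows 10 and Server 2016 the March 2017 cumulative update is superseded by every later cumulative update, so an absent KB there is inconclusive rather than a failure. Assumes Windows PowerShell 3 or later and, for remote hosts, WMI access.

```powershell
# Added example, not from Microsoft or the original article: report whether a
# Windows host has an MS17-010 update installed.
# KB numbers below are recalled from the MS17-010 bulletin; confirm them there.
function Test-Ms17010 {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ms17010Kbs = @(
        'KB4012598',               # XP / Server 2003 / Vista / Server 2008 / 8 (out-of-band)
        'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
        'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',  # Windows Server 2012
        'KB4012606',               # Windows 10 1507
        'KB4013198',               # Windows 10 1511
        'KB4013429'                # Windows 10 1607 / Server 2016
    )

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $installed = Get-HotFix -ComputerName $ComputerName |
                 Where-Object { $ms17010Kbs -contains $_.HotFixID }

    if ($installed) {
        [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption; Status = 'Patched'
                           Evidence = ($installed.HotFixID -join ', ') }
    } elseif ($os.Caption -like '*Windows 10*' -or $os.Caption -like '*Server 2016*') {
        # Later cumulative updates supersede the March 2017 one, so check the build instead.
        [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption; Status = 'Inconclusive'
                           Evidence = "build $($os.BuildNumber); confirm a post-March-2017 cumulative update" }
    } else {
        [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption; Status = 'MISSING'
                           Evidence = 'no MS17-010 KB found; patch or isolate' }
    }
}

# Inventory a list of hosts (constructed sample names) and show the ones needing attention first.
$hosts = @($env:COMPUTERNAME)   # replace with your own host list, e.g. from Active Directory
$hosts | ForEach-Object { Test-Ms17010 -ComputerName $_ } |
    Sort-Object Status | Format-Table -AutoSize
```

A host reported as MISSING that still needs SMB for business reasons should be patched before anything else; if it cannot be patched (end-of-life systems), the SMB blocking below is the fallback.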

Block SMB Traffic

Because the vulnerability affects SMB, it may be advisable to block these services on systems and firewalls (SMB is used for accessing file shares, so obviously care has to be taken to ensure that it is not required by any existing business software).

Details on how to disable SMB on Windows systems can be found here:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
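The caveat in the text (check that nothing still needs SMB before you block it) is the part that usually gets skipped, so the PowerShell below audits first and only changes anything when run with -Enforce. It is an added example, not code from Microsoft's KB article or the original post. It assumes an elevated session on Windows 8 / Server 2012 or later, where the Set-SmbServerConfiguration and NetSecurity cmdlets exist; on Windows 7 the registry method in the linked article applies instead.

```powershell
# Added example, not from Microsoft's KB article or the original post: audit SMB
# use on this host, then disable SMBv1 and block inbound TCP 445 when -Enforce
# is given. Assumed: elevated session, Windows 8 / Server 2012 or later.
param([switch]$Enforce)

# 1. Audit: is SMBv1 enabled, and is any client actually negotiating it?
$cfg = Get-SmbServerConfiguration
"SMBv1 enabled on server: $($cfg.EnableSMB1Protocol)"

# A session dialect below 2.0 is an SMBv1 client that will break when SMBv1 goes.
$smb1Sessions = Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' }
if ($smb1Sessions) {
    Write-Warning "Clients still negotiating SMBv1 (resolve these before disabling):"
    $smb1Sessions | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
} else {
    "No active SMBv1 sessions."
}

# Shares this host publishes: a firewall block on 445 cuts all of them off, not just SMBv1.
$shares = Get-SmbShare | Where-Object { -not $_.Special }
if ($shares) {
    Write-Warning "Non-default shares that a port 445 block would make unreachable:"
    $shares | Select-Object Name, Path | Format-Table -AutoSize
}

if (-not $Enforce) {
    "Audit only. Re-run with -Enforce to disable SMBv1 and block inbound TCP 445."
    return
}

# 2. Disable the SMBv1 server protocol (persists across reboots).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Block inbound SMB on the host firewall. Scope -Profile or add -RemoteAddress
#    exceptions if this host must still serve shares to specific systems.
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
"SMBv1 disabled and inbound TCP 445 blocked on $env:COMPUTERNAME"
```

On a file server the sensible outcome of the audit is usually "disable SMBv1, keep 445 open to the clients that need it"; on workstations and servers that publish no shares, blocking 445 inbound removes the exposure entirely.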


Anti-Virus

It is always important to use anti-virus products and to keep them up to date.

User Education

User education and awareness is key; users must be educated about these types of attacks and how to defeat them. Don’t forget that we run a number of Cyber Awareness programs which inform users about ransomware amongst other vectors. For more details see
http://www.ipa-sec.org/courses/half-day-cyber-security-briefings-for-staff-and-senior-management/


Links of Interest

Europol’s NoMoreRansom project: this site has a lot of practical information about ransomware attacks and provides decryption keys for some versions of ransomware. https://www.nomoreransom.org/

Previous articles on Ransomware

http://www.ipa-sec.org/ransomware-part-1-what-it-is/

http://www.ipa-sec.org/ransomware-part-2-from-knights-to-the-international-aids-conference-and-beyond/

http://www.ipa-sec.org/ransomware-part-3-threats-and-culture/
