Do you really want to make me cry
On Friday, May 12, the Internet was rocked by
a zero-day ransomware attack now known as WannaCry. WannaCry encrypts files on
infected computers and then attempts to extort a ransom from its victims. In
this case, the demanded payment was for bitcoins valued at $300 initially,
rising to $1200 US dollars as time went by. The initial infection vector
was by way of phishing emails, but an infected system would also attempt to
propagate the infection by exploiting unpatched vulnerabilities in the Windows
SMB service. The infection appeared first in the UK and Spain, but quickly
spread worldwide. We discussed the initial details of the outbreak in “How to protect
from WannaCry, the ransomware that infected the World”, but in this post we will dig
deeper into what you can do to protect your network from this attack and from the
future attacks that will likely leverage some of the same NSA tools, and share some
news that those of you who were infected may find welcome.
Things you can do right now
- Get a file backup system set up and running RIGHT NOW. Even
if you are only going to use Volume Shadow Copy and an external USB drive,
having a backup of critical data is the first step in recovering from any
number of disasters, not just from malware. OneDrive for Business,
Dropbox, and other cloud-based storage systems are another great approach
to take.
- Update! Seriously, go, right now, and
update everything you have. The biggest vulnerability
WannaCry exploited to spread was patched by Microsoft in March with the
release of MS17-010 on 2017-03-14. Admins running current systems, who
were impacted by the spreading malware exploiting this vulnerability,
share in the responsibility for the impact to their systems since a patch
was available several weeks before the exploit hit.
Microsoft even took the unprecedented step of
releasing patches for end-of-life versions of Windows, including XP and 2003.
These two operating systems have been end-of-life for years, but are still
widely in use.
- Upgrade! If you are still using end-of-life systems, and
there is any way to upgrade to a current version of Windows (or other
operating system), you need to do so. Seriously, the vulnerability
exploited was patched back in March for every version of the operating
systems in either mainstream or extended support. If you were current, you
were protected from the spread, though not from the initial infection by
downloading and executing malware. For that, consider removing admin
rights from users, and using web filtering software to block downloads of
unknown or potentially malicious files.
- Lock down and screen anything you cannot update/replace. If
you cannot replace them, upgrade them, or shut them down, then you should
reduce their connectivity to only the absolute minimum necessary to
provide their critical functions. Remove users’ rights to the system,
either remove the default gateway or ensure they must go through a proxy
with limited permitted access, and then pressure the vendor of whatever
application is keeping you on legacy operating systems to provide an
update to a supported version of Windows. There are lots of apps out there
that businesses need, and which don’t have versions that will run on
Windows 10, but the systems running them probably don’t need Internet access,
and regular users (with or without admin rights) shouldn’t be using them as
their workstation. Firewall them off from anything they don’t have to
communicate with as an additional step so they don’t become patient zero on
your network.
- Scan your network, and any cloud storage you are using in
your business, for files whose extension ends in CRY (the pattern *CRY), so you
can quarantine any infected systems.
- Disable SMB1.0. Seriously, it’s a 30-year-old protocol and
nothing on your network should require it these days. If something does,
this is a great way to smoke that out and get rid of it! Start with “Disable SMB v1 in Managed
Environments with Group Policy” and work your way
through from there.
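The scan in the list above, as an added example that is not code from the original post: a PowerShell sweep of local drives, file shares and cloud-sync folders for files whose name ends in CRY (the post's *CRY pattern; it matches the .WNCRY extension WannaCry gives the files it encrypts), with a per-host summary so the affected systems can be pulled off the network. Every path in $ScanRoots is a placeholder to be replaced with your own.

```powershell
# Added example, not code from the original post: sweep a set of roots for
# files whose name ends in "CRY" and summarize the hits per host.
# Every path in $ScanRoots is a placeholder; substitute your own shares.
$ScanRoots = @(
    'C:\Users',
    '\\FILESERVER01\Shares',               # placeholder UNC path to a file share
    'C:\Users\jdoe\OneDrive - Contoso'     # placeholder cloud-sync folder
)
$ReportPath = Join-Path (Get-Location) 'wannacry-scan.csv'

$Hits = foreach ($Root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Skipping unreachable path: $Root"
        continue
    }
    # -Filter is evaluated by the file-system provider, so it is much faster
    # than piping every file through Where-Object; -Force includes hidden files.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter '*CRY' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # On a UNC path the server name is the first path segment; a local
            # path belongs to this machine.
            $HostName = if ($_.FullName -like '\\*') { ($_.FullName -split '\\')[2] } else { $env:COMPUTERNAME }
            # The owner of a newly written encrypted file is typically the
            # account the malware ran as, which points at the machine that did
            # the encrypting rather than the share that merely holds the files.
            $Acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Host          = $HostName
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Owner         = if ($Acl) { $Acl.Owner } else { 'unknown' }
            }
        }
}

if (-not $Hits) {
    Write-Host 'No *CRY files found under the scanned roots.'
    return
}

$Hits | Sort-Object LastWriteTime | Export-Csv -LiteralPath $ReportPath -NoTypeInformation

# Per-host summary with the earliest write time: the host whose files were
# touched first is the lead on where the infection entered the network.
$Hits | Group-Object Host | ForEach-Object {
    $First = ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    '{0,-20} {1,6} files   first seen {2:yyyy-MM-dd HH:mm}' -f $_.Name, $_.Count, $First
}
Write-Host "Details written to $ReportPath"
```

Run it from an account that can read every share in the list; a host that shows up in the summary is one to isolate, and the Owner column in the CSV is the first thing to check when deciding which machine to treat as patient zero.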
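The SMB1 and firewall steps from the list above, as an added example that is not code from the original post or from Microsoft: a PowerShell script for a supported Windows host (Windows 8.1 / Server 2012 R2 or later is assumed) that turns SMB1 off on both the server and client side, writes the same registry value the Group Policy approach in the linked Microsoft post sets, and limits inbound SMB to an approved management subnet. The legacy XP/2003 boxes themselves cannot run this; it is for the supported machines around them, which is where the spread was stopped. $ManagementSubnet is a placeholder for your own range.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: disable SMB1 and restrict
# inbound SMB on a supported Windows host. $ManagementSubnet is a placeholder.
$ManagementSubnet = '10.0.100.0/24'

# --- 1. SMB1 server: stop offering the protocol. New connections are affected
#        immediately; existing SMB1 sessions are dropped.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# --- 2. The registry value that the Group Policy method manages, so audits
#        that read the policy value see the same answer.
$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $LanmanServer -Name SMB1 -Type DWord -Value 0 -Force

# --- 3. Remove the SMB1 component itself. Servers use the role/feature
#        cmdlets, clients the optional-feature cmdlet; both need a reboot.
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# --- 4. SMB1 client driver: stop it loading and drop it from the workstation
#        service's dependencies, so this host cannot speak SMB1 outbound either.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- 5. Firewall: inbound SMB only from the management subnet. Disable the
#        built-in SMB-In allow rules, make sure the inbound default is Block on
#        every profile, then add a single allow rule scoped to the subnet.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object DisplayName -like '*SMB-In*' | Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'SMB inbound - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -RemoteAddress $ManagementSubnet `
    -Action Allow -Profile Any | Out-Null

# --- 6. Verify. SMB1 should report False, and any remaining enabled inbound
#        allow rule that still opens TCP 139/445 (or all ports) to more than the
#        management subnet is something to review by hand.
$Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMB1 server protocol enabled: $Smb1Enabled"
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        $Pf = $_ | Get-NetFirewallPortFilter
        ($Pf.Protocol -in 'TCP','Any') -and
        ($Pf.LocalPort -contains '445' -or $Pf.LocalPort -contains '139' -or $Pf.LocalPort -eq 'Any')
    } |
    ForEach-Object {
        $Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-45} remote: {1}' -f $_.DisplayName, ($Remote -join ',')
    }
```

Steps 1, 2 and 4 take effect without a restart; step 3 finishes on the next reboot. The verification list in step 6 is deliberately broad: the allow rule you just created should be the only SMB-related entry, and anything else listed is either an application rule that needs the same subnet scoping or a rule that should be disabled.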
Good news for those who were victimized
There is a “bug” in how the WannaCry malware
encrypts victims’ files. Adrien Guinet has released a tool that can help you
recover your encrypted files. That first tool recovers the private key (or
rather the prime numbers it was built from) that WannaCry used on the infected
machine. You can download it from https://github.com/aguinet/wannakey and run it on infected machines, as long as they have not been
rebooted since infection. If that tool does recover the primes, you can use one
of a pair of tools to try to recover your data. A github user who goes by the alias
odzhan has released wanafork, downloadable from https://github.com/odzhan/wanafork/, while Benjamin Delpy has released wanadecrypt at https://github.com/gentilkiwi/wanadecrypt. Use of any of these tools is for IT pros, as the instructions
are definitely NOT written for end users. They are also best effort, with
nothing guaranteed, but anything is better than nothing, and these stand as
good a chance as anything of getting your encrypted files back.
If there are any lessons to learn from this
event, the most important ones are:
- Legacy support may be necessary, but should never be your
long-term strategy
- Patching is good, and the risks of a bad patch are far less
than the risks from what can happen if you aren’t patching
- Users still fall for phishing attacks, so user education and
mail filtering are both more important than ever
- Backups are critical.
If you are not fully current, take WannaCry as
the wakeup call you need to get current as soon as you can. Based on what
ShadowBrokers have publicly stated, there are still more tools to release,
which means that more malicious attacks are soon to follow. While getting fully
current and completely patched may not protect you from everything that could
come up, we know that being on out-of-date operating systems and unpatched
computers is just asking for trouble!
Did you, or someone you know, fall victim to
WannaCry? If so, please leave a comment and let us know what happened and the
extent of the damage. No names or company names are requested. I just want to
get a feel for where things stand with our readers. Thanks!