Everything You ‘Wanna’ Know About WannaCry (Part 2)
Following on from our last blog on the WannaCry attack, we’re now moving on to ways for you to protect your environment from ransomware. Ransomware isn’t like normal hacking: attackers deliberately target vulnerable organizations that feel they must pay because they have no other options. Any company that needs daily access to critical data is at risk: banks, hospitals, police departments and any large corporation.
While the WannaCry incident was a rare case of worldwide infection that hit systems without anyone needing to open an email, the ransomware still spread across the network, encrypted everything it could find, and demanded payment in untraceable Bitcoin.
There are a few key things that need to be done to protect yourself from ransomware, but ultimately IT security isn’t just an ‘IT’ issue: it’s a business one. People need to be held accountable for poor security, and IT security needs to be handled by an expert, not a random member of staff. If IT security is taken as seriously as any other business asset, then the profitability, processes, property and data of the business are protected. IT professionals usually understand the need to do the hard work and want to do it, but without financial and professional support it is an unwinnable battle; convincing executives who know nothing about IT security of the intricacies of malware is difficult until an attack happens. By that stage, the nightmare scenario of lost profit, data and reputation has already begun, and IT professionals are left with the responsibility of dealing with the problem and cleaning up the aftermath.
Back it up. Have a Recovery Plan
Backing up your data is the obvious answer should things go wrong, but it isn’t as simple as you might think: data is scattered everywhere. In a perfect world your data policies would minimize the locations where users can store data, but that’s rarely the case. Ransomware encrypts everything it can reach, so if your data is spread far and wide, it will get hit.
How about a disaster recovery site? It’s not the most convenient option, but if your data is stored on servers it should help you get back on your feet. However, if a ransomware attack is conveniently timed, for example on a weekend after employees have gone home, and you don’t see the problem until Monday, does your system have a long enough retention period for a failover? Your recovery plan needs to take these kinds of situations into consideration—hackers don’t follow a 5-day work week.
Backing up to the cloud is a great option, but if you back up to a local storage device or server, it must be offline, used only while backing up, and never connected to desktop systems. Recovering from a backup isn’t entirely painless either; it may take time for everything to be up and running again, and during that time work stops.
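The two questions the section raises, whether an offline backup set is still intact and whether enough history is kept to survive a weekend's delay, can both be checked with a short script. The following is an added example and not code from the original post; it assumes backups are written as one folder per run named `yyyy-MM-dd` under `$BackupRoot`, and that `New-BackupManifest` is run right after each backup to record SHA-256 hashes in a `manifest.json` (the manifest layout is also an assumption).

```powershell
# Added example, not code from the original post: verify that an offline backup set
# has not been altered since it was written, and that enough backup history exists
# to survive a late-discovered infection. Assumptions: backups live under $BackupRoot
# as one folder per run named yyyy-MM-dd, and a manifest.json of SHA-256 hashes is
# written by New-BackupManifest right after each run.
param(
    [string]$BackupRoot = 'E:\Backups',   # an offline disk, attached only while backing up
    [int]$RequiredRetentionDays = 14      # must cover a weekend plus the time it takes someone to notice
)

function New-BackupManifest {
    # Record the SHA-256 of every file in a freshly written backup set.
    param([string]$SetPath)
    $entries = Get-ChildItem -Path $SetPath -Recurse -File |
        Where-Object { $_.Name -ne 'manifest.json' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($SetPath.TrimEnd('\').Length).TrimStart('\')
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    ConvertTo-Json -InputObject @($entries) | Set-Content -Path (Join-Path $SetPath 'manifest.json')
}

function Test-BackupSet {
    # Re-hash every file and compare it with the manifest. Anything encrypted or
    # deleted after the manifest was written (for example by ransomware reaching a
    # backup disk that was left connected) is reported as a problem.
    param([string]$SetPath)
    $manifestPath = Join-Path $SetPath 'manifest.json'
    if (-not (Test-Path $manifestPath)) {
        return [pscustomobject]@{ Set = $SetPath; Status = 'NoManifest'; Problems = @() }
    }
    $problems = @()
    foreach ($entry in (Get-Content -Path $manifestPath -Raw | ConvertFrom-Json)) {
        $file = Join-Path $SetPath $entry.Path
        if (-not (Test-Path $file)) { $problems += "$($entry.Path) (missing)"; continue }
        if ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $problems += "$($entry.Path) (hash mismatch)"
        }
    }
    $status = if ($problems.Count -eq 0) { 'OK' } else { 'Tampered' }
    [pscustomobject]@{ Set = $SetPath; Status = $status; Problems = $problems }
}

function Test-BackupRetention {
    # The oldest set must be older than the retention window, otherwise an infection
    # that started days before anyone noticed has already aged out every clean copy.
    param([string]$Root, [int]$Days)
    $sets = @(Get-ChildItem -Path $Root -Directory |
              Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
              Sort-Object Name)
    if ($sets.Count -eq 0) { return 'No backup sets found' }
    $oldest = [datetime]::ParseExact($sets[0].Name, 'yyyy-MM-dd', $null)
    $depth  = ((Get-Date) - $oldest).Days
    if ($depth -lt $Days) { "WARNING: only $depth days of backup history, $Days required" }
    else { "Retention OK: $depth days of backup history" }
}

# Usage: run on the machine the offline disk is attached to.
Test-BackupRetention -Root $BackupRoot -Days $RequiredRetentionDays
Get-ChildItem -Path $BackupRoot -Directory |
    ForEach-Object { Test-BackupSet -SetPath $_.FullName } |
    Format-Table Set, Status, @{ Name = 'Problems'; Expression = { $_.Problems -join '; ' } } -AutoSize
```

The manifest must be written while the disk is known-clean and then kept with the set; a set whose files have been re-encrypted will fail the hash comparison on every file, which is a far louder signal than a restore that silently produces unreadable documents.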
Your PC is for Working, not for Storing
PCs are valuable assets to a company, and that in itself is a problem: the data stored on them is valuable to others too! Even with a good disaster recovery plan and backups, PCs with data on them are still a problem, because those recovery methods don’t cover them. Ideally, everyone should treat a PC as a tool, not a storage space. Data should be stored off the PC, on a file server or in the cloud, and this doesn’t have to be complicated: Group Policy folder redirection lets the Desktop, ‘Documents’ and other folders be redirected to a file server, so users in your organization won’t even notice. Migrating data to the cloud is the preferred option, and Office 365 offers many choices, such as Office 365 Groups or SharePoint Online for shared storage.
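Before redirecting folders it helps to know how much data is actually sitting on local disks. The script below is an added example, not code from the original post; it reports where each well-known folder resolves to for the current user, which reflects any Group Policy folder redirection already in place. It assumes OneDrive is the sync client, so `$env:OneDrive` and `$env:OneDriveCommercial` are treated as cloud-synced roots.

```powershell
# Added example, not code from the original post: audit where a user's well-known
# folders actually live. Anything still on the local disk is data that neither the
# file-server backup nor the DR site will ever see. Assumption: OneDrive is the sync
# client, so $env:OneDrive / $env:OneDriveCommercial mark cloud-synced locations.
$cloudRoots = @($env:OneDrive, $env:OneDriveCommercial) | Where-Object { $_ }
$folders    = 'Desktop', 'MyDocuments', 'MyPictures', 'MyVideos', 'MyMusic'

$report = foreach ($name in $folders) {
    $path = [Environment]::GetFolderPath($name)   # honours Group Policy folder redirection
    if (-not $path) { continue }
    if ($path.StartsWith('\\')) { $location = 'FileServer' }
    elseif ($cloudRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }) { $location = 'CloudSynced' }
    else { $location = 'LocalDisk' }
    # How much is at stake if this folder is never backed up.
    $bytes = (Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Folder   = $name
        Path     = $path
        Location = $location
        SizeMB   = [math]::Round(($bytes / 1MB), 1)
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.Location -eq 'LocalDisk' } |
    ForEach-Object { Write-Warning "$($_.Folder) is local-only ($($_.SizeMB) MB) at $($_.Path)" }
```

Run it in the user's own session (the paths are per-user); collected across a fleet, the `LocalDisk` rows are the list of machines where a ransomware hit would mean real data loss rather than a reimage.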
Block it, Patch it
Microsoft released patches in March that protected users from WannaCry, but expecting users to install every update themselves is a losing bet. For XP systems a patch was released later, but this was an exception—Microsoft ended support for Windows XP long ago. The only options in this scenario are to update your OS and start patching!
Restricting what software your users can run is another option. Whitelisting prevents anything that isn’t approved by IT from being installed or run. Other methods include limiting users’ permissions so they can’t install anything without an administrator’s password. Admins can also segment critical data: instead of every employee accessing files on one server, employees can be divided into smaller groups, so if one server is hit by ransomware, everyone else is still safe.
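Whitelisting on Windows is usually done with AppLocker, and the safe way to start is to generate rules from what is already installed and dry-run them before enforcing anything. The following is an added example, not code from the original post or any vendor; it needs the AppLocker PowerShell module (available on Windows Enterprise and Server editions) and an elevated session, and the output path is an assumption. It also lists local administrators, since those accounts bypass the installer password prompt the section mentions.

```powershell
# Added example, not code from the original post: build a draft whitelist from what is
# already installed, dry-run it against a user's Downloads folder, and list who can
# bypass the installer's admin prompt anyway. Needs the AppLocker module (Windows
# Enterprise/Server) and an elevated session; the output path is an assumption.
Import-Module AppLocker

$policyXml   = 'C:\Temp\applocker-draft.xml'
$downloadDir = Join-Path $env:USERPROFILE 'Downloads'

# 1. Inventory the executables in IT-approved locations and turn them into rules:
#    publisher rules where binaries are signed, hash rules as the fallback.
$approved = @('C:\Program Files', 'C:\Program Files (x86)') |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 2. Dry run: which executables a user has downloaded would this policy refuse to run?
$candidates = Get-ChildItem -Path $downloadDir -Filter *.exe -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 3. Least privilege: anyone in the local Administrators group can install whatever
#    they like without being prompted for someone else's password.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# 4. Deploy only after the dry run looks right: set EnforcementMode="AuditOnly" on the
#    Exe rule collection in the XML, apply it, and review the AppLocker event log
#    before switching to enforcement.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

The inventory step can take a while on a machine with many installed programs, and the generated policy deliberately says nothing about the Windows directory itself; in practice you add the default rules for it and roll the policy out in audit mode through Group Policy rather than per machine.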
Infected systems must be disconnected from the network, with Bluetooth and Wi-Fi disabled, to stop the infection spreading to other machines. The strain of ransomware should then be identified; if it’s a known variant, anti-virus companies may have decryption tools to help you unlock your files.
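The isolation step can be scripted so it is done the same way every time and leaves a record of what the host was talking to. The script below is an added example, not code from the original post; it must be run from an elevated session at the machine's own console (it will cut off any RDP session), and the `C:\IR` folder used for the record is an assumption. The host is left powered on so the sample is available for the strain identification step that follows.

```powershell
# Added example, not code from the original post: isolate a suspected-infected host
# from an elevated session at its console (not over RDP, which this will cut off).
# The host stays powered on so the sample and volatile evidence survive for the
# strain identification step. Adapter state is saved so isolation can be reversed.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$record = "C:\IR\isolation-$stamp.json"       # assumption: local folder for IR notes
New-Item -ItemType Directory -Path (Split-Path -Parent $record) -Force | Out-Null

# 1. Record what is connected right now, for the report and for later reversal.
$before = [pscustomobject]@{
    Adapters    = @(Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, MacAddress)
    Connections = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess)
}
$before | ConvertTo-Json -Depth 4 | Set-Content -Path $record

# 2. Block everything at the host firewall first: it is instant and still applies if
#    an adapter comes back. Then disable the adapters themselves.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false

# 3. Turn off the Wi-Fi and Bluetooth radios so the machine cannot rejoin on its own.
Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue | Disable-PnpDevice -Confirm:$false
Get-PnpDevice -Class Net -Status OK -ErrorAction SilentlyContinue |
    Where-Object { $_.FriendlyName -match 'Wireless|Wi-Fi|802\.11' } |
    Disable-PnpDevice -Confirm:$false

# 4. Confirm: no adapter up, no established sessions.
$stillUp        = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
$stillConnected = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)
if ($stillUp.Count -eq 0 -and $stillConnected.Count -eq 0) {
    Write-Host "Host isolated. Pre-isolation state saved to $record"
} else {
    Write-Warning "Isolation incomplete: $($stillUp.Count) adapter(s) up, $($stillConnected.Count) connection(s) open"
}
```

The saved JSON doubles as the first page of the incident record: the established connections at the moment of isolation show which internal hosts need checking next.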
While WannaCry didn’t arrive by email, much ransomware does. Make sure your users are aware of the risks and are suspicious of unexpected emails. Attackers are becoming more sophisticated, and the days of badly spelt emails and cut-and-paste logos are fading. The phrase “If it ain’t broke, don’t fix it” will never apply to technology, and especially not to IT security!
Antivirus and Advanced Threat Protection
Even after updating your antivirus and moving to Windows 10, the risk of zero-day threats remains. A zero-day threat exploits a vulnerability that is unknown to the vendor and its users (or known, but not yet fixed), so normal antivirus protections aren’t effective against it. If developers aren’t aware of the exploit, by the time it is discovered it’s often already too late. To reduce the risk from zero-day threats, installing firewalls, keeping antivirus up to date, and patching your systems is a good start.
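The three controls this section and the patching section recommend can be checked together on a Windows 10 or Server 2016 host. The script below is an added example, not code from the original post; `$requiredKBs` is a placeholder to be filled from Microsoft's bulletin for your Windows version, the Defender cmdlets are assumed (other antivirus products expose status through their own tooling), and it goes one step beyond the post by also checking whether the SMBv1 protocol that WannaCry spread over is still enabled.

```powershell
# Added example, not code from the original post: a local posture check for the
# controls this post recommends (patches, host firewall, antivirus) plus one WannaCry-
# specific item the post does not mention: whether the SMBv1 protocol it spread over
# is still installed. $requiredKBs is a placeholder: fill it from Microsoft's bulletin
# for your Windows version. Defender cmdlets are assumed; other AV products differ.
$requiredKBs         = @('KB<placeholder>')   # placeholder, not a real update id
$maxSignatureAgeDays = 2

$findings = New-Object System.Collections.Generic.List[string]

# 1. Patching: are the required updates installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $requiredKBs) {
    if ($installed -notcontains $kb) { $findings.Add("Missing update $kb") }
}

# 2. Unsupported OS (Windows XP is 5.1; raise the threshold as support lifecycles end).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.0') { $findings.Add("Unsupported Windows version $($os.Version)") }

# 3. Attack surface: SMBv1 still installed?
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') { $findings.Add('SMBv1 is still enabled') }

# 4. Host firewall on for every profile?
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $findings.Add("Firewall disabled for profile $($_.Name)") }

# 5. Antivirus: real-time protection on and signatures fresh?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Windows Defender status unavailable (other AV product, or service off)')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    $age = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
    if ($age -gt $maxSignatureAgeDays) { $findings.Add("AV signatures are $age days old") }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run from an elevated session; the feature and Defender checks need it. None of these findings stops a true zero-day, which is the section's point, but each one closes a path that known malware, WannaCry included, actually used.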
Ultimately, no system is 100% secure, but in the case of the WannaCry attack the appropriate measures weren’t taken. Not only were business operations brought to a halt, but hospitals were shut down and patients were affected. Malware is no joke, and the losses aren’t purely financial either—your information can be recorded and stolen, your network and systems can be infiltrated and seriously damaged, keystrokes can be recorded, and an attacker can even take control of your computer. More information on the different types of malware can be found here.