May 17, 2017
The WannaCry ransomware attack and how to protect your organization
With the recent WannaCry attack, ransomware is back in the news. Around 200,000 systems were hit by this malware, which blocked doctors from gaining access to patient files and forced emergency rooms to send people away. Unpatched Windows XP and Server 2003 systems were the culprit of this mass ransomware worm, which spread around the world via a few email link clicks.
What is ransomware?
As a refresher, ransomware is a form of malware that targets critical data and systems for the purpose of extortion. It's frequently delivered through phishing emails. After the user has been locked out of the data or system, the cyber attacker demands a ransom payment in order for the user to (supposedly) regain access.
How can you protect your networks?
Securing your network starts with user education and training – this way, your staff can be the first line of defense. Here are some of the preventative measures the U.S. Government (USG) recommends to protect computer networks from a ransomware infection:
- Implement an awareness and training program.
- Scan all incoming and outgoing emails to detect threats.
- Configure firewalls to block access to known malicious IP addresses.
- Patch operating systems, software, and firmware on devices.
- Manage the use of privileged accounts based on the principle of least privilege.
- Disable macro scripts from office files transmitted via email.
- Implement controls to prevent programs from executing from common ransomware locations.
- Consider disabling Remote Desktop protocol if it is not being used.
- Execute operating system environments or specific programs in a virtualized environment.
- Categorize data based on organizational value.
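As an added example (not part of the original post), here is a PowerShell audit that checks three of the measures above on a local Windows host: whether Remote Desktop is disabled, whether Office macros are blocked by policy, and whether AppLocker executable rules exist. The registry values are the standard Windows and Office policy locations; the Office version key (16.0) and the presence of the AppLocker module are assumptions.

```powershell
# Added audit example, not the post's own code. Reports PASS or REVIEW for
# three of the preventative measures listed above. Run in an elevated shell.

function Test-RdpDisabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $val = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    return ($val -eq 1)   # 1 = incoming Remote Desktop connections are denied
}

function Test-OfficeMacrosBlocked {
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016/2019/365 key
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # VBAWarnings 4 = disable all macros without notification;
        # blockcontentexecutionfrominternet 1 = block macros in files that came from
        # the internet, which covers documents arriving as email attachments.
        if ($p.VBAWarnings -ne 4 -and $p.blockcontentexecutionfrominternet -ne 1) {
            return $false
        }
    }
    return $true
}

function Test-AppLockerConfigured {
    # Assumes the AppLocker module is available (Enterprise/Server editions).
    # A non-empty Exe rule collection shows execution controls exist; which
    # paths they cover (temp, profile, download folders) still needs review.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return $false }
    $exe = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
    return ($null -ne $exe -and $exe.Count -gt 0)
}

$results = [ordered]@{
    'Remote Desktop disabled'            = Test-RdpDisabled
    'Office macros blocked by policy'    = Test-OfficeMacrosBlocked
    'AppLocker executable rules present' = Test-AppLockerConfigured
}
foreach ($check in $results.Keys) {
    $status = if ($results[$check]) { 'PASS' } else { 'REVIEW' }
    Write-Output ('{0,-36} {1}' -f $check, $status)
}
```

A REVIEW result is a prompt to confirm the setting against your own policy (for example, RDP may be legitimately required), not a finding on its own.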
Infected with ransomware? Do this.
Health and Human Services' Office of Civil Rights requires healthcare organizations to report a health data breach of 500 records or more within 60 days of discovery. Should your preventive measures fail, here are some of the steps the USG recommends that organizations take:
- Isolate and remove infected systems from the network as soon as possible.
- Separate or power-off affected devices that have not yet been completely corrupted.
- Immediately secure backup data or systems by taking them offline.
- Contact law enforcement immediately.
- If possible, change all online account passwords and network passwords after removing the system from the network.
- Implement your security incident response and business continuity plan.
To pay or not to pay.
There are serious risks to consider before paying the ransom. USG does not encourage paying a ransom to criminal actors. Why? Some victims who paid the demand did not regain data access, some were targeted again by cyber actors, and some were asked to pay more to get the promised decryption key. Plus, paying could inadvertently encourage this criminal business model.
How law enforcement can help.
Law enforcement agencies and the Department of Homeland Security's National Cybersecurity and Communications Integration Center can assist organizations in implementing countermeasures and provide information and best practices for avoiding similar incidents in the future. Affected organizations should conduct a post-incident review of their response to the incident and assess the strengths and weaknesses of their incident response plan.
Report and mitigate ransomware attacks.
If you have questions or want more information about reporting ransomware attacks, contact the FBI cyber task forces at www.fbi.gov/contact-us/field or the Internet Crime Complaint Center at www.ic3.gov. To mitigate an attack, visit the Department of Homeland Security at www.us-cert.gov or the NIST cybersecurity framework at http://www.nist.gov/cyberframework/. Finally, our team is happy to help answer your questions or provide guidance; reach out to us.