Ransomware is malicious software designed to cause severe disruption and loss of service in return for ransom money. Your business is then forced to pay the attackers (usually in Bitcoin) to regain access to its files. The recent attack against the NHS and businesses in 90 other countries has put Ransomware at the forefront of every IT manager’s mind. The attack itself exploits a Microsoft Windows vulnerability that has been patched for some time – which emphasises the need for a comprehensive update regime.
Here are 12 steps that can help your business defend against WannaCry and similar Ransomware:
- Enable automatic updates in Windows. A significant percentage of attacks and ransomware infections are made possible by bugs and exploits in Windows. With automatic updates enabled, your PCs are updated soon after Microsoft releases a patch. You can use the Windows Minitool to enable automatic updates.
- Ensure you have backups. A simple one really: make sure that you back up all of your important files and data. For businesses, this should form part of your DR and BCP planning. A comprehensive and regular backup regime is important to ensure you can recover from a disaster, such as an outage or a ransomware infection!
- Make sure your antivirus and endpoint protection is up to date. Antivirus won’t stop all threats, but it still has a place in the fight against malware. MTG recommend the use of FortiClient, Sophos and Trend.
- Consider advanced malware protection. Several other solutions provide advanced protection against malware; these include Bit9, CrowdStrike, SentinelOne and others. They are more expensive than traditional AV but are often far more effective at identifying and stopping modern threats.
- Enable Intrusion Prevention System (IPS) and Antivirus on your firewall. The IPS and IP reputation systems of the Fortigate firewalls can detect unusual behaviour or network traffic destined to high-risk sources. If your business does not have IPS, consider upgrading or replacing your firewall.
- Install the MS17-010 patch. This patch specifically addresses the EternalBlue vulnerability, released in April. It can be installed using automatic updates, or it is available here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Install an Internal Network Firewall (INFW). For organisations with several sites, a WAN or sites connected by VPN – an internal network firewall can ensure any malware infection does not spread between sites. For enterprise networks with multiple VLANs or functional departments, the INFW can screen traffic flowing between business units.
- Review your file permissions, consider least privilege. Does your business really need to grant access to ‘Everyone’ or ‘All Users’?
- Sandbox. A sandbox will open files and check for malware or high-risk behaviours before the files are delivered to your users. A Sandbox can check e-mail attachments and files.
- A Secure Internet Gateway such as Cisco Umbrella can help prevent access to high-risk websites and may also help detect existing malware infections.
- Review activity. As an IT manager or business owner, you should be able to detect unusual activity or behaviour within your network or internet connection – this is often the first sign of infection. Consider using a SIEM or management service.
- User Education. The most important one. Train your users not to open attachments or links sent by untrusted sources. Human error and lack of education account for a significant portion of malware infections.
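To put the file-permissions step into practice, here is an added PowerShell script (not part of the original post, and not an MTG tool) that walks a folder tree and reports every ACL entry granting write, modify, delete or full-control rights to broad groups. The root path and the list of "broad" principals are assumptions; adjust them to your own shares.

```powershell
# Added example: audit folder ACLs for broad write access (the sort of rights
# a ransomware process running as an ordinary user needs to encrypt shared data).
param(
    # Assumption: where your shared business data lives; change to your share roots.
    [string[]]$Roots = @('C:\Shares'),
    # Assumption: principals you consider "too broad" for write access.
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users'
    )
)

# Rights that allow data to be overwritten or removed.
$WriteClass = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Modify -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter here; Deny entries reduce access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        # Bitwise test: does this ACE carry any write-class right?
        if (($ace.FileSystemRights -band $WriteClass) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($root in $Roots) {
    Test-BroadWriteAccess -Path $root
    Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-BroadWriteAccess -Path $_.FullName }
}

# Inherited = False marks the folder where the broad grant was actually set.
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it as an account that can read the ACLs of the share roots; entries with Inherited = False are the places to review first, since fixing those removes the grant from everything beneath them.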
UPDATE: For users running Windows XP or Windows 2003, Microsoft has released patches: https://www.engadget.com/2017/05/13/microsoft-windowsxp-wannacrypt-nhs-patch/
For home-users the steps are similar:
- Enable Automatic Updates
- Install the MS17-010 Patch
- Keep AV up to date
- User education.
- Consider a secure cloud gateway such as Cisco Umbrella or the free version (for home users)
Something like this is incredibly significant, we’ve not seen P2P spreading on PC via exploits at this scale in nearly a decade.
— MalwareTech (@MalwareTechBlog) 12 May 2017
If you would like any advice on how your business can enhance its defence capabilities to help safeguard the business against ransomware, please get in touch. There is no single solution; a robust defence is really the culmination of several controls (AV, firewalls, IPS, etc.), user education and support from the board.
For larger organisations with a far greater scope (and risk exposure!), you should consider investments in technologies such as IPS, sandboxing, internal network firewalls and managed services.
In the meantime, happy patching and stay vigilant.
Call : +44 1624 640400
E-mail : firstname.lastname@example.org