Author: Matt Ahrens
The WannaCry ransomware is staying true to its name, having infected systems in at least 99 countries, according to one CNN report. The mass infection rate is driven by an automated propagation technique and by exploits taken from the recent NSA tool leak. The replication method targets a Windows vulnerability and allows the ransomware to spread through an environment once a single system is infected, forming a crypto-worm.
While the initial attack vectors are still being fleshed out, early reports indicate a mix of remote access exploits, phishing campaigns, and additional leaked NSA exploits. Organizations already impacted by WannaCry should follow their standard disaster recovery plans to attempt to restore their services. For those not yet impacted, the following recommendations can help keep your environment safe.
- Update your Windows systems to the latest patches. Microsoft has released patches that fix the vulnerability WannaCry uses to propagate throughout environments. The patches extend to Windows XP, which Microsoft no longer officially supports, a sign of how significant this threat is.
- Segment your network to ensure Internet-facing systems do not have direct access to the internal network.
- Ensure all remote access methods require multi-factor authentication. This will help mitigate unauthorized access into the environment with stolen credentials.
- Ensure AV is installed and up to date on all systems. AV companies have been closely monitoring the situation and are providing updates to help combat the threat.
- Leverage Intrusion Prevention Systems (“IPS”) to help prevent exploits from reaching systems in your environment.
- Educate employees on phishing emails and continuously test employees through phishing-as-a-service tools.