
Ransomware WannaCry? Not Me. Here's Why.

Product Manager

The latest attack seemingly took the world by surprise. However, most of the affected users were running unpatched and unlicensed versions of Windows. How do we take a stand against ransomware and avoid being sidelined by these attacks? Here are a few things that I do and am happy to share, in an effort to help strengthen your resistance to these attacks.

****

Update:  Assuming is never a good idea! Of course, your need for data backups is critical in ransomware attacks. But, it's not enough to have backups. You must also validate that they are usable and that the process works through testing.

****

  1. File Integrity Monitoring
    1. Monitor your files for things like changing file extensions, file moves, and authorization changes. Log & Event Manager (LEM) is vital here in helping protect your business's information.
  2. Group Policies for Windows
    1. Deploy CryptoLocker prevention kits, which use Group Policy to stop ransomware from installing in its most common locations.
    2. Make sure the Users group does not have full access to folders. I see this a lot, where a user group has full access to numerous folders.
    3. Make sure that users do not have rights to the registry!
  3. Static Block List
    1. Block known Tor IP addresses, for example 146.185.220.0/23.
  4. Limit network share access
    1. If attackers are able to penetrate and reach a server, you do not want to freely allow the ransomware full access to network shares. You also do not want a general user to have access to network shares that hold mission-critical data. Think about this: make sure you are applying policies and not giving users access to things they shouldn't have. Allowing such access gives attackers the same level of access.
  5. Update patching on servers
    1. If you are not patching your servers, you are exposed to vulnerabilities that are already publicly known. Stop being low-hanging fruit and start being the insect spray that keeps these attacks to a minimum. Patch Manager will help you schedule and push patches out so you are not worrying about being up to date.
    2. A lab environment is key to making sure your third-party software can receive a patch without trouble. We all know that when software or an application is released, it is not aware of what's coming in the future. That is why setting up a lab environment to test patches is a great way to help you patch without worrying about breaking an application in the process.
  6. Spam
    1. For the love of everything great, update your spam filters. This is key to keeping malware from reaching people who are not aware of these attacks, who then end up being blamed. Preventing these emails of destruction helps keep your teams aware. You can even use them for user education.
  7. Test your plan
    1. Send a fake ransomware email to your business. See who reacts and within which departments. This will help you train people within their areas not to react to these types of emails.
    2. You may be surprised at how many people will click and simply give away their passwords. This is an opportunity for you to shine as an IT organization by using this information to help get funds and user training for the business.
  8. Web filter
    1. Control the sites that users can access. Use egress (outbound) traffic filtering to block connections to malicious hosts.
  9. Protect your servers and yourselves
    1. Have a company-wide anti-virus/anti-malware program that is updated and verified. Patch Manager will help you determine who is up to date and who is not!
  10. Web settings
    1. Verify that your web settings do not allow forced downloads.
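Item 1 (file integrity monitoring) is worth seeing in working form. The following is an added example, not code from the post or from SolarWinds LEM: a snapshot-based integrity check that hashes every file under a directory, diffs two snapshots, and treats a burst of extension renames plus content changes as the ransomware pattern the post describes. The alert threshold, the sample directory tree, and the simulated encryptor in demo() are all constructed for the example.

```python
"""Snapshot-based file integrity check that flags ransomware-like churn."""
import hashlib
import os
import tempfile
from pathlib import Path, PurePosixPath

# Fraction of the baseline file set that may change extension or content in
# one interval before the check raises an alert (constructed threshold).
ALERT_RATIO = 0.2


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(before, after):
    """Classify changes between two snapshots.

    A file that vanished while a new file with the same directory and stem
    appeared (report.docx -> report.docx.locked or report.locked) is recorded
    as an extension rename, the typical footprint of an encryptor.
    """
    removed = set(before) - set(after)
    added = set(after) - set(before)
    modified = {p for p in before.keys() & after.keys() if before[p] != after[p]}
    renamed = []
    for old in sorted(removed):
        old_path = PurePosixPath(old)
        for new in sorted(added):
            new_path = PurePosixPath(new)
            same_dir = new_path.parent == old_path.parent
            if same_dir and (new.startswith(old) or new_path.stem == old_path.stem):
                renamed.append((old, new))
                added.discard(new)
                break
    renamed_old = {old for old, _ in renamed}
    return {
        "added": sorted(added),
        "removed": sorted(removed - renamed_old),
        "modified": sorted(modified),
        "renamed_extension": renamed,
    }


def assess(before, diff, alert_ratio=ALERT_RATIO):
    """Return (alert, ratio): alert is True when churn crosses the threshold."""
    if not before:
        return False, 0.0
    churn = len(diff["renamed_extension"]) + len(diff["modified"])
    ratio = churn / len(before)
    return ratio >= alert_ratio, ratio


def demo():
    """Build a small tree, take a baseline, simulate an encryptor, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name in ("docs/a.docx", "docs/b.xlsx", "docs/c.txt", "readme.txt"):
            (root / name).write_text(f"clean content of {name}\n")
        baseline = snapshot(root)
        # Simulated encryptor (constructed): overwrite two documents and
        # append a .locked extension, exactly the churn a FIM tool should catch.
        for name in ("docs/a.docx", "docs/b.xlsx"):
            src = root / name
            src.write_bytes(os.urandom(32))
            src.rename(src.with_name(src.name + ".locked"))
        current = snapshot(root)
        diff = diff_snapshots(baseline, current)
        alert, ratio = assess(baseline, diff)
        for old, new in diff["renamed_extension"]:
            print(f"extension change: {old} -> {new}")
        print(f"churn ratio {ratio:.2f}, alert={alert}")
        return alert, ratio


if __name__ == "__main__":
    demo()
```

In practice the baseline would be stored and the comparison scheduled, and the ratio threshold tuned per share: a build server legitimately rewrites hundreds of files per hour, a finance share does not, so one global number is a starting point rather than a policy.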
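Items 3 and 8 (static block list and egress filtering) come down to the same check: is an outbound destination inside a range you have decided to block? The following is an added example, not code from the post or from any SolarWinds product. It keeps a list of blocked networks, including the 146.185.220.0/23 range quoted above, parses constructed firewall log lines in an assumed key=value style, reports every connection to a blocked range, and tallies which internal hosts need a look. The second block-list entry and all log lines are constructed placeholders.

```python
"""Check outbound connection records against a static block list."""
import ipaddress
import re
from collections import Counter

# Static block list. The Tor range is the one quoted in the post; the second
# entry is a constructed placeholder (TEST-NET-3) standing in for your feed.
BLOCK_LIST = [
    ipaddress.ip_network("146.185.220.0/23"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed firewall log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
2017-05-15T10:02:11Z action=allow src=10.1.4.22 dst=146.185.220.17 dport=9001
2017-05-15T10:02:12Z action=allow src=10.1.4.22 dst=198.51.100.7 dport=443
2017-05-15T10:02:13Z action=allow src=10.1.7.8 dst=146.185.221.200 dport=443
2017-05-15T10:02:14Z action=allow src=10.1.7.8 dst=203.0.113.9 dport=80
garbage line that does not parse
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def blocked_network(addr):
    """Return the block-list network containing addr, or None.

    Handles IPv4 and IPv6 alike and treats an unparseable address as
    not blocked rather than crashing the scan.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in BLOCK_LIST:
        if ip in net:
            return net
    return None


def scan_log(text):
    """Return (src, dst, dport, network) for each connection to a blocked range."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line; skip it
        net = blocked_network(m["dst"])
        if net is not None:
            hits.append((m["src"], m["dst"], int(m["dport"]), str(net)))
    return hits


def hosts_to_triage(hits):
    """Count blocked-range connections per internal source host."""
    return Counter(src for src, _, _, _ in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for src, dst, dport, net in found:
        print(f"{src} -> {dst}:{dport} is inside blocked range {net}")
    for host, count in hosts_to_triage(found).most_common():
        print(f"triage {host}: {count} blocked-range connection(s)")
```

A connection that the firewall still logged as allowed but that lands in a blocked range is the interesting case: it means the block list on the edge device and the list in the log check have drifted apart, which is exactly what periodic review against the same source list is meant to catch.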

There are lots of ways to protect ourselves at work and at home. The main reason I focus on the home in my user education is that we can prevent these attacks from work, but only to a point. When the user goes home, they are an open door. So including user education on ways of protecting home environments is as much the IT team's responsibility as it is the users' own. Once home, ransomware that was blocked from calling out at work could complete that connection and take over the machine.

We can try to protect ourselves with things like LEM, which can alert you when users come online and show whether their files have changed or are being changed. However, NOT clicking the "click bait" email is what will ultimately make end-users stronger links in the equation.

I hope this prompts you to raise questions about your security policies and begin having conversations about setting in place a fluid and active security plan. You never know what today or tomorrow will bring in bitcoin asks...

34 Comments
Level 13

awesome, thanks Dez

Level 14

Good stuff Dez

Thanks for posting.

Level 13

Set-SmbServerConfiguration -EnableSMB1Protocol $false

MVP

Very good. Even the best of us get over provisioned and miss steps or portions time to time. I love checklists to help me avoid missing things.

MVP

Your lab should be realistically close to your production environment to test your patching and other activities....

The one thing I see missing is backups...especially in Ransomware events.

Gotta have good tested and validated backup and recovery just in case....

Thanks Dez

We have been using knowbe4.com as a training resource for this very thing.  I love it, I have at least 2 campaigns a month with it and the users are doing well thus far, but there has been a handful that click the links and I have to send them for more training.

Also I think you summed it up.   But I think modern applications and appliances are also more equipped for these modern issues.   I really like Cylance for my desktop scanning, which is by far head and shoulders over Symantec, ESET, Carbon Black etc...  I think everyone should think outside the box, because patching and filters are not always enough, especially for remote users and traveling sales.  Cyren and other tools really can help keep you safe on the road.   The more creative we are the harder the scumbags have to work to steal our money, data and time.  I move we create anti-hacker / anti-scumbag coalitions.  Someone needs to start striking them back.

Product Manager

You're only as good as your weakest link.  That being said, a campaign and ongoing training can help tighten that chain!

"It is a Circle of Trust" 

~Dez~

Product Manager

THANK YOU!   Another great point of why I like teams to work together to catch a near miss or an assumption, as that is never good for anyone.

~Dez~

MVP

Any time ~Dez~ !

We are all in this together...gotta watch everyone's back.

Level 15

Information and education.  Our only true weapons.  Great article.  I too appreciate checklists.

Level 20

Some good suggestions there... we do all of the above for the most part.  A big reason a lot of people are hit with this recent event was due to not applying the March Security rollup from Microsoft.

MVP

Great post!

Just disable SMB1 everywhere.

These should not have to be said:

  • Keep your systems patched
  • Keep your systems up-to-date with anti-virus / anti-malware solutions
  • Back up your files to off-line / off-site storage solutions
  • Retire obsolete operating systems like XP
  • Do all these things in a timely fashion

It doesn't save money to avoid moving to newer operating systems when Microsoft (or others) declares your existing systems obsolete and/or unsupported.  It puts your system at risk of easy compromise and loss.

How do you manage mobile & tablet infections?

Level 9

Your last sentence seems to imply you blame bitcoin, was that your intent?

Level 9

Checklists are the best.

MVP

Reset to factory and then update to current.

Hopefully you have the apps backed up...

Level 20, MVP

Good article

MVP

We just got this, it will be interesting to see it in action.

Level 14

Well written Dez.  Another item that can help at work is a Passive Vulnerability Scanner.  It is a Snort-like sniffer that can catch old, insecure protocols being used on the network.  It then can reset the communications path and alert on it.

Product Manager

No, I don't blame any outside party for being used with malicious intent.  Just stating that generally "they" are the go-to route for funds.

However,  I'm glad you caught the tip of the hat there.

~Dez~

MVP

Have you looked into InfraGard? I was a member when I lived in Oklahoma City and that branch is very active. InfraGard is sponsored by the FBI, so there are a lot of good assets available.

Product Manager

100%!   Thank you for adding this into the arsenal!

~Dez~

Level 14

Doesn't apply to Windows 10 either.

Product Manager

Nope, but in general, these should help you keep a leg up on these attacks.  Hence patching and upgrading to resolve known issues.

~Dez~

Level 13

Great ideas ... Thanks.

What Passive Vulnerability scanners have you used, and what's your degree of satisfaction with them?

Level 14

Tenable.  It is part of the ACAS system the DoD is now using.  Quite satisfied.

Level 11

Yes, good info for all, Dez!

Level 15

Seemed to be reasonably priced per scanner.  What volumes have you experienced it with, and how well does it integrate into SIEM systems?

Level 15

Tks for your article.

Level 11

Just thought I'd share a recent article from curtisi on this subject: WanaCrypt v1 Detection Rule

Log & Event Manager (LEM) and Patch Manager users should find a lot of value in this. For those of you that are new to these solutions, this provides a small taste of the capabilities of each product to respond to such threats.

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I ventured out to internships and started using the Engineers Toolset from SolarWinds, which made me wonder about software. The company I was with purchased Cirrus, which is now Network Configuration Manager (NCM), and I was officially hooked. I searched out SolarWinds and, well, you guessed it, I started working for them, and believe it or not, in sales. That was the only position open, but I knew I wanted to be here. So I quickly worked my way into the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person, in my 9 years of being at SolarWinds I have decided to pursue more education. Security is always a fascination to me, so I started taking classes on the NSA's INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM). Then I went and took the CIW Masters for web development and ventured into databases: MCITP SQL Server and Development certifications that led me to a database development degree in college. I'm pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds, as I wanted to be able to help customers solve their issues or needs, so knowing more information allowed me to do this successfully. I also dabbled in Cisco UCS management and am currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller, so I'm definitely your huckleberry on MIBs and OIDs.
As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineers Toolset. See why I like to constantly learn new things? I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as Product Manager for NCM is home to me. Funny how I circled back around to my favorite product, the one that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!