Nick Hyatt is a senior consultant with Optiv’s enterprise incident management practice. In this role, he specializes in incident response, threat hunting and digital and malware forensics.
WannaCry Ransomware Recommendations from the Trenches
Approximately one year ago, I wrote a blog post containing actionable recommendations to protect your environment from ransomware threats. In the wake of the recent WannaCry attack, I thought it would be prudent to update that blog and talk about what concepts have both changed and remained the same in the world of ransomware during the previous year. Obviously, the big threat on everyone’s mind right now is WannaCry, so let’s start there.
Backups – It is critical for organizations to have a consistent, tested disaster recovery plan that includes solid backups. This remains true concerning WannaCry. Optiv does not recommend paying the ransom; therefore, from a recovery perspective, companies must have tested, functional backups.
- Provides easy recovery from ransomware attacks – wipe the infected system and restore from backup.
- Test backups at regular intervals to make sure data is valid and useful.
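One way to make the "test backups at regular intervals" step concrete is to record a hash manifest when a backup set is written and check a test restore against it. The script below is an added example, not code from the original post or from Optiv; the backup and restore paths are assumptions, and it requires PowerShell 4 or later for `Get-FileHash`.

```powershell
# Added example (not from the original post): build a SHA-256 manifest for a
# backup set, then verify a restored copy against it during a scheduled restore
# test. All paths below are assumptions for illustration.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Store relative paths so the manifest is portable to wherever the restore
    # test lands; resolve the root so relative input paths work too.
    $root = (Resolve-Path -Path $BackupRoot).ProviderPath.TrimEnd('\')
    $rows = @(Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    $rows | Export-Csv -Path $ManifestPath -NoTypeInformation
    return $rows.Count
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [string] $RestoreRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    # Emit one record per file that is missing or does not hash-match; an
    # empty result means the restore reproduced the backup byte for byte.
    $failures = foreach ($row in Import-Csv -Path $ManifestPath) {
        $target = Join-Path -Path $RestoreRoot -ChildPath $row.RelativePath
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ Path = $row.RelativePath; Problem = 'missing' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        if ($actual -ne $row.Sha256) {
            [pscustomobject]@{ Path = $row.RelativePath; Problem = 'hash mismatch' }
        }
    }
    return @($failures)
}

# Usage (assumed paths): build the manifest when the backup is taken ...
$manifest = 'D:\Backups\FileServer\2017-05-15.manifest.csv'
$total = New-BackupManifest -BackupRoot 'D:\Backups\FileServer\2017-05-15' -ManifestPath $manifest

# ... and check a test restore against it later, treating any discrepancy as a failed backup.
$problems = @(Test-BackupRestore -RestoreRoot 'E:\RestoreTest\FileServer' -ManifestPath $manifest)
if ($problems.Count -gt 0) {
    $problems | Format-Table -AutoSize
    Write-Warning "Restore test FAILED: $($problems.Count) of $total files missing or altered"
} else {
    Write-Host "Restore test passed: $total files verified"
}
```

Keep the manifest somewhere the backup share cannot reach (offline or on a separate system). If ransomware encrypts the backup volume it will encrypt a manifest stored alongside it, and the comparison then proves nothing.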
Patch – Instead of restricting this recommendation to strictly Flash and Java, we’ll just leave it at patch. WannaCry harnessing the ETERNALBLUE exploit for propagation reinforces the fact that malware developers are actively seeking new methods of infecting systems and not just sticking to tried-and-true methods.
- There are myriad attack surfaces in an environment.
- Be sure systems are always up-to-date and patched to the latest version of the operating system and software.
- If possible, remove commonly vulnerable programs like Flash and Java from the environment.
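ETERNALBLUE targets the SMBv1 server, so the patch recommendation above has a concrete, checkable form on Windows: confirm the relevant update is installed and that SMBv1 is off. The script below is an added example and is not from the original post or from Optiv. The KB identifier is a placeholder because the update number differs per Windows build; look it up for each version you run. It needs an elevated session on Windows 8 / Server 2012 or later (`Get-SmbServerConfiguration` is not available on older versions).

```powershell
# Added example (not from the original post): report a host's SMBv1 exposure
# and, once legacy dependencies are ruled out, turn SMBv1 off. Run elevated.

function Get-Smb1Exposure {
    param(
        # Placeholder: substitute the update ID for this Windows build.
        [string] $RequiredKb = 'KB<placeholder-update-id-for-this-build>'
    )
    $smb     = Get-SmbServerConfiguration            # Windows 8 / Server 2012+
    $hotfix  = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # AuditSmb1Access only exists on Windows 10 / Server 2016 and later; it logs
    # which clients still speak SMBv1 to Microsoft-Windows-SMBServer/Audit.
    $audit = if ($smb.PSObject.Properties['AuditSmb1Access']) { $smb.AuditSmb1Access } else { 'n/a (pre-2016)' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $smb.EnableSMB1Protocol
        Smb1FeatureEnabled = ($null -ne $feature -and $feature.State -eq 'Enabled')
        UpdateInstalled    = [bool] $hotfix
        Smb1AuditEnabled   = $audit
    }
}

function Disable-Smb1 {
    # Server side first (the side a worm connects to), then the feature itself
    # so the driver is gone. Devices that only speak SMBv1 (old NAS units,
    # printers, scanners) stop working: review the audit log before doing this.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # On Server editions the equivalent is Remove-WindowsFeature FS-SMB1.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

$state = Get-Smb1Exposure
$state | Format-List
if ($state.Smb1ServerEnabled -or -not $state.UpdateInstalled) {
    Write-Warning "$($state.ComputerName): SMBv1 still reachable or update missing; patch, then run Disable-Smb1."
}
```

Run `Get-Smb1Exposure` across the fleet (for example through `Invoke-Command`) before `Disable-Smb1`, and on 2016-era hosts turn on `Set-SmbServerConfiguration -AuditSmb1Access $true` for a week first so the legacy clients that will break are known in advance rather than discovered by the help desk.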
Endpoint Monitoring – Tools that give a team visibility into the behavior occurring on the endpoint are tremendously useful in combating ransomware. This is even more critical with threats like WannaCry. Visibility into activity on an endpoint can help incident responders and threat hunters stop attacks before they become incidents.
- Due to the rapidly changing nature of ransomware infections, organizations must have multi-faceted endpoint protection.
- Endpoint monitoring solutions allow visibility into processes and network traffic running on endpoints.
- Endpoint monitoring solutions can block rogue processes pending further verification.
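Where a full endpoint monitoring product is not yet in place, the native Windows process-creation audit gives a usable subset of the visibility described above. The hunt below is an added example, not code from the original post or from Optiv: it reads Security event 4688 and lists processes started from user-writable locations, which is where most ransomware droppers and downloaded payloads first execute. It assumes "Audit Process Creation" is enabled; turning on "Include command line in process creation events" adds the command line column, which is otherwise empty.

```powershell
# Added example (not from the original post): triage list of process starts
# from user-writable paths, built from Security event ID 4688. The path
# patterns are an assumed starting list; extend them for your environment.

function Find-SuspiciousProcessStarts {
    param(
        [int] $Hours = 24,
        [string[]] $WritablePathPatterns = @(
            '\\Users\\[^\\]+\\AppData\\',     # per-user AppData (Local, Roaming, Temp)
            '\\Users\\[^\\]+\\Downloads\\',
            '\\Users\\Public\\',
            '\\ProgramData\\',
            '\\Windows\\Temp\\'
        )
    )
    $since   = (Get-Date).AddHours(-$Hours)
    $pattern = $WritablePathPatterns -join '|'
    $events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                            -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read fields by name from the event XML instead of relying on
        # positional Properties indexes, which differ between Windows versions.
        $data = @{}
        foreach ($d in ([xml] $e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['NewProcessName'] -match $pattern) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']   # populated on Windows 10 / 2016+
                CommandLine = $data['CommandLine']         # populated only with command line auditing
            }
        }
    }
}

Find-SuspiciousProcessStarts -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Treat the output as a triage list rather than an alert: browsers, collaboration clients and updaters legitimately run from AppData, so the useful signal is a process there that has no known installer behind it, or an Office application as the parent of something in Temp.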
AppLocker and Software Restriction GPOs – A low-cost and effective way to restrict malware (not just ransomware) from running on systems is AppLocker and associated software restriction GPOs.
- Full documentation is available from Microsoft and is completely free.
- Features are similar to the software restriction policies of previous Windows versions.
- AppLocker is a more robust tool that provides more granular control over program execution.
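The following is an added example of the kind of policy the section above describes; it is not from the original post or from Optiv. It defines an AppLocker executable rule collection that allows programs to run only from the Windows and Program Files directories (with the user-writable folders inside Windows excepted), leaves administrators unrestricted, and starts in audit mode so the AppLocker event log can be reviewed before enforcement. The rule GUIDs are arbitrary and the test file path is an assumption.

```powershell
# Added example (not from the original post): minimal AppLocker EXE policy,
# written in audit mode first. Requires an elevated session.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <!-- Carve out user-writable folders under %WINDIR% that the allow would otherwise cover -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow local Administrators"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path -Path $env:TEMP -ChildPath 'applocker-exe.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run against a stand-in file in a user-writable location (assumed path):
# the result should show it as Denied for Everyone once the policy is enforced.
$testExe = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Temp\update.exe'
New-Item -ItemType File -Path $testExe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testExe -User Everyone

# AppLocker enforces nothing unless the Application Identity service runs.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply locally (use -Merge to keep existing rules; use Group Policy for the fleet),
# then save the effective policy for the change record.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath (Join-Path $env:TEMP 'applocker-effective.xml')
```

Leave the collection in `AuditOnly` long enough to see what the 8003 "would have been blocked" events in the AppLocker log hit, add rules for legitimate software that runs outside the allowed paths, and only then change `EnforcementMode` to `Enabled`. Script, MSI and DLL collections can be added the same way once the executable rules are stable.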
Email Filtering – Filtering extensions in email will stop a lot of malware attacks in their tracks. WannaCry is an exception to many ransomware campaigns in that it uses an external exploit tool to propagate through networks and infect systems. Future versions of WannaCry, however, may use email delivery as an infection vector. Current ransomware campaigns like Locky are actively using email as an infection vector, so it never hurts to be prepared.
- Optiv recommends blocking executable and zip file attachments, and filtering all other attachments for manual review.
- It is safer to block attachments and use a secure transfer option than to allow attachments that may harbor malicious software.
Cloud Access Security Broker (CASB) – CASBs are a helpful way to block traffic calling home to ransomware command and control servers. This applies to WannaCry as well, as sinkholing the command and control domain will prevent encryption.
- Protects against more than just ransomware including traditional malware, botnets, etc.
Security Awareness Training – In the long run, it doesn’t matter what tools are implemented if a user is actively clicking on malicious attachments or taking actions that violate the acceptable use policy for a network. While WannaCry did not harness traditional methods of exploiting the human factor to propagate, future versions may do so.
- Security awareness training is an effective method of reducing the susceptibility of humans to ransomware campaigns.
- Companies should include how to spot phishing attempts, user-created vulnerabilities, and how to spot malicious downloads as part of their training courses.
WannaCry is an outlier compared to traditional ransomware. Its propagation methods are a sign of things to come, though, so companies must understand their environments and the capabilities of their staff. The items covered in this post are very high-level recommendations but should provide a starting point for protecting against ransomware. However, the best defense is planning, preparation and effective controls—having a solid cyber security program in place and actively monitoring and adapting as threats evolve.