WannaCry (WCRY) is ransomware and a serious threat to businesses: malware that encrypts the important files on a victim's computer and demands payment before access is restored. Ransomware operators typically trick victims into opening malicious attachments to spam emails that appear to contain invoices, job offers, security warnings and other legitimate files; WannaCry additionally spread by itself across networks by exploiting the SMB vulnerability fixed in MS17-010, so it also reached machines whose users never opened anything. The ransomware encrypted data on infected computers and demanded payments of $300 to $600 to restore access.
Best Practices that can be followed by users
- Be careful when clicking links in emails and do not open attachments from unknown senders. PDF, Word, Excel, PowerPoint, ZIP and RAR files are the most common carriers of ransomware.
- Ensure automatic updates are enabled on all systems. Install Microsoft security update MS17-010, which fixes the SMBv1 vulnerability WannaCry exploits to spread; where SMBv1 is not needed, disable it as well, since the patch closes only this one hole in a legacy protocol. Ref: https://technet.microsoft.com/library/security/MS17-010
- Ensure every system runs a current antivirus product with up-to-date signatures.
- Keep backups of your important files, and keep at least one copy offline or otherwise disconnected from the computer: ransomware also encrypts files on attached drives and on any mapped network share it can write to.
- Do not download software from unknown or untrusted sites.
- Do not log on as "Administrator" (or any other account with administrative rights) for regular daily use.
- Do not connect to unknown Wi-Fi networks, and turn Wi-Fi off when it is not needed.
- Avoid using unknown USB drives; they may contain malware.
- Disable macros in Microsoft Office products, or at least block macros in files downloaded from the Internet or received as email attachments.
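The following script, added here as an example and not part of the original advisory, applies the update, SMB and macro items above on a single Windows 10 / Server 2016 (or later) machine. It assumes an elevated PowerShell 5 prompt, that the Office registry version key is 16.0 (Office 2016/2019/365) and that Word, Excel and PowerPoint are the applications to cover; adjust these for your installation.

```powershell
# Added example, not from the original advisory: local hardening for one workstation.
# Assumptions: elevated PowerShell 5.x, Office policy key version "16.0", and the
# application list below. Run once and review the summary object at the end.
#Requires -RunAsAdministrator

# 1. Make sure the Windows Update service is running and starts automatically, so
#    MS17-010 (and later SMB fixes) actually get installed.
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv

# 2. The WannaCry worm component exploited SMBv1. The patch closes the hole; turning
#    the legacy protocol off removes the attack surface entirely.
#    (Get/Set-SmbServerConfiguration exist on Windows 8 / Server 2012 and later.)
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Disable Office macros through the same registry values Group Policy writes.
#    VBAWarnings = 4 means "disable all macros without notification";
#    blockcontentexecutionfromInternet = 1 blocks macros in files carrying the
#    Mark-of-the-Web (downloaded files and email attachments).
$officeApps = 'Word', 'Excel', 'PowerPoint'   # assumption: the apps in use
foreach ($app in $officeApps) {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $policy -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'VBAWarnings' `
        -PropertyType DWord -Value 4 -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'blockcontentexecutionfromInternet' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 4. Summary: confirm the settings took effect before trusting them.
[pscustomobject]@{
    UpdateService = (Get-Service -Name wuauserv).Status
    SMB1Enabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
    WordMacros    = (Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security").VBAWarnings
}
```

The macro settings are written under the current user's policy hive, so run the script as the user whose Office profile should be locked down, or deploy the same values with Group Policy for the whole domain. The SMBv1 change affects inbound file sharing from very old clients (Windows XP / Server 2003), which is exactly the population WannaCry hit hardest.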
Best Practices that can be followed by Organizations in their Network
- Conduct periodic penetration tests of applications and the network to identify and remediate vulnerabilities.
- Develop, institute and practice employee security awareness programs for identifying scams, malicious links, and attempted social engineering.
- Lock down mapped network drives with authentication and access-control restrictions. Grant read-only access to files on network drives unless write access is absolutely necessary: ransomware runs with the permissions of the logged-on user, so restricting user permissions limits which files it can encrypt.
- Publish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records for your domain. Together they let receiving mail servers detect email that spoofs your domain, a technique most ransomware campaigns use to reach corporate mailboxes; enforce the same checks on your inbound mail so spoofed messages are rejected rather than merely flagged.
- Restrict execution of PowerShell and WScript (Windows Script Host) in the enterprise environment. Where PowerShell is needed, ensure the latest version (v5.0 at the time of writing) is installed with enhanced logging enabled: module logging, script block logging and transcription. Send the resulting logs to a centralized log repository for monitoring and analysis.
- Isolate NetBIOS and SMB traffic (UDP ports 137 and 138, TCP ports 139 and 445) inside the organization's network, and do not expose these ports to the outside world on the perimeter firewall; WannaCry's worm component spreads over SMB on TCP port 445.
- Deploy web and email filters on the network. Configure them to check for known-bad domains, sources and addresses and to block these before messages are received or files downloaded. Scan all emails, attachments and downloads with a reputable antivirus solution both at the mail gateway and on the host.
- The malware uses Tor (The Onion Router) hidden services for its command-and-control (C&C) connection. Monitor encrypted traffic from the internal network to the Internet at the perimeter devices, and alert on connections to known Tor relays from hosts that have no business reason to use Tor.
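The next script is an added example, not code from the original advisory, showing the host-side form of three of the items above: PowerShell logging, isolation of the NetBIOS/SMB ports, and read-only share permissions. It assumes an elevated PowerShell 5 prompt on Windows 10 / Server 2016 or later; the transcript share `\\logsrv\pstranscripts`, the share name `Finance` and the group names `CORP\Domain Users` and `CORP\Finance-Editors` are placeholders.

```powershell
# Added example, not from the original advisory. Placeholders: \\logsrv\pstranscripts,
# share "Finance", groups CORP\Domain Users and CORP\Finance-Editors.
#Requires -RunAsAdministrator

# --- 1. PowerShell logging: module logging, script block logging, transcription ---
# These registry values are the ones the corresponding Group Policy settings write,
# so this is the per-host equivalent of deploying that GPO.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging `
    -PropertyType DWord -Value 1 -Force | Out-Null

New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' `
    -PropertyType String -Value '*' -Force | Out-Null       # log every module

New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory `
    -PropertyType String -Value '\\logsrv\pstranscripts' -Force | Out-Null
# Script block events are written to Microsoft-Windows-PowerShell/Operational as
# event ID 4104; forward that channel (e.g. with Windows Event Forwarding) to the
# central log repository. Give users write-only access to the transcript share so
# an attacker on the host cannot read or delete earlier transcripts.

# --- 2. Isolate NetBIOS/SMB: block inbound 137/138 UDP and 139/445 TCP ---
# Applied to the Public profile only, so domain-joined hosts on the corporate LAN
# still reach file servers. The perimeter firewall must block the same ports.
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137,138)' `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Public
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445)' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Public

# --- 3. Mapped network drive: read-only for everyone, write for one small group ---
# Ransomware running as a user can only encrypt what that user can write, so the
# share grants Read to the people who need the data and Change to a few editors.
# Share permissions combine with NTFS permissions; the more restrictive one wins,
# so keep the NTFS ACL at least this tight as well.
Revoke-SmbShareAccess -Name 'Finance' -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name 'Finance' -AccountName 'CORP\Domain Users'    -AccessRight Read   -Force
Grant-SmbShareAccess  -Name 'Finance' -AccountName 'CORP\Finance-Editors' -AccessRight Change -Force
Get-SmbShareAccess    -Name 'Finance'
```

Run the share-permission section on the file server itself; the logging and firewall sections belong on every managed workstation and are better pushed by Group Policy than run by hand.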
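The email-authentication item above is easy to get half right: SPF with `+all`, or DMARC with `p=none`, looks like a deployment but blocks nothing. The function below, an added example and not part of the original advisory, audits a domain's SPF, DKIM and DMARC TXT records for those weak settings. Records can be passed in directly (the calls at the end use constructed sample records for `example.com`, so the script runs offline) or looked up with `Resolve-DnsName` (Windows 8 / Server 2012 and later). The DKIM selector name is provider-specific; `selector1` is an assumption.

```powershell
# Added example, not from the original advisory. Sample records below are constructed;
# "selector1" is an assumed DKIM selector.
function Test-EmailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string]   $DkimSelector = 'selector1',
        [string[]] $SpfTxt,     # pass records explicitly for offline tests ...
        [string[]] $DmarcTxt,
        [string[]] $DkimTxt
    )
    # ... otherwise look them up. TXT records over 255 bytes arrive split into several
    # strings, so each record is joined back into one string before parsing.
    function Get-Txt([string] $Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
    }
    if (-not $PSBoundParameters.ContainsKey('SpfTxt'))   { $SpfTxt   = @(Get-Txt $Domain) }
    if (-not $PSBoundParameters.ContainsKey('DmarcTxt')) { $DmarcTxt = @(Get-Txt "_dmarc.$Domain") }
    if (-not $PSBoundParameters.ContainsKey('DkimTxt'))  { $DkimTxt  = @(Get-Txt "$DkimSelector._domainkey.$Domain") }

    $findings = @()

    # SPF: exactly one v=spf1 record, ending in -all (fail) or at least ~all (softfail).
    $spf = @($SpfTxt | Where-Object { $_ -match '^v=spf1' })
    if     ($spf.Count -ne 1)       { $findings += "SPF: expected 1 v=spf1 record, found $($spf.Count)" }
    elseif ($spf[0] -match '\+all') { $findings += "SPF: '+all' authorises every sender on earth; use -all" }
    elseif ($spf[0] -match '\?all') { $findings += "SPF: '?all' is neutral and enforces nothing; use -all" }

    # DKIM: a public key must be published at <selector>._domainkey.<domain>.
    if (-not ($DkimTxt -match 'v=DKIM1')) { $findings += "DKIM: no key at $DkimSelector._domainkey.$Domain" }

    # DMARC: p=none only reports; spoofed mail is still delivered.
    $dmarc = @($DmarcTxt | Where-Object { $_ -match '^v=DMARC1' })
    if     ($dmarc.Count -eq 0)         { $findings += 'DMARC: no _dmarc record published' }
    elseif ($dmarc[0] -match 'p=none')  { $findings += 'DMARC: p=none does not block spoofed mail; move to p=quarantine, then p=reject' }
    elseif ($dmarc[0] -notmatch 'rua=') { $findings += 'DMARC: no rua= address, so you get no aggregate reports' }

    [pscustomobject]@{ Domain = $Domain; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample 1: a typical half-finished deployment. Expected: Pass = False,
# with findings for '+all', the missing DKIM key and p=none.
Test-EmailAuthRecords -Domain 'example.com' `
    -SpfTxt   @('v=spf1 include:_spf.mail.example.net +all') `
    -DmarcTxt @('v=DMARC1; p=none; rua=mailto:dmarc@example.com') `
    -DkimTxt  @()

# Constructed sample 2: the hardened records. Expected: Pass = True.
Test-EmailAuthRecords -Domain 'example.com' `
    -SpfTxt   @('v=spf1 include:_spf.mail.example.net -all') `
    -DmarcTxt @('v=DMARC1; p=reject; rua=mailto:dmarc@example.com') `
    -DkimTxt  @('v=DKIM1; k=rsa; p=SAMPLEPUBLICKEYBASE64')   # constructed, not a real key

# Live check of your own domain (network access required):
# Test-EmailAuthRecords -Domain 'yourdomain.example' -DkimSelector 'selector1'
```

Moving DMARC from `p=none` to `p=reject` is what actually stops spoofed mail, but do it only after the aggregate reports (`rua=`) show that every legitimate sending system passes SPF or DKIM; otherwise the policy rejects your own mail first.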