WannaCry Ransomware? What It Is, and How To Be Safe

The global spread of the WannaCry ransomware, and the publicity that followed it, have prompted many questions from clients: "Are we protected?" and "What can we do to make sure we don't get this?"

What's Ransomware?

I'll start with some background. WannaCry, or WannaCrypt as it is also known, is a malware program in the ransomware family. Ransomware itself isn't new; various forms of it (CryptoLocker, CryptoWall, etc.) have been in the wild for several years (see my post about ransomware from 2013). Ransomware works by encrypting your files and then demanding payment for the key needed to decrypt them.

In the past, most of these programs spread as email attachments. The email used social engineering to make you think you had received an important communication, for example from a bank or a delivery company, and once you opened the attachment your computer was infected. The ransomware program then searches the computer for files it can encrypt and works through them in the background. Once it has encrypted everything it can reach, it pops up a notice demanding payment to give you back access to your now-encrypted files.

WannaCry and EternalBlue - which is which?

What made the WannaCry outbreak different from earlier ones was how it spread. It used an exploit called EternalBlue, allegedly developed by the NSA (they won't confirm or deny, of course) and leaked online in April 2017. EternalBlue takes advantage of a flaw in the SMBv1 file-sharing protocol in Windows (the vulnerability Microsoft tracks as MS17-010) and lets an attacker run code on an unpatched machine over the network, with no user involvement at all. WannaCry bundled that exploit with a worm component that scanned for other reachable Windows machines, so it spread from one infected computer to the next on its own; that is how it reached most of its victims. Microsoft became aware of the vulnerability before the leak and issued a patch on March 14, 2017. Any supported Windows computer that installed security updates after March 14 was not vulnerable to EternalBlue (though it could still have been infected with WannaCry through other means, such as an email attachment). Windows XP and Server 2003 were already out of support and did not receive that patch until Microsoft released an emergency update after the outbreak began. Put simply: EternalBlue was the delivery mechanism, and WannaCry was the payload, the part that actually did the encrypting.

How To Protect Against Ransomware

Protecting against malware is a constant effort that requires a multiple-layer approach. No "silver bullet" guarantees absolute protection, but each of the following layers reduces the odds that you are victimized, and limits the damage if you are.

Backup, backup, backup. Let's start with the worst-case scenario: what happens if you get hit with ransomware? The best defense once you are affected is a solid backup strategy. We recommend one that includes onsite and offsite backups, including continuous backups of changed files to the cloud. This is what we have in place for the majority of our Managed IT clients' servers, and it has proven highly effective when we have needed to recover from a ransomware attack. (As much as we try to avoid it, sometimes you can't prevent people from clicking on malicious programs.) One caveat: a backup the infected user's account can write to (a mapped backup drive, an always-connected USB disk) can be encrypted right along with the originals, so at least one copy must be offline or kept as versioned snapshots that the ransomware cannot overwrite. This two-pronged backup strategy has allowed us to get our clients back up and running quickly with little to no loss of data, and without having to worry about paying any ransom. We do not recommend paying the ransom. You're dealing with anonymous, dishonest criminals, and there's no guarantee that they'll give you anything after you pay them. Additionally, paying these crooks only ensures we'll keep seeing more of this, because we will have made it profitable for them.

Use up-to-date software and install security patches. Ideally, of course, we want to prevent the infection in the first place. Anyone who installed Windows security updates after March 14 is not vulnerable to the EternalBlue method of spreading the ransomware, but unfortunately many businesses (and individuals) are slow to install security patches. Our patch management process is designed to make sure our clients get their security patches installed every month. On your home devices, run updates regularly when they become available. Two related steps close off this particular attack path even on machines that are late getting a patch: disable the old SMBv1 protocol wherever nothing still depends on it (Microsoft has recommended this for years), and don't let SMB (TCP port 445) in from the internet or from other networks that have no business reaching your file servers. And stop using old, unsupported software like Windows XP and older browsers like IE 6/7/8/9/10.
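Here is a check an administrator can run on a Windows machine to see where it stands on the EternalBlue exposure described above. This is an added example, not part of the original post and not a vendor tool. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or newer (the SmbShare and NetSecurity cmdlets it uses are not present on Windows 7 or XP) and uses the March 14, 2017 patch date from the text as a rough cutoff. The date is only a proxy: a machine updated after it should have MS17-010, but confirm the actual KB for your Windows version against Microsoft's bulletin. The firewall rule name is an assumption; pick one that fits your own naming scheme.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on
# Windows 8.1 / Server 2012 R2 or newer. The cutoff date is Microsoft's MS17-010 release.
$Ms17010ReleaseDate = Get-Date '2017-03-14'

function Get-EternalBluePosture {
    # 1. Most recent installed update. A date after 14 March 2017 suggests MS17-010 is
    #    present, but this is only a proxy: verify the specific KB for this OS build.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # 2. SMBv1 server state. EternalBlue only works against SMBv1, so a machine with
    #    SMBv1 disabled is not exploitable even if the patch is missing.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 3. Inbound exposure of TCP/445, the port SMB (and therefore the worm) uses.
    #    Counts enabled inbound "allow" firewall rules that cover port 445.
    $allow445 = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) -contains '445' -or @($_.LocalPort) -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LatestUpdate         = $latest.HotFixID
        LatestUpdateDate     = $latest.InstalledOn
        UpdatedSinceMs17010  = [bool]($latest -and $latest.InstalledOn -gt $Ms17010ReleaseDate)
        Smb1ServerEnabled    = [bool]$smb1Enabled
        Inbound445AllowRules = @($allow445).Count
    }
}

function Disable-Smb1 {
    # Turn the SMBv1 server off now (takes effect immediately)...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ...and remove the SMBv1 feature entirely so the client side and driver go too.
    # On Windows Server use instead: Remove-WindowsFeature -Name FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Block-Inbound445 {
    # For workstations that do not serve files: block inbound SMB on every profile.
    # The display name is an assumption for this example.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any
}

Get-EternalBluePosture | Format-List
```

Run Get-EternalBluePosture first and look at the three answers together: a machine is only safe from the worm if it is patched, or has SMBv1 off, or cannot be reached on 445. Before calling Disable-Smb1 on a file server, check for legacy devices (old NAS boxes, multifunction printers) that can only talk SMBv1; they will stop working once it is off.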

The Case for Limiting Access Permissions

Ransomware typically runs under the user account of the person who launched it, with exactly the same permissions as that person. If there is a mapped drive to a server that the user has write access to, then the ransomware can encrypt those server files too, not just the local PC that got infected; it doesn't even need the drive letter, any share the account can write to will do. This is one reason we strongly recommend that companies give employees access only to the files and folders they need to do their jobs. Companies subject to HIPAA, PCI DSS, or similar regulations are required to do this, but we recommend that all companies follow the practice.

It isn't just a matter of trusting your employees. Opening up permissions to everything for everyone, even people you trust, increases your exposure in the event that someone's PC is compromised. The same goes for managers and IT administrators. Their everyday user accounts should not have administrative privileges. Everyone should run as a "regular" user and have a separate account with elevated privileges that they log into only when a specific task needs it.
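The mapped-drive point above can be checked on the file server directly. The script below is an added example, not part of the original post: it lists SMB shares on the server where a broad group (Everyone, Authenticated Users, Users, Domain Users) has write access at both the share layer and the NTFS layer, since a user's effective access is the more restrictive of the two, and it lists the members of the local Administrators group so that everyday accounts can be spotted there. It assumes an elevated session on Windows Server 2012 R2 or newer for the share cmdlets and Windows Server 2016 / Windows 10 or newer for Get-LocalGroupMember, and that the list of broad principals is extended with the domain's own catch-all groups.

```powershell
# Added example, not from the original post. Run elevated on the file server.
# Identities that amount to "everyone who can log in". Assumption: add your own
# catch-all groups (for example a domain-wide "Staff" group) to this list.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users'
)

function Test-BroadPrincipal([string]$Account) {
    # Match on the full name ("NT AUTHORITY\Authenticated Users") or on the part
    # after the backslash ("CONTOSO\Domain Users" -> "Domain Users").
    ($BroadPrincipals -contains $Account) -or
    ($BroadPrincipals -contains ($Account -split '\\')[-1])
}

function Get-WideOpenShare {
    # Skip administrative shares (C$, ADMIN$, IPC$); those are already admin-only.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path })) {

        # Share-layer ACEs that give a broad group Change or Full.
        $shareWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            (Test-BroadPrincipal $_.AccountName)
        }

        # NTFS-layer ACEs that give a broad group a right that can change file
        # contents. The pattern is deliberately wide (it also catches WriteAttributes)
        # so that anything questionable is surfaced for human review.
        $ntfsWrite = (Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights.ToString() -match 'FullControl|Modify|Write') -and
            (Test-BroadPrincipal $_.IdentityReference.Value)
        }

        # Effective access is the more restrictive of the two layers, so a share is
        # only "wide open" when both layers allow writing. Ransomware running as any
        # user on such a share can encrypt everything in it.
        if ($shareWrite -and $ntfsWrite) {
            [pscustomobject]@{
                Share           = $share.Name
                Path            = $share.Path
                SharePrincipals = (@($shareWrite.AccountName) -join ', ')
                NtfsPrincipals  = (@($ntfsWrite.IdentityReference.Value | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

function Get-LocalAdminMember {
    # Everyday user accounts should not appear here, only dedicated admin accounts.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-WideOpenShare | Format-Table -AutoSize
Get-LocalAdminMember | Format-Table -AutoSize
```

Every share the first report lists is one that any infected workstation on the network can encrypt in full. The fix is to replace the broad group with a purpose-specific group that contains only the people who actually need to write there, and to grant everyone else Read at most. On a domain, the same review should be repeated for the Domain Admins group, which is where "just give them admin" decisions tend to accumulate.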

Practice Safe Computing. A significant part of computer security consists of safe computing practices by end users: don't open attachments you don't recognize or weren't expecting, don't visit unsafe websites, and so on. Be especially wary of documents sent by email that you weren't expecting, even when they appear to come from someone you know, since a sender's address is easily faked.

Use a good email filter. Within the last year we migrated all of our clients to a new and better email security provider. It provides protection from email-borne attacks such as spam, phishing attempts, and malware attachments before they reach the inbox.

Employ Unified Threat Management (UTM) for your network. The majority of our clients have purchased, at our recommendation, a Meraki security appliance that continuously inspects inbound traffic and blocks anything that matches known virus and malware patterns. It can also block certain categories of web traffic, especially sites that have the potential to spread malware.

Use antivirus software, and keep it up to date. Antivirus software on the PCs themselves is important. It can't catch everything, and "zero-day" threats are always a problem during the window before AV vendors recognize a new threat and ship an update for it, but virus scanning and prevention is still an important layer of protection.

What Else Can We Do?

Security is not an exact science, and there is always more that can be done. It's a balancing act between increasing security and avoiding disruptions and frustrations for users. If we make end users jump through too many hoops in the name of being "secure," we cut into their productivity and tempt them into finding ways to circumvent security (like writing passwords on sticky notes because they are required to change them so often).

Businesses need to strike a balance between "safe within reason" with ease of use on the one hand, and "locked down" with more inconvenience for users on the other. Part of that balance is weighing the likelihood of an attack, and the impact it would have, against the loss of productivity caused by overly restrictive policies. We welcome feedback and input from our clients on what works and what doesn't for them.

As always, if you have concerns, questions, or would like to discuss what is being done and what can be done in your situation, please feel free to contact me anytime.