The ransomware cyber-attack that hit Europe on Friday and has been spreading around the globe has now affected hundreds of thousands of network systems that were left vulnerable to the malicious software. Security experts warn that while the initial attack may have been neutralized, imitation attacks are even now hitting global networks.
The WannaCry software exploited a known Microsoft vulnerability for which there was already a patch in circulation. News reports suggest that relatively few recipients of the malware ransom request paid to get their data back, and that it therefore was not as effective as it might have been. What the individual or individuals behind the attack were counting on was thousands of systems that had not yet installed the fix.
However, because of the way the malicious code was written, we don’t know the attackers’ intent. Was it to try to make some quick money off the low-hanging fruit, was it simply a sloppy attack that was easily stopped, or were they testing the defenses and responses for a future attack that might be far more effective? We don’t know. But what we do know is that just because you haven’t been hit hard by WannaCry doesn’t mean you’re out of the woods. Another imitator could be following closely in this one’s tracks, or a far more sophisticated scheme could be in the works.
There are four steps that every one of our clients needs to know: Patch, Block, Monitor and Plan. Here’s what those mean:
Keep systems up-to-date
Make sure you are up to date across the board with all of your systems. Have your team install the specific Microsoft patch directed at WannaCry and its offshoots, but also make sure that every other patch is installed.
Identify the outbound connections to the ports being exploited and close those down. No internal user should be using those ports for external activity. Also review your inbound ports to close any vulnerabilities there.
Monitor networks and systems
Look closely at your network and systems environment for any suspicious or out-of-the-norm activity. Expect new attackers to regroup and find other exploits as they pivot to maneuver around the fix.
Make sure you are prepared if you do get hit. Take a thorough inventory of your most sensitive and critical data, and have a game plan in place in case something happens.
Finally, if you have any questions or want to talk through this attack, give us a call. Have professionals on your team, like the experts at Dunbar, who are actively tracking these types of events and can provide the support you need to keep you patched and safe. Call Dunbar Cybersecurity at 1-844-552-7028 or visit our website to learn more about our services.