Global Outbreak Of WannaCry Ransomware: How to Protect Your Organization

13/05/2017 17:14:35
On 12 May 2017 a new ransomware family, WannaCry (also reported as WannaCrypt or WanaCrypt0r), infected systems in some 99 countries, hitting governments, schools, hospitals and other sectors.
Event Description
WannaCry spreads by exploiting a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144) with the "EternalBlue" exploit, which was developed by the NSA and leaked by the Shadow Brokers group in April 2017. Microsoft fixed the vulnerability in security bulletin MS17-010, released on 14 March 2017. The exploit is delivered over SMB on TCP port 445.

Microsoft had therefore already released a patch two months earlier, but many computers have not installed it yet, which is why the worm has spread so widely.

After a system has been infected, it displays a ransom note (the screenshot is not reproduced here).
Many institutions are already affected. Once running, the malware encrypts the user's documents and other data files, appends the .WNCRY extension and demands a Bitcoin ransom for the decryption key. There is currently no way to recover the files without that key, and paying does not guarantee recovery. Unlike most ransomware, WannaCry then scans the local network and the internet for other hosts with port 445 open and infects them without any user interaction.
Vulnerability Introduction
WannaCry takes advantage of a Remote Code Execution (RCE) vulnerability in the part of Windows that shares files over the network, the SMB (Server Message Block) service, specifically in the legacy SMBv1 protocol. The exploit for it, "EternalBlue", was developed by the NSA and leaked publicly; it lets an attacker who can reach TCP port 445 on an unpatched Windows system run code with SYSTEM privileges, without valid credentials or any user interaction.

For your information, TCP port 445 carries SMB traffic on every Windows version since Windows 2000, workstations as well as servers; it is the port Windows uses for file and printer sharing on a LAN. WannaCry connects to this port on each target and sends the crafted SMB packets that trigger the vulnerability; it does not need to log in.
Which Systems Are Vulnerable?
1. Any workstation or server running Windows Vista through Windows 10, or Windows Server 2008 through Windows Server 2016, that has not installed the MS17-010 update and has SMB reachable on TCP port 445. Verify whether MS17-010 (or a later cumulative update that includes it) is installed; if not, patch as soon as possible, since the system is exposed to this worm.

2. Systems running Windows XP, Windows 8 or Windows Server 2003, which are out of mainstream support, are vulnerable whenever SMB is reachable. Microsoft has released an out-of-band update (KB4012598) for these versions; where it cannot be applied, disable SMBv1 and block port 445.
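To find out which of your systems fall into these two groups, the following PowerShell inventory check is added here as an example; it is not part of the original article and not Sangfor code. It reports whether an MS17-010 hotfix is present, whether the SMBv1 server is enabled and whether TCP 445 is listening. The KB list is taken from the MS17-010 bulletin and the May 2017 out-of-band release; later monthly rollups and cumulative updates supersede those KBs, so a missing KB is a prompt to check the update history, not proof of exposure.

```powershell
# Added example (not from the original article, not Sangfor code):
# inventory one Windows host for WannaCry / MS17-010 exposure.
# Run in an elevated PowerShell prompt; works on Windows 7 and later.

# KB numbers from the MS17-010 bulletin (March 2017) plus the out-of-band
# May 2017 update for unsupported versions.
$ms17010Kbs = @(
    'KB4012598',              # Vista, Server 2008; also XP, 8, Server 2003 (out-of-band)
    'KB4012212', 'KB4012215', # Windows 7, Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012213', 'KB4012216', # Windows 8.1, Server 2012 R2
    'KB4012606', 'KB4013198', # Windows 10 1507 / 1511 cumulative
    'KB4013429'               # Windows 10 1607, Server 2016 cumulative
)

function Test-Ms17010Patch {
    $hotfixes  = Get-HotFix
    $installed = $hotfixes | Select-Object -ExpandProperty HotFixID
    $found     = @($ms17010Kbs | Where-Object { $installed -contains $_ })
    # Later rollups supersede the March KBs, so also count security updates installed since then.
    $since = @($hotfixes | Where-Object {
        $_.InstalledOn -ge [datetime]'2017-03-14' -and $_.Description -match 'Security'
    })
    if ($found.Count -gt 0) {
        $detail = "found: $($found -join ', ')"
    } else {
        $detail = "no MS17-010 KB listed; $($since.Count) security update(s) installed since 14 March 2017 - confirm they supersede MS17-010"
    }
    [pscustomobject]@{ Check = 'MS17-010 installed'; Result = ($found.Count -gt 0); Detail = $detail }
}

function Test-Smb1Disabled {
    # Registry check works on every version; an absent value means SMBv1 is enabled (the default).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $enabled = ($null -eq $value) -or ($value -ne 0)
    if ($null -eq $value) { $detail = 'SMB1 value absent: protocol enabled by default' } else { $detail = "SMB1 = $value" }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Result = (-not $enabled); Detail = $detail }
}

function Test-Port445Closed {
    # netstat is available everywhere; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
    $listening = netstat -ano -p tcp | Select-String ':445\s+\S+\s+LISTENING'
    if ($listening) { $detail = 'SMB reachable on TCP 445: patch it or firewall it' } else { $detail = 'not listening' }
    [pscustomobject]@{ Check = 'TCP 445 not listening'; Result = (-not [bool]$listening); Detail = $detail }
}

$results = @(
    Test-Ms17010Patch
    Test-Smb1Disabled
    Test-Port445Closed
)
$results | Format-Table -AutoSize
```

Any row with Result False needs attention: a host that is unpatched, still speaks SMBv1 and listens on 445 is exactly what WannaCry looks for. Run the check across the estate (for example through PowerShell remoting or as a logon script) rather than on one machine.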
How To Protect Your Organization
1. Update your Windows systems and apply the Microsoft MS17-010 update to fix this vulnerability. Use Windows automatic update, or download the update for your version from the links below:
Windows Vista, Windows Server 2008
Windows 7, Windows Server 2008 R2
Windows 8.1, Windows Server 2012 R2
Windows RT 8.1
Windows Server 2012
Windows 10 and Windows Server 2016 receive the fix as part of their March 2017 (or later) cumulative update.

2. For Windows XP and Windows Server 2003, install the out-of-band update KB4012598 that Microsoft has released for these otherwise unsupported versions. Where that is not possible, block TCP port 445 at the host firewall and at network boundaries, and prohibit SMB access to these machines.

3. Sangfor added protection against this SMB vulnerability to NGAF more than four weeks ago. Sangfor NGAF users are advised to update all security signature libraries to the latest version to protect your organization.

4. Back up all important data and systems regularly, and keep at least one copy offline where a worm that reaches the network cannot encrypt it!
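Where MS17-010 cannot be installed yet, steps 1 and 2 above come down to disabling SMBv1 and blocking inbound port 445 on the host. The script below is an added example of doing that, not code from the original article or from Sangfor; the SMBv1 steps follow Microsoft's documented procedure (KB2696547). Two caveats: file servers and domain controllers must keep 445 open for their clients, so block the port on workstations and at the network edge and patch the servers instead; and Windows XP and Server 2003 have no SMBv2, so on them disabling SMBv1 disables file sharing entirely, which is why the article recommends blocking the port there.

```powershell
# Added example (not from the original article, not Sangfor code):
# disable SMBv1 and block inbound TCP 445 on a Windows host that cannot be
# patched immediately. Run in an elevated PowerShell prompt.
# Do not run this on file servers or domain controllers: blocking 445 there
# breaks file sharing and Group Policy for every client. Patch those hosts.

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows Vista / 7 / Server 2008 / 2008 R2: registry switch (KB2696547), takes effect after a reboot
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Disable-Smb1Client {
    # Remove the SMBv1 redirector (mrxsmb10) from the workstation service's dependencies and disable it,
    # so this host also stops initiating SMBv1 connections to others (KB2696547).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    $name = 'Block inbound SMB (TCP 445) - WannaCry mitigation'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later; skip if the rule already exists
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block | Out-Null
        }
    } else {
        # Windows 7 and earlier
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

Disable-Smb1Server
Disable-Smb1Client
Block-InboundSmb
Write-Host 'SMBv1 disabled and inbound TCP 445 blocked. Reboot to complete the change on Windows 7 / Server 2008 R2.'
```

Disabling SMBv1 is worth keeping even after patching, since EternalBlue targets only that protocol version and modern Windows clients negotiate SMBv2 or SMBv3; the firewall rule is a stop-gap that should be reviewed once MS17-010 is installed.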
Vulnerability Detection
Threats continuously emerge and evolve. Make sure that your organization is safe by requesting a FREE security assessment of your network.
What is Ransomware?
Ransomware is malicious software that encrypts your files (or locks your computer) and demands payment to restore access. Since it first appeared, ransomware has grown at tremendous speed, infecting more and more users, both companies and consumers. It is seriously affecting the productivity and reputation of many companies, and many of them end up paying.

Even if your organization is not protected by a comprehensive network security solution such as Sangfor NGAF, there are still several things you can do to prevent an infection or at least limit the damage.

1. Back Up Your Data
Regular backups help not only against ransomware but whenever your computer or network fails. Keep them on an external drive (ideally encrypted) that is disconnected when not in use, so that ransomware running on the computer cannot reach it; a permanently connected or mapped backup drive is just one more volume for it to encrypt.

2. Show File Extensions
By default, Windows hides the extensions of known file types, so a file named "FILE.PDF.EXE" is displayed as "FILE.PDF" and looks like a document. Cyber-criminals know this and disguise executables under such names. Turn off "Hide extensions for known file types" in Explorer and suspicious files become easy to spot.

3. Make Sure Your Computer Is Up to Date
Many cyber-criminals rely on known vulnerabilities in outdated software to get into a computer. Update all your software regularly, including the operating system, and where possible let updates install automatically.

4. Keep System Restore Enabled
Enable System Restore (on Windows) wherever possible; it may let you roll the system back to a state before the infection. Do not rely on it alone: many ransomware families, WannaCry included, delete Volume Shadow Copies and restore points as one of their first actions, so an offline backup remains essential.

5. Disable Remote Desktop Protocol (RDP)
Cyber-criminals may get into a computer through Remote Desktop Protocol (RDP), the Windows feature that lets others access your desktop (for technical support and similar uses). If your company does not use it, disable it.

6. Be Quick: Disconnect From the Network
If you suspect that a computer has just been infected, for example after opening a suspicious file, disconnect it from the network IMMEDIATELY by turning off Wi-Fi and/or unplugging the LAN cable. For WannaCry this matters mostly because the worm spreads from the infected machine to every reachable host with port 445 open; the local encryption does not depend on the C&C server and may continue, but isolating the host protects the rest of the network and, if you are quick, may save part of the files.

7. Filter Executable Attachments in Email
If your company has an email gateway scanner that can filter attachments by extension, block executables such as .EXE (and ideally other executable or script formats such as .SCR, .JS and .VBS, including inside archives), since legitimate business email very rarely carries them.

8. Use Reputable Anti-virus, Anti-malware and Firewall Solutions
Even though this protects only the individual computer, it is always worth having a good anti-virus, anti-malware and firewall solution installed to identify and stop threats. Many free options are available; if you have none at the moment, install one now!

9. Disable Macros in Microsoft Office Files
Microsoft Office documents can contain macros, embedded code written in VBA, and such code is a common delivery vehicle for malware, including ransomware. Disable macros, or at least macros in documents received from the internet, unless your business genuinely needs them.

10. Last but Not Least, Educate Your Users!
All of the above advice is only useful if every employee in the company follows it. That is why IT managers must make sure that everyone knows the risks of ransomware, what it can do, and how to prevent it or at least limit the damage.
How Sangfor NGAF Can Help You!
Below are the main tools integrated in Sangfor NGAF that can help prevent your organization from being affected by ransomware.

Sangfor NGAF is the world's first fully integrated NGFW (Next Generation Firewall) + WAF (Web Application Firewall). It provides comprehensive network security protection against current, emerging and future threats.

Anti-Phishing: sends out alerts on suspicious emails that could bring in ransomware.

Anti-Virus: removes known ransomware, matched against more than one million signatures in the Sangfor database.

Sandboxing: detects and blocks new and emerging ransomware through cloud-based threat analysis.

Anti-Malware: damage remediation - keeps ransomware from spreading across the corporate network and can even block the encryption process.
