When your CEO says, 

“I need to discuss how the company is protected against ransomware”. 

Here is what you need to do.

 

 

CEO.jpg

I am sure many of you are have received countless emails recently from IT vendors telling you to buy their hardware or software because it is the “best way to protect against ransomware”.  This is all well any good, but right now, you are probably more concerned with what you are going to tell your CEO when he or she asks “What measures do we have in place to protect us against ransomware attacks” or “Are we open to attack?”

Ransomware is one of the fastest growing industries on the planet.  There isn’t a week goes by without talk or somebody being attacked or a new threat emerging.  The reason.  Because it is incredibly profitable for its creators, who are also difficult to trace.  

Ransomware has, and still is, evolving. Like any malicious code, it is often designed to attack the unprepared. 

 

Cryptolocker

Most ransomware attacks use software, such as Cryptolocker, which enters a corporate network attached to an official looking email, addressed to a member of staff.  Often this looks like an invoice or other official document.  Opening the attachment will immediately encrypt the data on the owner’s PC and any attached file servers.   This is swiftly followed by a message saying “pay a ransom in the next few days or your data is gone for good.”  Not a lot of fun and quite scary for the individual and the owners or the company.

 

WannaCry – Ransomware Steps Up a Gear

More recently ransomware has taken a new twist. “WannaCry”, also known as Wcry, WanaDecrypt0r or WannaCryptor works by exploiting a security hole in the Windows operating system. Microsoft issued a patch in March2017, but any systems that haven’t been kept up to date with security patches are vulnerable.  

This doesn’t need human interaction for the infection to occur so, the attack can be much more widespread.  The number of computers that can be infected by this type of ransomware virus can quickly run into hundreds of thousands.  The effect to the user and the target organization is the same.  The user’s system is encrypted and a ransom notice flashes up on their screen. However, the infection can spread to multiple systems in a single organization if systems aren’t patched up to date.

 
 

 

What Can You Tell Your CEO?

This conversation can follow two routes:

  • This is what we have in place.
  • This is what we need to buy.

The second option is likely to be less well received, but it is also a great opportunity to get funding for something you really do need, to protect the organization.

So, let’s look at the measures you can take:

  1. Patch your systems:  This is an easy one, unless you have a lot of systems.  It just involves time.  If you don’t have time, you should suggest that you outsource the patching to an external managed service company, who can manage it for you. 
  2. Invest in some good quality anti-virus software:  Anti-virus software vendors make it their job to protect you against the latest virus strains and will happily tell you if their software protects you against ransomware viruses like WannaCry. This makes it easy to see if your software is up to the job. Again, if you don’t have suitable software, you can sign up for a managed antivirus service so someone else can make sure you are protected.
  3. Check your firewall:  Firewalls are designed to protect against outside attacks.  A recent blog article from SonicWALL, illustrates that they and other vendors are on top of things. Look for similar statements from your firewall vendor. If they can’t provide this, look to your CEO for budget for a replacement.
  4. Update your Backup Software: This may not be as obvious, but this can be your last and best line of defense.  If you assume that you will at some point, get infected, having the ability to recover systems without paying a ransom is quite important.  Modern back up software, that takes regular snapshots throughout the day and has the capability to spin up virtual machines, it the best way to avoid paying a ransom.  The infected system or systems can be isolated, formatted and reimaged from a recent clean backup in a matter of minutes.  Clean virtual machines can also be spin up from the last clean backup, to replace the infected ones. 

This eBook goes into more detail and gives an example of where Abtech was able to recover our client’s main file server in less than an hour with less than 5 minutes of data changes lost. 

 

The Meeting with the CEO – A Happy Ending

Armed with this information you can go into that meeting with the CEO fully prepared.  Making a statement like this:

All our systems are up to date and we have protection through our firewall and antivirus software, but I recommend we invest in a new backup system to ensure we can recover quickly if we are attacked

will reassure your CEO and senior management even if it may cost them some money. 

 

Further Resources and Actions Microsoft Recommend You Take:  

Download English language security updates: Windows Server 2003 SP2 x64,Windows Server 2003 SP2 x86,Windows XP SP2 x64,Windows XP SP3 x86,Windows XP Embedded SP3 x86,Windows 8 x86,Windows 8 x64


Download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Read general information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
Download MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx 

FAQs: 

Where can I find the official guidance from Microsoft? 

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ 

  

Is the update available for Windows 2003 & Windows XP as well? 

Yes. The link for download of the update is available at the end of this article 

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ 

  

Will the update run on unlicensed Windows? 

It is recommended that the update is run on a licensed version. 

 

What about Windows 2003 R2? 

The Windows 2003 update should get applied on Windows 2003 R2 as well.   

 

Will the installation of the patch, prevent the occurrence of ransomware? 

No. Applying MS17-010 is just preventing the malware from spreading, not giving protection against the infection itself. Based on reports, this malware is using Social Engineering to target companies.Please warn your users to not open, click or enable macros on email reception. 

  • The priority is that your anti-virus can detect the malware. 
  • Verify that you have up-to-date signatures, along with patching the Windows systems 
  • Make sure that users have the level of knowledge required to never click on suspicious attachments even if they are displayed with a familiar icon (office or PDF document). Where an attachment opening offers the execution of an application, users must under no circumstances should accept the execution and in doubt, users should you consult and/or consult the administrator. 
  • Implementation of strong filtering in O365: 

http://blogs.msdn.com/b/tzink/archive/2014/04/08/blocking-executable-content-in-Office-365-for-more-aggressive-anti-malware-protection.aspx 

  • Exchange Online Protection 

            http://TechNet.Microsoft.com/en-us/library/jj723164(v=Exchg.150).aspx 

            http://TechNet.Microsoft.com/en-us/library/jj200684(v=Exchg.150).aspx 

            http://TechNet.Microsoft.com/en-us/library/jj723119%28V=Exchg.150%29.aspx 

  

Security tips to Protect against Ransomware 

https://social.technet.microsoft.com/wiki/contents/articles/29787.microsoft-protection-center-security-tips-to-protect-against-ransomware.aspx 

  

Is the ransomware effective only if the user has administrative rights on the client machine? 

No. This piece of ransomware, like most of others, once executed, encrypts all files it can reach in the context of a user, if the user is an admin on the box the outcome is more devastating. In addition, this ransomware also tries to disable shadow copies and make some registry changes in HKLM hive which require administrative privileges. 

When it tries to spread, it uses a vulnerability, which once exploited gives the malware SYSTEM level access on the target system. All this means that this attack maybe very successful and destructive even if the users don’t have admin privileges on their unpatched workstations/servers. 

  

Is only disabling SMB v1 Server (LanmanServer) on all our machines helps us to protect from this vulnerability? 

Patch installation would be the first option. To answer the question, Yes. SMBV1 should be removed, but in a planned way. Please refer the below link 

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/ 

  

Do we need to disable SMB v1 client (Lanmanworkstation) as well on all our machines? 

No. It is only the SMBv1 server component (which means Lanmanserver), on the client machine and not Lanmanworkstation on the client machine. 

  

What is the impact of removing SMBv1? 

  • You’re still running XP or WS2003 under a custom support agreement 
  • Windows XP will not be able to access shares on a Windows 2003 Server or any other Operating System 
  • Windows Vista and above Operating System will not be able to access shares on a Windows 2003 Member Server or Domain Controller (if you still have them in the environment) 
  • You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list 
  • You run old multi-function printers with antique firmware in order to “scan to share” 

  

Please refer the below article for more details 

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/ 

  

If we must disable smb v1 Server service, what are the registry values to disable it? 

When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 

Please refer to the below link for more details 

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/ 

  

How do we know SMB v1 is active in our environment?  Can we proactively check it? 

Yes. Please test this, before using in the production environment. 

https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/ 

  

Windows 2016 and Windows 10 provides a way to audit usage of SMBv1, which can be found here 

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/ 

  

Is Windows 10 affected as of now? 

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack as of now.
 

  

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Customers running Windows 10 were not targeted by the attack today.
 

  

Windows 10 systems also need to be patched, because the variants can be developed. In addition to this, it would be recommended to remove SMBv1 from the clients and Windows servers, after doing a complete review of the below mentioned article. 

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/