Painful lessons from WannaCry Ransomware

By:

Publication: The Community Banker , Summer 2017

 

The Community Banker Summer 2017A specific type of malware named WannaCry made international headlines in May after achieving an unprecedented infection rate. Using EternalBlue, a recently leaked tool from the US Intelligence community, it installed malicious software that encrypted files then required victims to pay a ransom to restore them. The timing of this tool’s release and subsequent use in such a widespread event has taught – and retaught - network administrators around the globe to revisit the basic lessons of security.

Patching is still king.

Every conference, webinar, magazine, and coffee shop IT person will remind you to patch your systems. Thankfully, their constant reminders are less intrusive than ransomware locking down your files. When EternalBlue was originally released, experts anticipated the malware would primarily affect older Windows XP and Server 2003 systems. In reality, of the estimated 355,000 systems compromised by WannaCry, almost 80% were unpatched Windows 7 Pro and Server 2008 operating systems (https://intel.malwaretech.com/botnet/wcrypt). Microsoft released the patch MS17-010 to correct the vulnerability in these Windows systems on March 14, 2017. This means the administrators of these systems missed two full patching cycles and, as a result, suffered significant downtime and losses when WannaCry began its rampage two months later.

Hardware inventories are a must.

Once you are committed to patching on a very regular basis, you need to be aware of WHAT you are patching. Audits typically ask you to provide an inventory of software and systems. How often do you update this list on the fly before submitting it instead of reviewing it on a routine basis as part of your standard process?

An updated and accurate inventory of both software and hardware will simplify patching procedures. Additionally, as administrators or temporary stand-ins need to quickly ascertain the physical location of any infected hardware, this inventory needs to include all devices connected to your network. This goes beyond workstations and servers to printers, coffee pots, smart thermostats, etc. Everything with an Ethernet port or Wi-Fi card that connects to your network needs to be documented for patching procedures to be most effective.

Network segmentation keeps your ship afloat.

Even though you may maintain a list of devices that are patched on a regular basis, the next big malware event could use a zero-day vulnerability software vendors have not patched, much less been aware. You may have done everything right up to now, but persistent malware authors have the upper hand and you are always at risk of infection.

Network segmentation is your primary source for damage control in this situation. By logically separating your network, you create bulkheads in SS local.domain that keep critical systems such as servers isolated from workstations and printers. Some services may need to be whitelisted for vendor software to work, but it is far more effective to whitelist exceptions rather than maintain a blacklist of banned services.

Equally important is segregation of all the new Internet-of-Things (IoT) devices. Many smart thermostats, coffee pots, and the like contain the same vulnerabilities that affect our business systems, but will not receive timely security patches – if they receive any at all.

Security affects our daily lives.

WannyCry had very clear and profound real-world ramifications. It shut down the National Health Services for almost a full day. During this time, patient care slowed and prescriptions were not filled. We are fortunate that WannaCry affected few financial systems, but we must remain vigilant moving forward.