16 May 2017
Blogs by author: Mark Hughes, President, BT Security
The WannaCry ransomware attack has affected more than 150 countries. Here’s our advice on steps you can take to keep your organisation secure.
Anatomy of an attack.
So far, the recent WannaCry ransomware attack has affected organisations in more than 150 countries around the world. Once a machine is infected, the malware looks for files on removable storage devices or hard drives, encrypts them (using a 2048-bit RSA encryption algorithm) and demands that the user pay for an unlock code to retrieve their data.
The malware uses a vulnerability in Microsoft’s Server Message Block (SMB) protocol to spread itself indiscriminately around organisations. Typically, it uses ports left open on firewalls (normally ports 139 and 445), leaving any host on the network at risk of infection.
What’s interesting is that Microsoft had already identified and patched the vulnerability on 14 March 2017. However, many organisations have been running unsupported operating systems (such as Microsoft XP), have legacy IT, or have been slow to update. It was — and continues to be — these machines and networks that are vulnerable to WannaCry.
Steps to stay secure.
As a company that works in 180 countries, we see millions of cyber attacks every year. Based on this experience, we’ve put together four simple steps that you should take to make sure WannaCry doesn’t play havoc with your systems.
Check you have Microsoft’s patch applied and running correctly across your global IT estate. Making sure the patch is deployed and working properly should be your top priority. When the dust has settled, you may want to review your patching and firewall policy update processes and ensure that you have a change-out programme for legacy systems that’s aligned with your risk profile.
Work closely with your antivirus vendors and Microsoft to ensure you have the latest virus protection available. At BT, we’ve worked with McAfee to guarantee that we have the most up-to-date DAT file, which we use to secure all of our desktops. You have to take a similar approach with your antivirus vendor.
Discover whether your network has suffered any infection, limit the spread as far as possible, then neutralise it before the malware detonates. If you uncover any instance of the malware, you want to enter a state of lockdown — not necessarily across your entire estate, but containing the attack to the smallest radius possible. That makes it easier to neutralise and eradicate from your systems.
Isolate and roll back. Contain the affected machines, clean them, then restore the data. Once you’ve neutralised any source of infection, you need to get your data back — and the best way to do this is with an aggressive backup strategy. If you can swiftly restore machines, you have a lot less to fear from ransomware.
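One way to support the "discover and limit the spread" step, as an added example that is not part of BT's post: a check over firewall or flow logs that flags any host opening SMB connections (ports 139 and 445, as described above) to many distinct machines within a short window, the fan-out pattern of a worm spreading across a network. The log format, sample lines, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}   # the firewall ports named in the post

# Constructed sample lines, not real traffic: "<ISO time> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.5 445 ALLOW
2017-05-12T10:00:02 10.0.1.20 10.0.1.6 445 ALLOW
2017-05-12T10:00:02 10.0.1.20 10.0.1.7 445 ALLOW
2017-05-12T10:00:03 10.0.1.20 10.0.1.8 139 ALLOW
2017-05-12T10:00:03 10.0.1.20 10.0.1.9 445 DENY
2017-05-12T10:00:04 10.0.1.20 10.0.1.10 445 ALLOW
2017-05-12T10:00:05 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:00:06 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:00:07 10.0.1.40 10.0.1.50 80 ALLOW
"""

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_smb_fanout(log_text, max_targets=5, window=timedelta(minutes=5)):
    """Return {src: distinct SMB targets} for sources that reached more than
    max_targets distinct hosts within one window. DENY lines count too:
    a blocked probe is still evidence of worm-style scanning."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in SMB_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until hits[start..end] fit inside it
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) > max_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_LOG))  # {'10.0.1.20': 6}
```

A host that is flagged is a candidate for the isolation step, not proof of infection; legitimate file servers and backup agents also touch many SMB endpoints, so tune the threshold to your estate.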
Find out more.
Following these four steps should make sure that you find any ransomware on your system and deal with it appropriately. For more information on dealing with WannaCry — including extra tips from our Global CSO, Les Anderson, and insight into how we, as a company, dealt with the attack — take a look at the video below.
And visit our ‘Defend yourself against WannaCry Ransomware’ page.