The WannaCry (aka WannaCrypt, WannaCrypt0r 2.0 and Wcry) global ransomware attack raises significant concerns about wide-scale attacks from self-propagating ransomware. It appears the initial threat has been stopped by malware researcher MalwareTech. However, the underlying threat is still present, and there is consensus that copycat (and better designed) attacks are imminent.
Viruses and malware that infect one computer and then use that computer to launch attacks on nearby computers are not new. Ransomware that self-propagates is more worrisome because of the impact to critical systems, shutting down an entire organization in the case of the U.K. hospital affected. The attack used multiple infection techniques (phishing emails, malicious links and local access from other infected systems) to encrypt user files and then launch additional attacks against other computers. The WannaCry attack leveraged recently disclosed vulnerabilities in the Microsoft Operating System (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 and CVE-2017-0148). Microsoft issued a patch for the vulnerabilities in March 2017 (MS17-010). Due to the WannaCry attacks, Microsoft also took the unusual step of immediately issuing patches for unsupported operating systems (XP, Vista, Server 2003, and several variations) (KB4012598).
Although a great deal of press coverage has focused on healthcare entities, the attackers are targeting organizations all over the world across all industry groups. The criminals want to make money on the effort and while healthcare is an obvious target, they will take money from any organization infected. Organizations should take immediate actions to minimize the threat to their environment.
- Implement Patch Updates: Implement MS17-010, and verify that it was applied successfully, on ALL Microsoft Operating Systems including servers and end-user workstations. If you have to prioritize, begin with systems accessed from the internet, followed by systems accessing the internet and finally all other systems.
- Send Security Awareness Reminders: Immediately remind your users about phishing attacks and suspicious links in emails, and tell them to call your help desk if they “think they may have clicked”.
- Run Vulnerability Scans: Scan all systems accessed from the internet immediately to validate that patches and configurations are secure. Scan the entire environment as soon as possible.
- Contact RubinBrown's Rob Rudloff, CISSP-ISSMP, Audrey Katcher CPA, CISA, or David Hendrickson, CISSP, if you have questions.
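The patch prioritization above can be turned into a remediation queue. The following is an added example, not part of the original advisory: the inventory rows, host names and the column names `host`, `os`, `exposure` and `ms17_010` are constructed, and the `ms17_010` status is assumed to come from a vulnerability scan or patch-management export.

```python
import csv
import io

# Priority tiers from the advisory's patching guidance.
TIER = {
    "internet_facing": 1,   # systems accessed from the internet
    "internet_access": 2,   # systems that access the internet
    "internal": 3,          # all other systems
}
# Operating systems the advisory lists as unsupported (patched via KB4012598).
UNSUPPORTED = ("xp", "vista", "server 2003")

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE = """host,os,exposure,ms17_010
web01,Server 2012 R2,internet_facing,installed
hr-ws07,Windows 7,internet_access,missing
xp-lab3,Windows XP,internal,missing
vpn-gw,Server 2008 R2,internet_facing,missing
fs02,Server 2003,internal,
ws114,Windows 10,internet_access,installed
kiosk9,Windows 7,dmz?,missing
"""

def required_patch(os_name):
    """Name the update the advisory cites for this operating system."""
    name = os_name.lower()
    return "KB4012598" if any(tag in name for tag in UNSUPPORTED) else "MS17-010"

def remediation_queue(inventory_csv):
    """Return (tier, host, patch, status) for hosts not verified as patched.

    Only an explicit 'installed' status removes a host from the queue; a
    blank status is reported as 'unknown'. An unrecognized exposure value
    is treated as tier 1 so a data-entry error cannot deprioritize a host.
    """
    queue = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = (row.get("ms17_010") or "").strip().lower()
        if status == "installed":
            continue
        exposure = (row.get("exposure") or "").strip().lower()
        tier = TIER.get(exposure, 1)
        queue.append((tier, row["host"].strip(), required_patch(row["os"]), status or "unknown"))
    return sorted(queue)  # tier first, then host name

if __name__ == "__main__":
    for tier, host, patch, status in remediation_queue(SAMPLE):
        print(f"tier {tier}  {host:<8}  {patch:<10}  status={status}")
```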
Long Term Actions:
- Test Patching & Secure Configurations: Review and test the patch update and secure configurations in the environment. Update the processes and technology to ensure patches are implemented in a timely fashion and baseline configurations are secure.
- Provide Regular Security Awareness Training: Implement an ongoing Security Awareness Training program to reinforce good security practices for users. Use the materials distributed every October for the annual Cybersecurity Awareness Month; free materials are available for you to use in addition to commercial programs.
- Review for Vulnerabilities Quarterly: Supplement the patching and secure configuration processes with monthly scans for all systems accessed from the internet and the full environment at least quarterly. Ongoing scans validate patch installation and identify areas where additional secure configuration focus is needed.
- Implement Appropriate Backup and Recovery: Implement backup and recovery solutions capable of recovering systems affected by a ransomware attack, so you do not have to consider paying the ransom. It is important to consult on how to make sure the backups can actually be recovered, and to practice the recovery.
- Assess Security Risk Annually: Perform annual security risk assessments to identify potential areas of risk.
Ransomware attacks are capable of generating millions of dollars for the attackers, and with new vulnerabilities discovered every day, we must stay vigilant. Even though the current threat appears to have tapered off, the attackers proved the potential of the attack, and more are coming. Take steps to protect yourself and your organization now.
If you have questions or need assistance, please feel free to contact your RubinBrown advisor or any of RubinBrown’s Cyber Security professionals, Rob Rudloff, CISSP-ISSMP, Audrey Katcher CPA, CISA, or David Hendrickson, CISSP.