What is it?
WannaCry is a form of malicious software (malware) known as ransomware. Like other ransomware, WannaCry encrypts (i.e., locks up) data files on computers and demands the victim pay a ransom to receive the decryption key (to unlock the data) from the attackers. Without the decryption key, the files will remain inaccessible.
How does one become infected?
Typically, the infection method has been via a spear phishing attack (i.e., an email that appears to come from a trusted source but is actually spoofed/faked and contains malware). The ransomware is now spreading via several methods including self-propagation to vulnerable machines on external and internal networks.
What should you do as a preventive measure?
To protect your network from WannaCry ransomware, you should verify that the Microsoft security patch for Microsoft Security Bulletin MS17-010, which fixes a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) server, is applied to all internal and external machines. A patch for this vulnerability was released on March 14, 2017, so if your patch management program is sound, your network should be protected.
- Enable strong spam filters to prevent phishing e-mails and authenticate in-bound e-mail.
- Scan all incoming and outgoing e-mails to detect threats.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
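One way to carry out the patch verification described above, as an added example that is not part of the original guidance. It assumes PowerShell remoting (WinRM) is enabled and uses constructed host names. A host whose newest installed update predates March 14, 2017 cannot have the fix; every other host still needs the MS17-010 update for its Windows version confirmed.

```powershell
# Added example, not from the original guidance.
# Assumptions: WinRM remoting is enabled; host names are constructed placeholders.
$PatchReleased = [datetime]'2017-03-14'   # MS17-010 release date given above
$Computers     = @('WKSTN-EXAMPLE-01', 'FILESRV-EXAMPLE-01')

$report = foreach ($computer in $Computers) {
    try {
        $r = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            # Newest update that reports an install date (InstalledOn can be empty)
            $newest = Get-HotFix | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
            # SMBv1 server setting; the cmdlet is absent on older Windows releases
            $smb1 = 'Unknown'
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                $smb1 = [string](Get-SmbServerConfiguration).EnableSMB1Protocol
            }
            [pscustomobject]@{
                NewestUpdate = $newest.InstalledOn
                NewestKB     = $newest.HotFixID
                Smb1Server   = $smb1
            }
        }
        if (-not $r.NewestUpdate -or $r.NewestUpdate -lt $PatchReleased) {
            $status = 'NOT PATCHED: no update installed since the fix was released'
        } else {
            $status = 'REVIEW: confirm the MS17-010 update for this Windows version'
        }
        [pscustomobject]@{
            Computer = $computer; Status = $status; Smb1Server = $r.Smb1Server
            NewestUpdate = $r.NewestUpdate; NewestKB = $r.NewestKB
        }
    } catch {
        # Hosts that cannot be queried are unverified, not safe
        [pscustomobject]@{
            Computer = $computer; Status = "UNVERIFIED: $($_.Exception.Message)"
            Smb1Server = 'Unknown'; NewestUpdate = $null; NewestKB = $null
        }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
```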
What should you do if you’re hit?
If you have become infected with WannaCry, you should immediately notify your tech support/incident response team so they can assess and contain the infection, verify all systems on the network are patched, and recover the affected files from the most recent, hopefully uninfected, backup. Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance.
What are my options if infected?
There are four options:
- Ideally, one restores from an uninfected backup, as noted above.
- Contact a qualified IT team to assist you with review of your system(s).
- Lose your data.
- Pay the ransom. While not the preferred option, this will depend on your individual situation and the assessment of what data could be lost, and it will be your call to make.
Going forward, how should we protect our organization from such attacks?
Ask the following seven questions of your tech support/incident response team:
- Do we have an adequate patch management program that covers both Microsoft patches and third-party patches (e.g., Adobe, Java) AND deploys these patches shortly after they are released?
- Have we completed a true Cybersecurity Risk Assessment (not just the FFIEC CAT, which is a maturity model, not a true risk assessment) to know what threats are present and how we are mitigating such risk?
- Does our current IT audit program include cybersecurity testing from a qualified and independent firm?
- Does such cybersecurity testing include penetration testing, internal and external vulnerability scanning, social engineering testing, backup verification, patch management testing, and other applicable procedures designed to assess our susceptibility to such attacks?
- Do we have 24/7 security monitoring of our network so that malicious traffic emanating from inside our network is detected?
- Have we included an incident such as this as a scenario in our Business Continuity and Incident Response tabletop testing?
- Are we providing adequate training and testing throughout our organization, from the front line to the board room?
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Back-up copies of sensitive data should not be readily accessible from local networks and should be stored with a secure site or provider.
- Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
- Only download software, especially free software, from sites you know and trust.
- Enable automated patches for your operating system and Web browser.
For more information check out the U.S. Government interagency technical guidance document at this link.
Lastly, here is a link to a Microsoft resource with more technical information on this threat.