How do I prevent WannaCry ransomware?

Dear Valued Client,

Before we begin, if at any point while reading the message below, you need assistance or are just not sure, call 877-662-6624 or contact us by email and let us know so we may assist you. If you are one of our Patchworx clients or that rare organization that is covered through other effective measures, we sincerely congratulate you for your efforts to protect your company.

Whether you request our assistance or do the work of protecting yourself, not acting could be a very costly choice.

Critical news:

As you have likely heard in the national news, networks all over the world (in more than 150 countries) have been infected by the WannaCrypt ransomware, also known as WannaCry, since Friday 5/12/2017. Hundreds of thousands of computers are estimated to be infected already, and potentially millions more soon will be. This strain also spreads on its own from one unpatched Windows machine to the next over the network, so the patching steps further down matter even if nobody in your organization clicks anything. Still, before we move into the details of why this matters, please DO NOT open attachments or click on links in emails from unknown senders, bring in unscanned USB drives, or otherwise invite an infection into your network.


What does ransomware do?

There are different types of ransomware, but all of them prevent you from using your PC or server normally. They then demand that you do something, usually pay money, before you can access your systems and data. Most (not all) make getting data back impossible without paying the ransom (which we do not generally recommend) or restoring from backup. Ransomware can target any PC user, whether the machine is a home computer, an enterprise workstation, or a server used by a government agency.

Ransomware can:

· Prevent you from accessing systems

· Lock or rename files, making them unusable

· Encrypt files so you can't use them (ever)

· Stop certain apps from running (like your web browser or AV software)

In most cases, ransomware demands that you pay money (a "ransom") to regain access to the files on your PC or server. Beware: there is no guarantee that paying, or doing whatever else the ransomware tells you, will actually work. In many cases the criminals simply demand more, or come back and infect your systems again at a later date. If you have no backup and no decryption tool exists for that strain, paying may be your only option. Do not act rashly: tampering with the malware or trying to fix it yourself can make matters much worse.

The currently spreading ransomware, WannaCry, operates by exploiting a Windows vulnerability that became public when a cache of hacking tools, widely attributed to the NSA, was leaked. Those tools include a major exploit codenamed EternalBlue, which greatly simplifies taking over older (unsupported) or unpatched Windows machines. The targeted functionality is version 1 of the Server Message Block (SMB) protocol, which Windows uses for file sharing and which is normally reachable on TCP port 445. Microsoft patched the vulnerability in March 2017 (security bulletin MS17-010) and, in a highly unusual move, has since released the fix for unsupported operating systems as well, including Windows Server 2003 and Windows XP.

What should you do?

1. Immediately verify that your systems are being backed up by a system that takes snapshots, such as DRworx, and that a recent backup can actually be restored.

2. Immediately verify that your systems are current and up to date with the latest patches. For WannaCry specifically, that means the March 2017 SMB fix (MS17-010) on every Windows machine, including the older unsupported ones; where SMB version 1 is not needed, disable it, and block TCP port 445 at the internet edge.

3. If you are not already using a mail service that scans files before they enter your network, consider doing so as soon as possible.

4. Be sure that all of your systems are running up-to-date enterprise anti-virus/anti-malware software.

5. Remove administrative rights from all users and devices, and do not use admin accounts unless an IT task actually requires them.

Manual remediation or automatic Windows updates?

A manual approach involves someone logging into every single machine, running Windows Update, installing the critical security patches, rebooting, and then doing all of that over again the next month. This is incredibly time consuming, and it only covers Microsoft vulnerabilities, not the third-party applications on the same machines. For more on patching best practices, we provide advice here.

Turning on Windows Update installs patches automatically on a set schedule, but it also exposes you to untested patches that may break applications or features and cause any number of issues. Windows Update can be enabled via Group Policy, but a process needs to be in place to validate that those settings actually arrived on each machine and that updates are really installing; Group Policy itself gives you no compliance report showing that.
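As an added example (not Alvaka's or Microsoft's code), here is the kind of per-machine check that validation process needs: it reads the Automatic Updates policy keys that Group Policy writes and asks the Windows Update Agent when an install last succeeded. The 35-day "stale" threshold is this example's own choice, and the script is meant to be run on each endpoint by remoting or a scheduled task.

```powershell
# Added example, not Alvaka's code: confirm that the Automatic Updates policy
# pushed by Group Policy actually arrived on this machine and that updates are
# actually installing. The 35-day freshness threshold is an assumption.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

# AUOptions 4 = download and install on the configured schedule.
# NoAutoUpdate 1 = automatic updates switched off by policy.
# If the key is missing entirely, the policy never applied here.
$policyApplied = [bool]($au -and $au.AUOptions -eq 4 -and $au.NoAutoUpdate -ne 1)

# The Windows Update Agent COM object records the last successful install.
$wua = New-Object -ComObject Microsoft.Update.AutoUpdate
$lastInstall = $wua.Results.LastInstallationSuccessDate
$daysSince = if ($lastInstall) { ((Get-Date) - $lastInstall).Days } else { $null }
$stale = ($null -eq $daysSince) -or ($daysSince -gt 35)

# One row per machine; collect these centrally to get the report that
# Group Policy by itself does not provide.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    PolicyApplied  = $policyApplied
    LastInstall    = $lastInstall
    DaysSince      = $daysSince
    NeedsAttention = (-not $policyApplied) -or $stale
}
```

A machine that shows PolicyApplied as true but a stale LastInstall is the case the paragraph above warns about: the setting is present, yet nothing is actually being installed, typically because the service is stopped, the machine is never on during the maintenance window, or an update is failing repeatedly.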

A managed process for distributing patches is the best way to go. Alvaka can help you with this process, if you contact us.

Discover vulnerability through network based scans:

A vulnerability scan can be done in a couple of different ways, but any network-based scan depends on the target systems being configured correctly and reachable in order to get accurate results. Computers have to be powered on and connected to the network being scanned, so any machine not physically on the network when the scan runs (remote users, laptops left at home) will be missed, and a missed machine is an unknown, not a clean result.

Host firewalls on servers and PCs need policies that allow the scanner's address to communicate directly over the Windows sharing ports; simply switching the firewall off is not the answer, since open SMB ports are exactly what WannaCry exploits. Group Policy can be used to open those ports for the scanner, but that is not fail-safe, because Group Policy does not always apply properly or in a timely manner. Once the scans are done, a report is generated and patches can be deployed manually on a machine-by-machine basis.

Note: A network-based scan will never be as accurate as a resident, agent-based vulnerability scan.
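To make both points concrete, the patch check from step 2 under "What should you do?" and the reachability caveat in this section, here is an added example (not Alvaka's, Patchworx's or Microsoft's code) that sweeps a small inventory for MS17-010 and SMBv1 exposure. It combines a network probe of TCP 445 with a check that runs on the host itself through PowerShell remoting, and it reports any machine it cannot reach as "not assessed" rather than letting it silently drop out. The inventory names are constructed for the example; it assumes WinRM is allowed from the scanning workstation and that the running account is a local administrator on each target.

```powershell
# Added example, not Alvaka's or Microsoft's code. Sweeps an inventory for
# MS17-010 / SMBv1 exposure: a network probe of TCP 445 plus a host-resident
# check over PowerShell remoting. Unreachable machines are never reported safe.
#
# Assumptions (hypothetical): the inventory below is constructed; WinRM is
# reachable from this workstation; the account is a local admin on each target.

# Part 1: the host-resident check, executed on each target via Invoke-Command.
$HostCheck = {
    # Microsoft's March 2017 updates that carry the SMBv1 fix (MS17-010), per OS.
    # Later cumulative rollups supersede these, so Get-HotFix may not list the
    # original KB on a machine that is in fact patched: treat "none found" as
    # "verify", not as proof of exposure.
    $ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216',
                  'KB4012214','KB4012217','KB4012606','KB4013198',
                  'KB4013429','KB4012598'
    $found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID }

    # SMBv1 server switch. An absent value means the default, which on the
    # Windows versions WannaCry hit is "enabled".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        OS          = (Get-WmiObject Win32_OperatingSystem).Caption
        Ms17010KBs  = (@($found) -join ',')
        Smb1Enabled = $smb1Enabled
    }
}

# Part 2: the network-based part, a TCP connect to 445 with a short timeout.
function Test-Port445 {
    param([string]$ComputerName, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 445, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Part 3: the sweep. Constructed inventory; in practice take it from AD or the
# asset register so that machines that are off or off-site still appear.
$inventory = 'FILESRV01', 'WKS-ACCT-07', 'LAPTOP-SALES-03'

$report = foreach ($target in $inventory) {
    $row = [ordered]@{
        Host = $target; Port445 = 'closed'; OS = ''; Smb1Enabled = ''
        Status = 'not assessed'
    }
    if (Test-Port445 -ComputerName $target) { $row.Port445 = 'open' }
    try {
        $r = Invoke-Command -ComputerName $target -ScriptBlock $HostCheck -ErrorAction Stop
        $row.OS = $r.OS
        $row.Smb1Enabled = $r.Smb1Enabled
        $row.Status = if ($r.Ms17010KBs -and -not $r.Smb1Enabled) { 'ok' }
                      elseif ($r.Ms17010KBs) { 'patched, SMBv1 still enabled' }
                      else { 'no MS17-010 KB listed: verify' }
    } catch {
        # Off, off-site or firewalled: the scan learned nothing, and says so.
        $row.Status = 'not assessed: ' + $_.Exception.Message
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# Remediation for a confirmed host (run there as administrator, then reboot):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#       -Name SMB1 -Type DWORD -Value 0 -Force
# On Windows 8.1 / Server 2012 R2 and later the equivalent is:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Two details are deliberate. First, the 445 probe and the host check are reported separately: a laptop that answers on 445 but refuses remoting is exactly the worst case (exposed, and unverified), and collapsing the two into one "reachable" flag would hide it. Second, the host-resident half is what an agent-based product does continuously; running it once over remoting is the manual approximation, and it still misses any machine that is not on the network when you run it.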

If you need help with this, contact Alvaka Networks ASAP.


Alvaka's Patchworx service:

Alvaka uses a resident, agent-based vulnerability analysis tool that scans not only for Microsoft vulnerabilities but also for vulnerabilities in over 30 other common business applications and utilities. The scan runs locally on each endpoint, which gives the highest level of accuracy and allows for immediate remediation by installing the required patches from our NOC (Network Operations Center) on a set schedule or within approved maintenance windows. Machines are then scanned daily for new vulnerabilities, and for configuration changes that may undo a fix a patch put in place, leaving the machine vulnerable again.

Patchworx is the best and most secure way to handle patch management.

So, if you are a current client and have questions, or you are a new client who hopes to have assurances that you will not be the next IT Hostage, contact Alvaka Networks. We are here and prepared to help.