Looking for protection against Ransomware?
In May 2017, a piece of malicious software, or ransomware, known as WannaCrypt spread like a worm, affecting companies of all sizes across Europe and Asia. One of the key organisations affected was the NHS, where it caused a significant disruption of services in major healthcare facilities. Hospitals were forced to divert emergency cases, operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
More than 45,000 attacks have been recorded by security researchers at Kaspersky Lab across 74 countries affecting organisations like FedEx and Telefónica, as well as computers across Russia, India, China, Ukraine and Taiwan, leading to computers and their data being maliciously encrypted, locked up and held for ransom.
What was WannaCrypt?
The WannaCrypt ransomware spreads between Microsoft Windows computers by exploiting a vulnerability in the SMBv1 file-sharing service (the "EternalBlue" exploit, fixed by Microsoft's MS17-010 update). The exploit first became public when a group calling itself "Shadow Brokers" leaked a set of hacking tools attributed to the US National Security Agency (NSA). WannaCrypt was designed to use this vulnerability to infect computers attached to a corporate network and encrypt their contents, before demanding payment for the key needed to decrypt the files.
The image below shows an example of the WannaCrypt (also known as "WannaCry" or "WanaCrypt0r 2.0") warning screen, which asks for $300 worth of the cryptocurrency Bitcoin to unlock the contents of the computer. The ransomware also demonstrates its decryption capability by allowing the user to decrypt a few randomly chosen files free of charge, then reminds the user to pay the ransom to decrypt all the remaining files.
How was it spread?
The ransomware attempts to infect unpatched Windows machines on the local network over SMB, with no user interaction required. At the same time, it scans Internet IP addresses at large scale to find and infect other vulnerable computers. This is what made it behave like a worm. Most ransomware, by contrast, arrives hidden within email attachments or shared documents, usually leveraging social engineering or email as the primary attack vector and relying on unsuspecting users downloading and executing a malicious payload, or through a secondary infection on computers already compromised by malware that offers a back door for further attacks. Once ransomware has encrypted the files there is little that users, security teams or IT departments can do to restore the normal state or get them back online. If a full, offline backup of the files exists, users should be able to restore them after reinstalling or cleaning the computer; if not, the files could be gone for good.
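A worm that spreads over SMB leaves a recognisable trace: one host opening connections to many distinct peers on TCP port 445 within seconds, which ordinary file-share use never does. The following PowerShell is an added example written for this page, not code from the original article or from Microsoft. It reads lines in the Windows Firewall pfirewall.log layout (date, time, action, protocol, source IP, destination IP, source port, destination port, ...), which are constructed here, and reports any source that reaches a threshold of distinct port-445 targets inside a sliding time window. The window and threshold values are illustrative assumptions and should be tuned to the environment.

```powershell
# Added example (not from the original article): flag hosts whose outbound SMB
# connection fan-out looks like worm scanning rather than normal file-share use.
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $WindowSeconds = 60,   # assumption: sliding window size
        [int] $Threshold = 10        # assumption: distinct 445 targets that count as a sweep
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Keep only TCP events whose destination port is 445; ignore comments and blanks.
    $events = foreach ($line in $LogLines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    # Per source host, slide a window over its events and report the first window
    # in which the number of distinct destinations reaches the threshold.
    $events | Group-Object Src | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $distinct = @($sorted[$start..$end] | Select-Object -ExpandProperty Dst -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    Src             = $_.Name
                    DistinctTargets = $distinct
                    WindowStart     = $sorted[$start].Time
                    WindowEnd       = $sorted[$end].Time
                }
                break
            }
        }
    }
}

# Constructed sample data. 10.0.0.9 is a workstation talking to two file servers and
# a web site; 10.0.0.5 sweeps the local /24 and then a public range on port 445.
$normal = @(
    '2017-05-12 10:00:01 ALLOW TCP 10.0.0.9 10.0.0.2 50001 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 10:05:30 ALLOW TCP 10.0.0.9 10.0.0.2 50002 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 10:06:10 ALLOW TCP 10.0.0.9 10.0.0.3 50003 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 10:06:11 ALLOW TCP 10.0.0.9 203.0.113.50 50004 443 0 - 0 0 0 - - - SEND'
)
$scanner = 21..45 | ForEach-Object {
    $dst = if ($_ -le 40) { "10.0.0.$_" } else { "203.0.113.$_" }
    '2017-05-12 10:07:{0:D2} ALLOW TCP 10.0.0.5 {1} {2} 445 0 - 0 0 0 - - - SEND' -f ($_ - 21), $dst, (49000 + $_)
}

Find-SmbFanOut -LogLines ($normal + $scanner) | Format-Table -AutoSize
```

Only 10.0.0.5 is reported; 10.0.0.9 never exceeds two distinct SMB targets. Legitimate vulnerability scanners and software-deployment servers will trip the same rule, so their addresses need to be listed as exceptions before alerting on the result.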
How to prevent Ransomware attacks?
Shortly before the Shadow Brokers released their files, Microsoft had released a security patch (MS17-010, in March 2017, a software update that fixes the vulnerability) for the supported versions of Windows, ensuring that the vulnerability could not be used to spread malware between fully updated copies of its operating system. But for many reasons, such as lack of resources or a desire to fully test new updates before pushing them out more widely, organisations are often slow to install such security updates on a wide scale. Computers that had not installed the security update therefore remained vulnerable.
The NHS, like many other large organisations around the world, likely fell victim to it because of its reliance on old, unsupported software. Many NHS trusts still use Windows XP, a version of Microsoft's operating system that had not received publicly available security updates since its support ended in April 2014, three years before the attack, and even those running newer operating systems are often only sporadically maintained. For an attack that relies on a security vulnerability fixed less than three months earlier, a slight oversight can bring catastrophic consequences.
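Whether a given Windows host is still exposed comes down to three checks: is an MS17-010 update installed, is the SMBv1 server still enabled, and is inbound TCP/445 reachable. The PowerShell below is an added example written for this page, not code from the original article or from Microsoft. It runs the three checks on the local host and, with -Remediate, disables SMBv1 and adds a firewall rule blocking inbound 445. The KB numbers are the ones commonly cited for MS17-010 on Windows 7/2008 R2, 8.1/2012 R2, 2012 and XP/2003/Vista/8 and are listed here from memory; confirm them against the bulletin for your build, since later cumulative updates supersede them and a Windows 10 host will not show any of these IDs. The firewall rule name is an assumption used only so the script can find its own rule again.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
function Test-Ms17010Exposure {
    [CmdletBinding()]
    param([switch] $Remediate)

    # KB IDs as recalled for MS17-010; verify against the bulletin for your OS build.
    $ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'
    $installed  = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched    = @($ms17010Kbs | Where-Object { $installed -contains $_ })

    # SMBv1 server state. Windows 8/2012 and later expose it through the SMB cmdlets;
    # older hosts use the LanmanServer SMB1 registry value (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }

    # Rule name is an assumption: it only identifies the rule this script manages.
    $ruleName  = 'Block inbound SMB (TCP 445)'
    $blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if ($Remediate) {
        if ($smb1Enabled) {
            if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            } else {
                Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0
            }
            $smb1Enabled = $false   # takes full effect after a restart
        }
        if (-not $blockRule) {
            $blockRule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbFound    = if ($patched) { $patched -join ',' } else { 'none' }
        Smb1ServerEnabled = [bool]$smb1Enabled
        Inbound445Blocked = [bool]$blockRule
        RestartRequired   = [bool]$Remediate
    }
}

Test-Ms17010Exposure            # report only
# Test-Ms17010Exposure -Remediate   # disable SMBv1 and block inbound 445
```

Blocking inbound 445 on a file server breaks the shares it exists to serve, so on servers scope the rule with -RemoteAddress to the subnets that legitimately need SMB rather than blocking it outright; on workstations, which should not be serving files at all, a blanket block is the right default. Disabling SMBv1 needs a restart to take effect, and the report above only knows about the rule this script creates, so a block configured elsewhere (a group policy, a network firewall) will not be reflected in it.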
Using Microsoft Azure cloud capabilities to prevent future Ransomware attacks
Microsoft anti-malware telemetry picked up signs of this campaign immediately after the Shadow Brokers leak and the first attacks became known. Microsoft's expert systems provided visibility and context into the new attack as it happened, allowing Windows Defender Antivirus to deliver real-time defence. Through automated analysis, machine learning and predictive modelling, they were able to protect against this malware rapidly. While security updates are applied automatically on most computers, some corporate and enterprise organisations unfortunately delay deployment of patches because of their own internal processes.
Protection against future Ransomware attacks
The conclusion after this massive cybercrime is that more investment is needed to stop systems being vulnerable to future attacks, because the costs of outages and disrupted services and operations are higher than the investment in cybersecurity. Companies and organisations need to start investing in proper cloud-based systems which can lock down every computer that connects to the main network. It is imperative that critical industries like healthcare, transport, energy and communications ensure their vital IT infrastructure components are as robust as possible to prevent or mitigate such damaging attacks, similar to how the finance sector typically approaches infrastructure security for its sensitive IT platforms.
We know there are plenty of companies and organisations that simply don't have enough IT staff, or don't take cyber risk seriously enough, and for these the best alternative is to rely on cost-effective cloud providers and IT consultancy companies that deploy security and disaster-recovery best practices by default, natively available on the platform. As well as keeping antivirus, firewall, application and OS software up to date, backing up key data regularly to offline backup storage or to the Cloud should be a top priority, because data breaches and cyber-attacks such as WannaCrypt are an inevitable threat. Using an enterprise-ready public Cloud platform like Microsoft Azure gives you built-in capabilities to constantly monitor your network for unusual behaviour (for instance using Azure Operations Management Suite, OMS) and to give access to particular data and applications only to those who absolutely need it. Now that attackers find weak points in perimeter defences with increasing ease, largely because of the proliferation of wireless and mobile devices accessing the network at home and in the office, the focus has moved towards defending critical parts within the network: segmenting it (commonly known as micro-segmentation) and controlling access by identity and device, with tools like Enterprise Mobility Suite (EMS).
Tools like Azure OMS include a global knowledge base, so management solutions in OMS continuously have access to the latest security information. The OMS Security and Audit solution, for example, can perform a threat analysis against the latest threats being detected around the world, and, most importantly, does so in an automated manner.
While there is no fool-proof way of protecting an enterprise against every possible ransomware attack, some additional recommended actions to reduce exposure to future malware attacks would typically include:
- Upgrading to Windows 10, to get the latest protection from Microsoft.
- Keeping your computers up to date, giving you the benefits of the latest features and the proactive mitigations built into the latest versions of Windows.
- Using monitoring tools in the Cloud like Azure Operations Management Suite (OMS) to monitor resources in the cloud or on-premises.
- Using Mobility + Security tools like Enterprise Mobility Suite to protect data and secure devices and apps.
- Using Azure Backup and Azure Site Recovery to leverage the cloud for backup and high availability of on-premises resources.
- Using Windows Defender Antivirus, which uses cloud-based protection to help protect you from the latest threats automatically.
- For enterprises, using Device Guard to lock down devices with virtualisation-based security and code integrity policies, so that only trusted applications are allowed to run and untrusted malware cannot execute.
- Using Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
- Advanced Threat Protection (ATP) in Exchange Online Protection (EOP) helps you prevent zero-day malware attacks in your email environment.
- If you already use EOP to combat malware in your email environment, adding ATP provides more effective protection against attacks propagated through unsafe links and unsafe attachments.
- Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities.
- Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection - Ransomware response playbook.