By RJ Gazarek
The massive ransomware infection that spread across computers in over 99 countries on Friday, crippling hospitals and businesses, demonstrated how devastating a cyber attack can be on a global scale.
The timing of this ransomware attack is no coincidence: many European organizations were wrapping up their day, only to find that they suddenly had an entire weekend (or more) of work dropped into their laps. The scariest part is the hospitals in England that have had to suspend non-urgent care. Their urgent care systems were probably impacted as well.
This ransomware looks to be a version of WannaCry, which first encrypts all of the data on the infected machine and then looks to jump quickly to other machines on the internal network using a vulnerability in Windows systems. This highlights the importance of ensuring that endpoints are up to date with the latest security patches. If the initial reports are true, this vulnerability may be related to Microsoft Security Bulletin MS17-010 (rated critical). That update was published on March 14, and Microsoft’s overview of the bulletin reads: “This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
Once that bulletin was released, it’s safe to assume that people began attempting to create a version of WannaCry that would leverage that vulnerability on unpatched systems to execute code remotely and begin encrypting them. Given the number of systems affected, this seems like a well-coordinated and massively distributed attack.
In any event, regardless of how or when, it’s important that organizations around the world take steps to secure their infrastructures:
1) Always have your systems updated with the latest patches.
2) Deploy an application control solution that can detect and prevent unknown applications, processes, and scripts from executing on the endpoint.
3) Back up everything so that you can revert to it in the event of lost data.
4) Institute a Disaster Recovery plan (and TEST this plan! Run a recovery drill) that can get your organization back online as fast as possible in the event of not only natural disasters but also man-made disasters, such as ransomware.
5) Protect privileged accounts and administrative passwords so that attackers cannot bypass your security controls.
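The following audit script ties the SMBv1 discussion above to steps 1 and 5 of this list. It is an added example, not code from the original post or from Thycotic, and it assumes Windows PowerShell 5.1 on Windows 8.1, Windows 10 or Server 2012 R2 and later, run from an elevated prompt (the cmdlets Get-SmbServerConfiguration, Get-NetFirewallPortFilter and Get-LocalGroupMember are not present on Windows 7). The function names, the "REVIEW"/"OK" findings and the two-member threshold for the local Administrators group are assumptions chosen for illustration; the only fixed fact it relies on is that MS17-010 was published on March 14, 2017, so a machine whose newest security update predates that day cannot have received it.

```powershell
# Added endpoint audit for the hardening steps above (patch currency, SMBv1 exposure,
# privileged local accounts). Example code, not from the original post or Thycotic.
# Assumes Windows PowerShell 5.1 on Windows 8.1/10/Server 2012 R2+, run as administrator.

# MS17-010 was published on 14 March 2017 (verified date, not from the post itself).
$Ms17010Date = Get-Date -Year 2017 -Month 3 -Day 14

function Test-PatchCurrency {
    # Newest installed security update; older than the bulletin means the SMBv1 fix is absent.
    $latest = Get-HotFix |
        Where-Object { $_.Description -like 'Security Update*' -and $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        Check   = 'Latest security update'
        Value   = if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'none found' }
        Finding = if ($latest -and $latest.InstalledOn -ge $Ms17010Date) { 'OK' }
                  else { 'REVIEW: no security update installed since MS17-010 was released' }
    }
}

function Test-Smb1Server {
    # The vulnerable component is the SMBv1 server; report whether it is still enabled.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check   = 'SMBv1 server protocol'
        Value   = if ($cfg.EnableSMB1Protocol) { 'enabled' } else { 'disabled' }
        Finding = if ($cfg.EnableSMB1Protocol) { 'REVIEW: disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false' }
                  else { 'OK' }
    }
}

function Test-Smb445Exposure {
    # Enabled inbound firewall rules that allow TCP/445 let other hosts reach the SMB server.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $names = @($rules | Select-Object -ExpandProperty DisplayName)
    [pscustomobject]@{
        Check   = 'Inbound TCP/445 allow rules'
        Value   = if ($names.Count) { $names -join ', ' } else { 'none' }
        Finding = if ($names.Count) { 'REVIEW: confirm these profiles/scopes are intended; restrict to needed subnets' }
                  else { 'OK' }
    }
}

function Test-LocalAdmins {
    # Step 5: attackers who land on a box with many local admins bypass controls more easily.
    # Threshold of two members (built-in Administrator plus one domain group) is a constructed policy.
    $members = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Check   = 'Local Administrators members'
        Value   = $members -join ', '
        Finding = if ($members.Count -gt 2) { 'REVIEW: more than two members; confirm each is required and vaulted' }
                  else { 'OK' }
    }
}

function Invoke-EndpointAudit {
    @( (Test-PatchCurrency), (Test-Smb1Server), (Test-Smb445Exposure), (Test-LocalAdmins) )
}

Invoke-EndpointAudit | Format-Table -AutoSize -Wrap
```

Run it on a sample of endpoints before and after patching; any row marked REVIEW is one of the conditions the post warns about (missing March update, SMBv1 still reachable, or a bloated administrators group) and should be tracked to closure rather than merely logged.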
Want to learn more about securing your enterprise privileged passwords faster and easier? Get started with a free Thycotic Secret Server trial.