The No Tears Formula…

By Damon Tompkins

Even people who know better fall prey to cyber attacks.

After all, it wasn’t a bunch of Facebook junkies or six-year-olds who clicked on the e-mail links that launched the WannaCry (also known as WannaDecryptor) ransomware attacks, which infected computers in as many as 150 countries last Friday.

Instead, professionals in workplaces around the world were caught off guard, giving life to worms that crawled the networks of hospitals in Great Britain, Russia’s Interior Ministry, a university computer lab in Italy, the French carmaker Renault and Portugal Telecom, among many, many others, and locked them down until Bitcoin was exchanged for decryption keys, Windows patches were installed, or a fix was found.

Changing User Behavior Will Not Solve the Problem

Workers were not the root of this problem, and changing their behavior is not the solution. After all, out of the many, many workers who received the malicious e-mails, only a few had to click on the links to spread the malware to hundreds of thousands of endpoints.

The antidote to the problem lies in tools that enforce least privilege policy. More on this later.

The hackers in this case probably used a spray-and-pray approach, not necessarily going after anyone in particular. Once a user clicked on the malicious link, Wanna Decryptor encrypted the user’s files with the AES and RSA ciphers, so that only the attackers, holding a unique decryption key, could decrypt them. Victims were then shown notices such as a Please Read Me!.txt file, which provided a way to contact the cyber criminals.

In last week’s attack, some victims were made aware of the hack when the wallpaper on their computer abruptly changed asking the victim to download a decryptor from Dropbox. The decryptor then demanded hundreds in Bitcoin to be activated.

And while some of the affected in places like Russia’s interior ministry, Spain’s utility provider Gas Natural and even customers of a railway ticket machine in Germany were inconvenienced, albeit in a big way, the attack on the National Health Service (NHS) in England and Scotland caused the cancellation of operations, like heart surgery, because patient records could not be accessed.

Temporary Relief is Not a Solution

CEOs and CIOs worldwide breathed a sigh of relief when Microsoft stepped up and issued a patch (MS17-010) right after the attack, given that the affected computers were running outdated software like Windows XP or Windows Server 2003, which the company is no longer obligated to support. More respite came on Saturday, when a British malware researcher, who wishes to be identified only as MalwareTech, further slowed the attack by registering a domain name he discovered in the ransomware’s code.

Even so, as of last night, two variants have appeared and there’s little question that there are still more to come. Criminals aren’t likely to stop creating ransomware anytime soon.

Privileged Account Management Keeps Ransomware Out

That being said, there are things that can be done around prevention, detection and risk mitigation. Consider something like Thycotic’s Privilege Manager for Windows: it takes away local admin rights and blocks installation unless the application is whitelisted, which WannaCry or WannaDecryptor would not be.

Want to know more? Find free security resources here and get started with a free enterprise password management trial today.

Source: Thycotic