I saw a humorous tweet today that said something to the effect that the number of blog posts about the recent “WannaCry” ransomware attack has now exceeded the number of infected machines. I am loath to add truth to that saying, but I, of course, have something to say about it, so here we go…
There are a couple of observations I’d like to make about WannaCry, and then I’ll provide a summary of the technical details related to combatting this malware. First, I was frankly surprised to see such a low “body count” of infected machines in the aftermath of this malware. The last number I saw was something like 200,000 infected machines–across over 1 billion Windows systems worldwide. For sure, much of this can be credited to the efforts of one security researcher who inadvertently triggered a ‘kill switch’ in the malware to stop its spread. Perhaps at least some of the limited damage comes on the back of more awareness around security in general and ransomware in particular, though I don’t put too much stock in this.
I was also interested to note that there was much hand-wringing about the fact that so many folks hadn’t patched their Windows systems to prevent the spread of WannaCry (never mind the insane number of Windows XP/2003 systems still out there, which forced Microsoft to backport their patch to these systems). Remember that Microsoft patched a vulnerability in the SMB v1 protocol back in March that was subsequently exploited by WannaCry’s authors to help spread the ransomware across the Internet and within organizations’ networks. It doesn’t surprise me at all that many folks hadn’t yet applied that patch. I worked for nearly 30 years in enterprise IT environments. I know that many organizations are very careful about applying patches to production systems, because the track record for patches causing outages and line-of-business failures is long and storied. So the fact that two months went by and a significant chunk of the population had not yet applied MS17-010 did not surprise me. I think the most surprising part about this outbreak was the fact that the malware authors are evolving their attack patterns to find more creative ways of moving laterally within and across environments with increasing speed. Today it was SMB1; tomorrow it will be some other vulnerability, zero-day or otherwise, that is exploited to infect an entire organization’s network. It was in early March that I blogged about Group Policy itself being used as a malware delivery vehicle for another ransomware attack. The biggest takeaway for me from this event is that we need to do more on two fronts:
- Organizations need to do more to stop malware at the point of infection (i.e. when the user clicks on that malware email to start the initial infection). This is easier said than done, and there are multi-million dollar industries that have sprung up trying to solve this problem. The problem, of course, relates to the age-old techie acronym PEBCAK, or “Problem Exists Between Chair And Keyboard”. That is, the problem is the user. The user is the first and last line of defense. We can deploy all sorts of fancy anti-malware solutions, but if the user does something unexpected, and the malware author is smarter than the anti-malware, we have failed. Here, I have seen a lot of benefit in relentless user education. Anti-phishing campaigns run by organizations to continuously make users aware of the common tactics of phishers actually do work, and I encourage every organization, no matter the size, to engage in these programs. Obviously there is the potential for the “boy who cried wolf” effect if you do these too often, but occasionally reminding users of the dangerous world in which they operate is super useful for shielding yourself from these kinds of events.
- The second point is one that has been made time and again over the last few years–that the “perimeter network” of a given organization is no longer the perimeter, and that every host and device on an internal network is the perimeter, and should be treated as such. Hardening each and every system with security configuration, patches and firewalls (physical or logical) is the imperative, rather than the optional. Privileged access should be doled out with the stinginess of Scrooge, and systems that cannot be impacted in your business should require multiple levels of logical and physical access. For sure, vulnerabilities in software will exist–it’s just the nature of the increasingly complex world we live in. But we can and should take steps to make it much, much harder for the bad guys to find their way into and across our networks. And this means that every IT person out there must also be a security expert, regardless of what else you do. I can’t underscore this enough–most IT folks I come across have only a vague notion of security concepts and that has to change!
Ok, off the soapbox…
If you are still grappling with WannaCry and its effects, I’ve recently tweeted or re-tweeted several useful resources for protecting yourself from the SMB v1 issues that this malware exploited. Here are those articles:
- “Disable SMB1 in Managed Environments with Group Policy”: https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/
- “How to Enable and Disable SMBv1, v2 and v3 in Windows and Windows Server Environments”: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
- Cool PowerShell Script to test for SMBv1: https://www.powershellgallery.com/packages/Test-WannaCryVulnerability/2.2/DisplayScript
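To tie the three resources above together, here is an added example script (my own illustration, not code from the original post, from Microsoft’s articles, or from the Test-WannaCryVulnerability gallery script) that audits a single host for SMBv1 exposure on both the server and client side and, only when you pass -Remediate, disables SMBv1 using the cmdlets and sc.exe commands that the Microsoft KB article documents. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (for the SmbServerConfiguration and WindowsOptionalFeature cmdlets). Because the MS17-010 KB numbers differ by OS and are not listed here, the patch check takes them as a parameter rather than hard-coding any.

```powershell
<#
  Added example: audit (and optionally disable) SMBv1 on the local host.
  Not part of the original post or of the linked Microsoft articles.
  Assumptions: run elevated; Windows 8.1 / Server 2012 R2 or later.
#>
param(
    [switch]$Remediate,
    # Placeholder: supply the MS17-010 KB ids that apply to your OS, e.g. -Ms17010KbIds 'KB<id>'
    [string[]]$Ms17010KbIds = @()
)

$findings = [ordered]@{}

# 1. Server side: is this host still offering the SMB1 dialect to clients?
$srv = Get-SmbServerConfiguration
$findings['SMB1 server protocol enabled'] = $srv.EnableSMB1Protocol

# 2. Is the SMB1 component installed at all? (Absent means there is nothing to exploit.)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$findings['SMB1Protocol feature state'] = if ($feat) { $feat.State } else { 'NotPresent' }

# 3. Client side: the SMB1 redirector is the mrxsmb10 file-system driver. It is a risk
#    when it is startable and still listed as a LanmanWorkstation dependency.
$mrx = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
$findings['mrxsmb10 driver start mode'] = if ($mrx) { $mrx.StartMode } else { 'NotPresent' }
$dep = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
        -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$findings['LanmanWorkstation depends on mrxsmb10'] = ($dep -contains 'mrxsmb10')

# 4. Is anything listening on TCP 445 at all? Useful context for a firewall decision.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$findings['TCP 445 listening'] = [bool]$listening

# 5. Patch status, only if the caller told us which KB ids to look for.
if ($Ms17010KbIds.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010KbIds -contains $_.HotFixID }
    $findings['MS17-010 KB installed'] = [bool]$installed
}

$findings.GetEnumerator() | ForEach-Object { '{0,-40} : {1}' -f $_.Key, $_.Value }

if ($Remediate) {
    # Server: stop offering SMB1. New sessions are affected without a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Client: the two sc.exe commands from the Microsoft KB article drop mrxsmb10 from the
    # workstation service's dependency list and disable the driver (reboot required).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Remove the SMB1 component entirely where it is installed (reboot required).
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Output 'SMBv1 disabled; reboot to complete the client-side change.'
}
```

Run it once without -Remediate to get a report you can compare across machines (or feed the same checks into a Group Policy startup script or a configuration-management tool), and only then run it with -Remediate. The audit deliberately reports the client-side redirector separately from the server-side setting, because the Microsoft guidance above treats them as two different changes and a host can be “fixed” on one side while still speaking SMB1 on the other.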
I hope everyone out there avoided the worst of this. Stay safe!
Darren