By Steven Malone,
Director of Security Product Management at Mimecast
The global reach and considerable impact of the WannaCrypt (WannaCry/Wcry) ransomware is a wake-up call for organizations and governments around the world. This ongoing cyber threat will continue to adapt to take advantage of weaknesses in IT systems and procedures. New variants of this malware may cause even more damage if you do not act immediately.
At Mimecast our first priority is to help protect our customers against the latest threats. Our services help protect email, which has traditionally been the primary attack route for ransomware.
Early samples have revealed that the ransomware is spread over local networks and the internet by abusing Server Message Block (SMB) protocol weaknesses. Although no Wcry ‘smoking gun’ infection emails have yet been found, it is highly likely that future variants will use email.
This short guide is designed to help all organizations complete a review of network security, backup and business continuity systems and processes.
We are also providing additional insights into how to make easy and quick configuration changes to ensure your Targeted Threat Protection solution is optimized. As many of you already know, a comprehensive “defense in depth” strategy is the best approach to mitigation of current and future variants of Wcry and other ransomware.
Patching
Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday).
Microsoft released a security update back in March which addresses the vulnerability that Wcry is exploiting. Organizations that have not yet applied the security update should immediately deploy Microsoft Security Bulletin MS17-010.
If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch that can buy you time to upgrade.
Microsoft has provided its own detailed guidance to defend against Wcry here.
Network hardening
Good security practice dictates removing or disabling unnecessary services to reduce the potential attack surface.
WannaCry has spread quickly by abusing vulnerabilities in the Server Message Block (SMB) network protocol.
Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring SMB cannot be directly accessed from the internet.
Disable or block other legacy protocols on your network that you are not using.
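Applied to a single Windows host, the two hardening steps above (disable SMBv1, keep SMB off the internet) look like the following. This is an added example and not part of the Mimecast post or any Microsoft guidance: it assumes an elevated PowerShell session, uses the built-in SmbShare and NetSecurity cmdlets where the OS provides them, falls back to the LanmanServer registry value on older hosts, and the function names (Get-SmbHardeningState, Disable-Smb1Protocol, Block-InboundSmbFromInternet) are the example's own.

```powershell
# Added example (not from the Mimecast post): audit and harden SMB on one Windows host.
# Assumptions: elevated PowerShell; Windows 8/Server 2012 or later for the
# Get-/Set-SmbServerConfiguration path; older hosts use the LanmanServer\Parameters SMB1 value.
# Function names below are this example's own, not a Mimecast or Microsoft API.

function Get-SmbHardeningState {
    # Report whether the SMBv1 server side is enabled, using whichever interface the OS offers.
    $state = [ordered]@{ Smb1ServerEnabled = $null; Smb1OptionalFeature = $null; InternetSmbBlocked = $false }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older hosts: the SMB1 DWORD under LanmanServer\Parameters; an absent value means enabled.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $state.Smb1ServerEnabled = ($null -eq $val) -or ($val -ne 0)
    }

    # Where SMBv1 is packaged as an optional feature, report its install state as well.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat) { $state.Smb1OptionalFeature = $feat.State.ToString() }
    }

    # Has this script's host firewall rule already been created?
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rule = Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139/445) from Internet' -ErrorAction SilentlyContinue
        $state.InternetSmbBlocked = [bool]$rule
    }
    [pscustomobject]$state
}

function Disable-Smb1Protocol {
    # Turn off the SMBv1 server. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server configuration', 'Disable SMBv1')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWORD -Value 0 -Force
        }
    }
}

function Block-InboundSmbFromInternet {
    # Host-level backstop for the perimeter rule: drop inbound SMB (TCP 445, and NetBIOS session
    # on TCP 139) from non-local addresses. The 'Internet' keyword is the Windows Firewall
    # built-in address set; LocalSubnet traffic is unaffected.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Block inbound SMB (TCP 139/445) from Internet')
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($RuleName, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Usage: audit first, preview the changes, then drop -WhatIf to apply them.
Get-SmbHardeningState
Disable-Smb1Protocol -WhatIf
Block-InboundSmbFromInternet -WhatIf
```

Disabling the SMBv1 server side is what stops this host being exploited over SMB; clients that still need SMBv1 to talk to legacy devices are a separate decision, which is why the post says "unless you have a very good reason not to". The firewall rule is a per-host backstop only; SMB should still be blocked at the internet edge.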
Email security: Mimecast’s Ransomware Defense
For customers of Mimecast Targeted Threat Protection, we advise a number of activities:
URL Protect - configure a policy in line with our best practice guide in Mimecaster Central. Ensure a policy is applied to all users. Rewriting all URLs to scan for unsafe content at time-of-click is the best approach to preventing inbound URL-based phishing.
Attachment Protect – configure the “Safe Files” option for all users to ensure inbound Microsoft Office files are converted to a safe and benign format. For users who require editable documents, ensure Attachment Protect’s sandboxing is configured. Refer to the best practice guide in Mimecaster Central for details.
Internal Email Protect – this service provides protection for URLs and attachments in both outbound email and email sent internally. Ensure policies are applied to all users and ensure remediation capabilities are enabled. Refer to our best practice guide for configuration recommendations.
For Mimecast customers using Mimecast’s secure email gateway, we advise using the most up-to-date attachment management definition, as there are reports of executable files masquerading as Excel files, with an administrator hold on dangerous file types. This, in conjunction with the Suspected Malware policy and its ability to hold Office files containing macros, provides another layer of detection, but does not provide the analysis performed by Attachment Protect.
Mimecast’s ARMed SMTP (Advanced Reputation Management) combines malware, reputation and anti-spam checks to reject unwanted email.
Since a very high percentage of ransomware is spread by email attachments, we urge organizations to consider using sandboxing and/or safe file conversion services.
DNS authentication capabilities such as DKIM and SPF can help stop attackers from spoofing or hijacking the email domains of trusted senders, effectively taking away one method attackers use to fool their intended victims. DMARC, which builds on the combination of these two services, adds an extra layer of defense.
To learn more about Mimecast’s DMARC implementation and DNS Authentication policies please check out this document in the Mimecaster Central community.
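A quick way to check what the SPF and DMARC paragraph above asks for is to read the published TXT records and flag the settings that leave spoofing unchecked: an SPF record that ends in "+all" or has no "all" term, and a DMARC record whose policy is "p=none" or applies only to a percentage of mail. The script below is an added example, not Mimecast's code or tooling; the two sample records are constructed, the domain and address are documentation values, and the function names are the example's own.

```powershell
# Added example (not from the Mimecast post): parse SPF and DMARC TXT records and flag weak settings.
# The sample records are constructed for this example. For a live check, feed in
# (Resolve-DnsName -Name 'example.com' -Type TXT).Strings and
# (Resolve-DnsName -Name '_dmarc.example.com' -Type TXT).Strings instead.

function Test-SpfRecord {
    # Returns the qualifier on the final "all" mechanism and whether it actually restricts senders.
    param([Parameter(Mandatory)][string]$Record)
    if ($Record -notmatch '^v=spf1(\s|$)') {
        return [pscustomobject]@{ Valid = $false; AllQualifier = $null; Strong = $false; Reason = 'not an SPF record' }
    }
    $terms = $Record.Trim() -split '\s+'
    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    # A bare "all" means "+all"; otherwise the first character is the qualifier.
    $qualifier = if ($all) { if ($all -eq 'all') { '+' } else { $all.Substring(0, 1) } } else { $null }
    # "-all" (hard fail) and "~all" (soft fail) let receivers reject or flag spoofed senders;
    # "+all", "?all" or a missing term authorise anyone to send as the domain.
    $strong = @('-', '~') -contains $qualifier
    $reason = if ($strong) { 'ok' } elseif ($qualifier) { "permissive '${qualifier}all' mechanism" } else { 'no all mechanism' }
    [pscustomobject]@{ Valid = $true; AllQualifier = $qualifier; Strong = $strong; Reason = $reason }
}

function Test-DmarcRecord {
    # Parses the tag=value list and reports whether the policy actually enforces anything.
    param([Parameter(Mandatory)][string]$Record)
    if ($Record -notmatch '^v=DMARC1\s*;') {
        return [pscustomobject]@{ Valid = $false; Policy = $null; Percent = $null; Enforcing = $false; Reasons = @('not a DMARC record') }
    }
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        if ($part -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1].ToLower()] = $Matches[2] }
    }
    $policy  = $tags['p']
    $percent = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100
    $reasons = @()
    if (-not $policy) { $reasons += 'missing mandatory p= tag' }
    elseif ($policy -eq 'none') { $reasons += 'p=none only monitors; spoofed mail is still delivered' }
    if ($percent -lt 100) { $reasons += "pct=$percent leaves some mail outside the policy" }
    if (-not $tags.ContainsKey('rua')) { $reasons += 'no rua= address, so no aggregate reports will arrive' }
    $enforcing = (@('quarantine', 'reject') -contains $policy) -and ($percent -eq 100)
    [pscustomobject]@{ Valid = $true; Policy = $policy; Percent = $percent; Enforcing = $enforcing; Reasons = $reasons }
}

# Constructed sample records (example.com and 192.0.2.0/24 are reserved documentation values).
$SampleSpf   = 'v=spf1 include:spf.example.net ip4:192.0.2.10 -all'
$SampleDmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'

Test-SpfRecord   -Record $SampleSpf     # Strong = True, AllQualifier = '-'
Test-DmarcRecord -Record $SampleDmarc   # Enforcing = False: p=none only monitors
```

The sample DMARC record is deliberately a monitoring-only one: "p=none" is the usual first step when rolling DMARC out, but it does not stop a spoofed message from being delivered, so the output makes that gap visible rather than reporting the record as simply "present".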
Data backups and business continuity
Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and, as this attack highlights, there are many ways for an infection to enter an organization.
It’s vital you regularly back up critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your backup window is long enough to go back to before any infection began.
Backup & recovery measures only work after an attack, and cost organizations in downtime and IT resources dealing with the attack and aftermath.
Organizations must be able to continue to operate during the infection period and recover quickly once the infection has been removed.
Should firms ever pay a ransom?
We advise organizations never to succumb to the pressure to pay the ransom to regain access to their applications and data. There is no guarantee that paying will unlock files, and it further motivates and finances attackers to expand their ransomware campaigns.