Without doubt one of the biggest news stories of the past week is the WannaCry ransomware attack, which has infected hundreds of thousands of Windows-based computers in 150 countries. The unprecedented attack has already claimed high-profile victims including the UK's National Health Service, French car manufacturer Renault, and delivery company FedEx in the US, among many others, disrupting critical business processes in each organization to varying degrees.
While this is not the first time that ransomware has successfully infiltrated organizations, it is certainly the most widespread variant seen to date. As a result, it has prompted many organizations to urgently look at what they can do to contain and limit their exposure to this threat.
Track, connect, contain and neutralize
First and foremost, the SMBv1 vulnerability that WannaCry's worm component exploits was patched by Microsoft in March 2017 (security bulletin MS17-010), about a month before the Shadow Brokers published the NSA exploit code; it was the Shadow Brokers, not WikiLeaks, who leaked it, and the patch predates the leak. After the outbreak Microsoft also issued an out-of-band update for otherwise unsupported systems such as Windows XP and Windows Server 2003. By now your vulnerability scanners should have a check for MS17-010, so scan every Windows host, workstations as well as servers, identify which are still unpatched or still have SMBv1 enabled, and formulate a plan to install the update on them.
Additionally, through an integration with the leading vulnerability scanners AlgoSec ties the data from the scanners to business processes that potentially could be impacted by a WannaCry attack. This linking is especially valuable if the processes affected are critical to key business functions – or handle regulated data such as personally-identifiable information. With this critical intelligence, you can prioritize the patching the most business-critical vulnerable servers – ideally at a time when business operations won’t be disrupted – before a ransom attack strikes.
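To make that prioritization concrete, here is an added example (not AlgoSec product code and not from the original post) that joins scanner findings to the business processes each host supports and ranks the vulnerable hosts for patching, together with the maintenance window the process owner accepts. All hosts, processes, finding titles and scoring weights are constructed assumptions; the only real identifier is the MS17-010 bulletin name.

```python
"""Added example (not AlgoSec's product code and not from the original post):
join vulnerability-scanner findings to the business processes each Windows
host supports, then rank the vulnerable hosts for patching.  All hosts,
processes, findings and scoring weights are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    criticality: int      # 1 (low) .. 5 (critical), set by the process owner
    regulated_data: bool  # handles PII / PHI / cardholder data
    patch_window: str     # when the owner accepts a reboot of supporting hosts


@dataclass(frozen=True)
class Host:
    name: str
    smb1_enabled: bool    # SMBv1 is the protocol the WannaCry worm spreads over
    tcp445_exposed: bool  # TCP/445 reachable from a less trusted network zone
    processes: tuple = ()


# Constructed business-process catalogue
PAYROLL = BusinessProcess("Payroll", 5, True, "Sat 02:00-06:00")
WEBSITE = BusinessProcess("Public website", 3, False, "Daily 03:00-04:00")
FINANCE = BusinessProcess("Finance reporting", 4, True, "Sun 00:00-06:00")

# Constructed asset inventory: which hosts support which processes
HOSTS = [
    Host("hr-db01", smb1_enabled=True, tcp445_exposed=False, processes=(PAYROLL,)),
    Host("web-edge02", smb1_enabled=True, tcp445_exposed=True, processes=(WEBSITE,)),
    Host("fs01", smb1_enabled=True, tcp445_exposed=False, processes=(FINANCE,)),
    Host("lab-test07", smb1_enabled=True, tcp445_exposed=False),
    Host("dc01", smb1_enabled=False, tcp445_exposed=False, processes=(PAYROLL, FINANCE)),
]

# Constructed scanner export: host -> finding titles (illustrative names)
FINDINGS = {
    "hr-db01": ["MS17-010: SMBv1 security update missing"],
    "web-edge02": ["MS17-010: SMBv1 security update missing", "TLS: weak cipher suites"],
    "fs01": ["MS17-010: SMBv1 security update missing"],
    "lab-test07": ["MS17-010: SMBv1 security update missing"],
    "dc01": [],  # already patched
}

# Assumed weights; tune them to your own risk appetite
WEIGHT_CRITICALITY = 10   # per point of the highest-criticality mapped process
WEIGHT_REGULATED = 15     # any mapped process handles regulated data
WEIGHT_EXPOSED = 30       # TCP/445 reachable from a less trusted zone
WEIGHT_SMB1 = 10          # SMBv1 still enabled on the host


def top_process(host):
    """Highest-criticality process mapped to the host, or None."""
    return max(host.processes, key=lambda p: p.criticality, default=None)


def score(host, findings):
    """Return (score, reasons); score is 0 when the host has no MS17-010 finding."""
    if not any(f.startswith("MS17-010") for f in findings):
        return 0, []
    reasons, total = [], 0
    top = top_process(host)
    crit = top.criticality if top else 1
    total += WEIGHT_CRITICALITY * crit
    reasons.append(f"criticality={crit} ({top.name if top else 'no mapped process'})")
    if any(p.regulated_data for p in host.processes):
        total += WEIGHT_REGULATED
        reasons.append("regulated data")
    if host.tcp445_exposed:
        total += WEIGHT_EXPOSED
        reasons.append("TCP/445 exposed")
    if host.smb1_enabled:
        total += WEIGHT_SMB1
        reasons.append("SMBv1 enabled")
    return total, reasons


def patch_plan(hosts, findings):
    """Vulnerable hosts ordered by descending score, with the owner's patch window."""
    plan = []
    for h in hosts:
        total, why = score(h, findings.get(h.name, []))
        if total == 0:
            continue
        top = top_process(h)
        plan.append({"host": h.name, "score": total, "reasons": why,
                     "window": top.patch_window if top else "anytime"})
    plan.sort(key=lambda e: (-e["score"], e["host"]))
    return plan


if __name__ == "__main__":
    for e in patch_plan(HOSTS, FINDINGS):
        print(f'{e["score"]:3d} {e["host"]:<12} {e["window"]:<18} {", ".join(e["reasons"])}')
```

Note that dc01 drops out of the plan even though it supports the two most critical processes: it has no MS17-010 finding, so spending a maintenance window on it would be wasted. The lab host stays on the list but at the bottom; it is still a foothold the worm can use, so "low priority" must not become "never".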
Next, you need to ensure that you'll be able to detect a ransomware attack early on. Employees will certainly report it when their computers lock up, but the monitoring you already have (file-server audit logs, endpoint agents, file-integrity tools) can log the anomalous behavior, such as a burst of file writes or renames from a single account, well before that, and those alerts should be forwarded to your SIEM. The Security Operations Center (SOC) staff watching the SIEM need to be aware of this pattern and take swift action if a ransomware attack is detected. Through an integration with SIEM systems, AlgoSec ties the impacted servers to the business processes that rely on them, and also allows SOC operators to quickly isolate or shut down impacted servers to stop the malware from spreading.
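The "intensive file activity" signal is worth showing in working form. The following is an added example, not code from the original post or from AlgoSec: a small detector that reads file-server audit events, keeps a sliding window per (host, user), and raises a SIEM-ready alert when one actor renames many files to a new extension within a short time, which is what an encryptor looks like on a share. It also shows the edge case a naive rate threshold gets wrong: a backup job that moves the same number of files in the same time, but keeps their extensions, does not fire. The audit-log layout, hosts, users, paths and thresholds are constructed assumptions.

```python
"""Added example, not code from the original post or from AlgoSec: sliding-window
detection of ransomware-like file activity in file-server audit logs, emitting
JSON alerts for a SIEM.  Log format, hosts, users, paths and thresholds are
constructed assumptions."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log layout: one event per line, key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

WINDOW = timedelta(seconds=60)   # sliding window per actor (assumed)
BURST_THRESHOLD = 50             # write/rename events in the window (tune per share)
EXT_CHANGE_RATIO = 0.8           # fraction of those events that changed the extension


def parse(line):
    """Return a dict for a well-formed event, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def ext_of(path):
    """Lower-cased extension of the last path component, '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Run the sliding-window rule over an iterable of log lines; return alerts."""
    windows = defaultdict(deque)   # (host, user) -> deque of (ts, extension_changed)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ("WRITE", "RENAME"):
            continue
        key = (ev["host"], ev["user"])
        changed = ev["op"] == "RENAME" and ext_of(ev["path"]) != ext_of(ev["new"])
        q = windows[key]
        q.append((ev["ts"], changed))
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()
        if key in alerted:
            continue                                # one alert per actor per run
        n_changed = sum(1 for _, c in q if c)
        if len(q) >= BURST_THRESHOLD and n_changed / len(q) >= EXT_CHANGE_RATIO:
            alerted.add(key)
            alerts.append({
                "rule": "ransomware_file_burst",
                "host": ev["host"], "user": ev["user"],
                "events": len(q), "ext_changes": n_changed,
                "first": q[0][0].isoformat(), "last": ev["ts"].isoformat(),
            })
    return alerts


def to_siem(alert):
    """Serialize an alert as one JSON line for forwarding to the SIEM."""
    return json.dumps(alert, sort_keys=True)


def sample_log():
    """Constructed events: one encryptor-like burst, one benign bulk move,
    a few ordinary writes and one malformed line."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = ["this line is not an audit event"]
    # jdoe: 60 renames in 30 s, every one appends a new extension
    for i in range(60):
        lines.append(f"{stamp(i // 2)} host=fs01 user=jdoe op=RENAME "
                     f"path=\\\\fs01\\finance\\doc{i}.xlsx new=\\\\fs01\\finance\\doc{i}.xlsx.WNCRY")
    # svc-backup: 60 renames in 30 s, but only the folder changes (extension kept)
    for i in range(60):
        lines.append(f"{stamp(i // 2)} host=fs01 user=svc-backup op=RENAME "
                     f"path=\\\\fs01\\hr\\in\\f{i}.docx new=\\\\fs01\\hr\\archive\\f{i}.docx")
    # asmith: a handful of ordinary saves
    for i in range(5):
        lines.append(f"{stamp(10 * i)} host=fs01 user=asmith op=WRITE "
                     f"path=\\\\fs01\\sales\\pipeline.xlsx")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(to_siem(alert))
```

Run as written it prints exactly one alert, for jdoe on fs01, at the 50th rename. The thresholds are deliberately conservative; on a real share you would baseline each actor's normal rate before lowering them, and you would feed the alert into the same SIEM rule that drives host isolation.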
Back to basics
While there’s not much else you can do after you’ve been attacked, there are numerous security best practices that can prevent, or at least greatly reduce, the impact of the next ransomware attack:
The punches keep coming
Lastly, another detrimental side effect of a ransomware attack, which I believe has not yet been fully realized, is its impact on regulatory compliance – something the UK’s NHS needs to be thinking about as it recovers from WannaCry. As I previously noted:
“Ransomware that encrypts personal data could present a serious regulatory compliance problem for organizations. According to guidance from the U.S. Department of Health and Human Services, if patient records are encrypted by ransomware, it is now considered a reportable violation under HIPAA, even if the scrambled data never actually leaves the network. If similar measures start to apply to other regulated sectors too – such as banking, financial services and retail – it would make a successful ransomware attack far costlier in both remediation and compliance violations.”
Ransomware attacks have been around for over a decade, but the sheer scale of WannaCry has made it headline news all over the world. It is finally forcing both security and business people to recognize and take seriously the potential reach of this type of attack, as well as the enormous damage it can do in terms of cost, business disruption and reputation. And while it's a small comfort, I think it's a blessing in disguise. So, dry your eyes, and get to work!