Defending against self-propagating ransomware
The initial attack stopped spreading when a network security worker registered the internet domain for a URL that the malicious software was requesting to test whether it was running in a controlled research environment.
The attackers are expected to make further efforts to exploit unprotected systems before repair work can be completed, before computers can be updated, or before network defences can be prepared.
This ransomware is based on operating system software exploits discovered by the NSA. Users of old & unsupported, or unpatched installations of Microsoft Windows; may be particularly vulnerable.
Prioritised defensive measures — ten steps (example: WannaCrypt 2017)
- Block outside access to Ports 138, 139, 445 — also, temporarily monitor/restrict internal access to these ports, especially to/from potentially vulnerable machines. Disable version 1 of the Server Message Block protocol.
- Identify potentially vulnerable infrastructure. Computers running the latest version of Windows with up-to-date security patches should not be affected. Unpatched or unsupported operating systems need special attention.
- Disconnect affected machines from the network.
- If files are encrypted and ransomware is already demanding payment, attempt to bypass payment and decrypt your files, before powering down the machine.
- On potentially infected machines exhibiting signs of ususual disc activity, where the malicious software might not have completed encrypting files; power the machine down immediately: then, connect internal storage media (e.g. hard disc drives) to an unaffected host computer or operating-system installation, and back up all essential files.
- Consider configuring perimeter firewalls/ DNS servers to spoof a response (e.g. soft 404) to outbound HTTP requests to unregistered internet domains (to fool malware into thinking it is running in an analytical sandbox).
- Consider isolating potentially affected, or outdated, machines by locating them on a VLAN (Virtual LAN). Separate network address-spaces, or air-gap physical networks, where required.
- For applications where more-frequent small-scale security breaches are much less disruptive than less-frequent large-scale service interruptions, consider diversifying use of operating systems software: mixed use of Windows and Linux/ MacOS; might give attackers more potential points of entry (by increasing the attack surface), whilst decreasing the severity of most service interruptions. For security and financial efficiency (software volume licensing) reasons, operating systems might be differentiated across application boundaries.
- Update potentially vulnerable operating systems with the latest security patches. Start with computers NOT exhibiting symptoms of infection. (On this occasion, Microsoft has released patches for some old operating systems.)
- Replace unsupported operating systems. Activate automatic updates, review update deployment policies. Procure or develop application software that is built to standards that work across operating-systems (including future versions).
- Establish a schedule for making regular cold backups of all recently created or recently modified files. Keep several backups, rotate backup storage media, and keep cold backups offline. Backup machines might use a different OS.
- Monitor file backup status, installed operating system versions, unusual storage access patterns, and network traffic including domains, URLs and network ports (particularly at boundaries). Monitor trends & distributions of activity.
- Regularly review open internet-facing network ports, and close all network ports that are not required. Establish multiple security perimeters, and design for defence-in-depth. Create honeypots and alarms.
To protect against malicious software propagated via email attachments or Web links, consider maintaining a database of outbound email destinations, and stripping attachments and links from inbound emails not originating from an address in this database. Continually educate, remind, and train system users to be wary of security threats including "social engineering" attacks.