By Alexander Speaks
DevOps Engineer, RADAR, Inc.
(Photo Credit: Shawn Linehan)
Ransomware is a frightening and growing global threat. Last month, the largest known string of ransomware attacks hit globally, impacting dozens of countries around the world and disrupting systems critical to hospitals, telecommunications, and corporations. More than ever, now is a good time to evaluate and shore up current network security measures.
The ransomware variant known as WannaCry exploits a flaw in Microsoft's SMBv1 file-sharing implementation that was described in leaked NSA files published by a group calling itself the Shadow Brokers. Ransomware of this kind typically enters a network through a phishing attack, tricking an email recipient into running malicious software. What made WannaCry so damaging is what happens next: once one machine is infected it scans for other machines exposing the unpatched SMBv1 flaw and infects them with no user action at all, which is how it moved through entire hospital and corporate networks in hours. On each victim the malware encrypts the user's documents and demands a ransom in exchange for the key needed to restore them. As a result of these attacks, UK hospitals reported closing entire wards and turning away patients, FedEx reported interference in a statement to NBC News, and telecommunications giant Telefonica was confirmed to be a victim of the attack.
Avoiding the WannaCry Attack or Other Similar Spear Phishing Attacks
First, make sure your software products are up to date with the most recent patches at all times. The patch for the flaw WannaCry exploits is Microsoft security bulletin MS17-010, released two months before the outbreak; Microsoft also issued emergency patches for versions it no longer supports, such as Windows XP and Server 2003. Verify that every Windows host actually has it installed, disable SMBv1 wherever nothing still depends on it, and block inbound TCP port 445 at the network edge so the worm cannot reach you from the Internet. An aggressive patching schedule can be mildly disruptive if a patch adversely impacts organizational productivity, but such interruptions are minor compared to an attack by a malicious entity.
Here are measures a system administrator should take to protect against attacks such as these, and as general best practices for strong security posture:
- Implement an aggressive patching schedule for all software.
- Regularly take full snapshots of your data, store them offline where a compromised machine cannot reach them, and test restoring from them. If your data is ransomed you will at least be able to go back to a pre-infection copy instead of starting from scratch, and a backup you have never restored is only a hope.
- Practice the principle of least privilege with user account access. Ransomware running under a user's account can only encrypt files that account can write to, so restrict write access to shares people actually need and do not run day-to-day work from administrator accounts.
- Be very aggressive with your email filtering. Reject mail from servers on reputable DNS blocklists, reject or quarantine senders that fail SPF, DKIM or DMARC checks, and strip or quarantine executable attachments, including ones hidden inside archives.
- Regularly educate and test users, for example with simulated phishing campaigns, to make sure they stay on guard.
Detecting Phishing Attacks
Detecting phishing attacks is a matter of educating your employees and continued training to reinforce good habits. Teach them to recognize the signs of a fraudulent email: a display name that does not match the sending address, a Reply-To that points somewhere else, unexpected attachments, and urgent demands to act now. This article from the U.S. Securities and Exchange Commission has a list of what to look for and protective measures you can take when something looks "phishy." Additionally, it is critical to ensure protections are applied universally by everyone at your organization. One weak link, such as an employee who missed the phishing training or a machine that missed a critical software update, is a gap in your armor.
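The email checks listed above (blocklisted sending server, failed SPF/DKIM/DMARC, mismatched display name and Reply-To, urgency language, executable attachments) can also be run automatically at the mail gateway before a message ever reaches a user. The script below is an added example, not code from RADAR or from the original post: it parses a raw message, collects the indicators it finds, and turns the count into a deliver/flag/quarantine verdict. The blocklist, the protected domain names, the thresholds and both sample messages are constructed for the example; a real deployment would feed the blocklist from a DNS blocklist and take the authentication verdicts from its own Authentication-Results header.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed policy data for this example (assumptions, not a real deployment's lists).
BLOCKLISTED_SERVERS = {"mail.badhost.example"}          # would be fed from a DNS blocklist
OUR_DOMAINS = {"radar.example"}                         # names attackers like to impersonate
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".zip"}
URGENCY = re.compile(r"\b(urgent|immediately|verify your account|password expires)\b", re.I)

# Constructed sample messages: one phishing lure, one ordinary message from a partner.
PHISHY_MESSAGE = """\
Received: from mail.badhost.example (mail.badhost.example [192.0.2.10]) by mx.radar.example with ESMTP; Mon, 15 May 2017 09:00:00 +0000
Authentication-Results: mx.radar.example; spf=fail smtp.mailfrom=badhost.example; dkim=none; dmarc=fail header.from=radar.example
From: "IT Helpdesk - radar.example" <helpdesk@radar-support.example>
Reply-To: attacker@badhost.example
To: alice@radar.example
Subject: URGENT: verify your account before your password expires
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice immediately.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

CLEAN_MESSAGE = """\
Received: from mail.partner.example (mail.partner.example [198.51.100.5]) by mx.radar.example with ESMTP; Mon, 15 May 2017 10:00:00 +0000
Authentication-Results: mx.radar.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Bob <bob@partner.example>
To: alice@radar.example
Subject: Meeting notes from Tuesday
Content-Type: text/plain

Hi Alice, here are the notes from Tuesday's meeting.
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the gateway's Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def last_hop_server(msg):
    """Hostname in the topmost Received header: the server that handed us the mail."""
    received = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", str(received[0])) if received else None
    return m.group(1).lower() if m else None

def domain_of(addr):
    """'Name <user@host>' or 'user@host' -> 'host'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for mech, result in auth_results(msg).items():
        if result == "fail":
            findings.append(f"{mech} failed")
    server = last_hop_server(msg)
    if server in BLOCKLISTED_SERVERS:
        findings.append(f"received from blocklisted server {server}")
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    if from_domain not in OUR_DOMAINS and any(d in name.lower() for d in OUR_DOMAINS):
        findings.append(f"display name impersonates us but address is at {from_domain}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(str(reply_to)) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency language in subject or body")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename.lower())[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {filename}")
    return findings

def verdict(findings):
    """Constructed thresholds: quarantine on 3+ indicators, flag on 1 or 2, deliver on none."""
    if len(findings) >= 3:
        return "quarantine"
    return "flag" if findings else "deliver"

if __name__ == "__main__":
    for label, raw in (("phishy", PHISHY_MESSAGE), ("clean", CLEAN_MESSAGE)):
        found = phishing_indicators(raw)
        print(label, verdict(found), found)
```

The sample lure trips every check (failed SPF and DMARC, a blocklisted last hop, a display name claiming the company's own domain, a foreign Reply-To, urgent wording and a double-extension executable) and is quarantined; the partner message trips none and is delivered. Note that the script trusts the Authentication-Results header it sees, so a gateway using it must strip any such header arriving from outside before adding its own.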
Compliance in the Event of a Ransomware Attack
Should you find yourself a victim of a ransomware attack, note that the HHS Office for Civil Rights (OCR) updated its guidance on ransomware last year to directly address whether a ransomware incident is a reportable breach. Is notification required? The guidance makes it clear that notification may be required even when the attacker has only encrypted, rather than visibly stolen, the protected health information (PHI): OCR treats ransomware encryption of PHI as a presumed breach unless you can demonstrate a low probability that the data was compromised. More information on that guidance and on compliance can be found here.