The WannaCry ransomware has effectively taken the world hostage. The malware has hit at least 150 countries and claimed 200,000 victims, according to the European Union's law enforcement agency Europol. Hospitals, universities, manufacturers and government agencies in the U.K., China, Russia, Germany and Spain have all been affected.
Here are a few basic measures that can be put in place to safeguard your IT assets against such attacks.
Corporate Level Security Changes
- Block SMB and RDP (Remote Desktop Protocol) access to all computers from the internet. Ports 445 and 139 (SMB) and 3389 (RDP) should be blocked.
- Block SMB (SMB1, SMB2, SMB3) within the company for the time being, through group policy or another endpoint security solution.
- Stop granting any privilege escalation requests to users who want to run an unknown program as an administrator.
- Ensure all Windows operating systems and Microsoft software are patched, especially with the MS17-010 update. Any unsupported or outdated operating system should be either upgraded or reconfigured to stop SMB and RDP.
- Issue a notice to all employees not to open unknown emails and attachments; if in doubt, they should read such emails on their mobile devices without opening the attachments.
- Disable Office macros through a group policy.
What should be done if you are not a victim of this ransomware?
- Make sure all backup solutions are safeguarded. Encourage users to back up their data immediately to a removable, encrypted hard drive and keep it in a safe place, not connected to the computer. No IT administrator or employee should have backup drives mapped to their computer with write access. Only the backup software should have a unique user account with write access to the backup media; users should have read access only.
- Make sure each endpoint and server has the latest version of a reputable endpoint security solution with the latest definition updates.
- Enable scanning of all attachments at your endpoints and email gateways.
- Disable UPnP on all your gateways, firewalls, routers and proxy servers.
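The first two corporate-level measures above (blocking inbound SMB and RDP, and turning off SMB1) can be audited and applied on a single Windows host with the following PowerShell, which is an added example and not part of the original advisory. It assumes a Windows 8 / Server 2012 or later host with the SmbShare and NetSecurity modules; the `Get-Smb1Status`, `Disable-Smb1Server` and `Add-InboundBlockRules` function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): audit and apply two of the
# corporate-level measures on one host. Assumes the SmbShare and NetSecurity
# modules (Windows 8 / Server 2012 or later).

function Get-Smb1Status {
    # Returns $true when the SMBv1 server protocol is still enabled.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server and also sets the documented LanmanServer
    # registry value, which is the switch older hosts (e.g. Windows 7) rely on.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name 'SMB1' -Type DWord -Value 0
}

function Add-InboundBlockRules {
    param(
        # 'Public' covers internet-facing connections (the first measure);
        # pass 'Domain, Private' as well to block SMB inside the company too.
        [string]$FwProfile = 'Public'
    )
    $rules = @(
        @{ Name = 'Block inbound SMB (TCP 139,445)'; Ports = @(139, 445) },
        @{ Name = 'Block inbound RDP (TCP 3389)';   Ports = @(3389) }
    )
    foreach ($r in $rules) {
        # Skip rules that already exist so the script is safe to re-run.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Ports -Action Block -Profile $FwProfile | Out-Null
        }
    }
}

# Report the state before and after applying the changes.
Write-Host "SMBv1 server enabled before: $(Get-Smb1Status)"
Disable-Smb1Server
Add-InboundBlockRules -FwProfile 'Public'
Write-Host "SMBv1 server enabled after:  $(Get-Smb1Status)"
Get-NetFirewallRule -DisplayName 'Block inbound *' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

Extending the block rules to the Domain profile also stops Group Policy (SYSVOL) retrieval and ordinary file shares, so treat that as the temporary measure the list describes and roll it back once MS17-010 is deployed.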
Employee Education & Instructions
- Disconnect from the internet and take a backup of all your data on a removable hard drive. Disconnect the hard drive and keep it at a secure location after the backup is completed.
- Do not open attachments from unknown sources and do not download or open unauthorized software.
- Do not check your personal email on company computers, as most free email services do not provide advanced security scanning of attachments.
- If you suspect any unusual hard drive activity on your computer, immediately shut it down and notify your IT administrator.
- Do not enable macros in Office documents, and watch out for warnings and alerts such as the ones Office shows when a document asks to enable macros.
IT Administrators – Security Changes
- Disconnect all network shares from idle computers and servers.
- Recheck network shares with write permissions.
- Change the passwords of all common domain administrator accounts, safeguard them, and refrain from logging in with these accounts. Use them only to authorize specific actions as per standard operating procedures.
- Make sure backup solutions grant write access only to accounts that are hard-configured in the backup solution.
- User accounts should only have read access.
- Enable Volume Shadow Copy where possible through group policy and enforce it.
- Update the endpoint security solution and enable anti-malware or anti-ransomware modules.
- Prevent privilege escalation of unknown programs and processes.
- Create a manual signature in your endpoint security solution and monitor for the file hashes and extensions specified in this advisory. If any such finding appears on a user computer, disconnect it from the network and shut it down.
- Call for the incident response team to deal with the situation and plan for a procedural approach before applying an unverified solution from the internet.
These are simple, basic measures to bolster your defences against WannaCry and other such ransomware. Some of the network settings and tips mentioned in this article may not be applicable to your IT infrastructure, or may have to be carried out differently based on your network and security policies. Kindly ensure that they are executed by qualified network and security administrators of your enterprise in accordance with the network and security policies of your company.