By Kandarp Shah, Advisor @ Allianz Cloud Pvt Ltd., [email protected]
A lot has been written and said about the recent ransomware attack that has affected around 74 thousand computers across 74 countries. Amid all this technical knowledge, an SME (small or medium enterprise) often fails to figure out how to be secure against such attacks. Remember, SMEs do not have the much talked about high-end security solutions or the skilled human resources to manage security within the organization. They tend to focus more on the business side, less on technology, and even less on security.
A targeted ransomware attack goes after a specific victim, and the adversary has a strong (mostly financial) motive behind it. With the popularity of Bitcoin, such ransomware attacks have become more attractive to attackers.
About WannaCry Ransomware
The WanaCrypt0r 2.0 malware encrypts data on a computer within seconds and displays a message asking the user to pay a ransom of $300 in Bitcoin to restore access to the device and the data inside. Alarmingly, the attack also hit the National Health Service of the United Kingdom, stalling surgeries and other critical patient care across the British Isles and making confidential patient information and documents inaccessible.
The attack is NOT identified as a targeted attack. It appears to take advantage of a recently disclosed Microsoft vulnerability (MS17-010, "EternalBlue") in the Windows SMB service. This malware does not require manual action to spread: it propagates on its own, reaching out to other machines on the network and exploiting the SMB service vulnerability wherever it is present.
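The self-spreading behaviour described above leaves a recognisable trace in network logs: one machine opening SMB (TCP port 445) connections to many different hosts in a short time. The following PowerShell script is an added example for this article, not code from the original post or from any vendor; it reads lines in the Windows Firewall log (pfirewall.log) field order and reports sources whose distinct-target count within a sliding window crosses a threshold. The log lines, the window length and the threshold are constructed assumptions for illustration; tune them to your network.

```powershell
# Added example, not part of the original article. It flags hosts that behave
# like a self-spreading SMB worm: one source opening TCP/445 connections to
# many distinct hosts within a short window. Log lines follow the Windows
# Firewall log (pfirewall.log) field order; the sample below is constructed.

function Find-SmbScanners {
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,   # sliding window length (assumed value)
        [int]$Threshold = 20        # distinct targets that count as scanning (assumed value)
    )
    # Keep only outbound TCP connections to port 445.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[16] -ne 'SEND') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object -Property Src)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        $i = 0
        for ($j = 0; $j -lt $sorted.Count; $j++) {
            # Advance the window start until it lies within $WindowSeconds of event $j.
            while (($sorted[$j].Time - $sorted[$i].Time).TotalSeconds -gt $WindowSeconds) { $i++ }
            $distinct = @($sorted[$i..$j] | ForEach-Object { $_.Dst } | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $group.Name
                    DistinctTargets = $distinct
                    WindowStart     = $sorted[$i].Time
                    WindowEnd       = $sorted[$j].Time
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample: 192.168.1.20 fans out to 25 hosts within 25 seconds
# (worm-like), while 192.168.1.30 only talks to a single file server (normal).
$header = '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
$sample = @($header)
foreach ($n in 1..25) {
    $sample += '2017-05-12 10:01:{0:D2} ALLOW TCP 192.168.1.20 192.168.1.{1} {2} 445 0 - 0 0 0 - - - SEND' -f $n, (100 + $n), (49000 + $n)
}
$sample += '2017-05-12 10:02:10 ALLOW TCP 192.168.1.30 192.168.1.5 50111 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 10:02:40 ALLOW TCP 192.168.1.30 192.168.1.5 50112 445 0 - 0 0 0 - - - SEND'

Find-SmbScanners -Lines $sample | Format-Table -AutoSize
```

Run against the constructed sample, the fan-out from 192.168.1.20 crosses the 20-target threshold inside one window and is reported, while the repeated connections from 192.168.1.30 to one server are not. To use it on real data, collect the firewall logs centrally and pass them in with `Get-Content`; a single alert from this check is a reason to apply the isolation step below to that host first.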
Enough technical information is available on the internet.
Are you a SME (Small Medium Enterprise)?
Unlike BIG enterprises, SMEs cannot afford or manage high-end security solutions (IPS, WAF, NGFW, etc.). Under such circumstances it becomes very critical for an SME to counter such attacks. A ransomware attack is typically delivered via an e-mail attachment, which could be an executable file, an archive or an image. Once the attachment is opened, the malware is released into the user's system. Cybercriminals can also plant the malware on websites; when a user unknowingly visits the site, the malware is released into the system.
The infection is not immediately apparent to the user. The malware operates silently in the background until the system- or data-locking mechanism is triggered. Then a dialogue box appears telling the user that the data has been locked and demanding a ransom to unlock it again. By then it is too late to save the data through any security measure.
What to do?
- First, isolate the infected machine from the network and disable the SMB service on machines across the network.
- You may download anti-malware scanning tools provided by various antivirus companies.
- Install the latest Microsoft patches, especially the one for MS17-010.
If infected, try the tools below.
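The three steps above (isolate, disable SMB, patch MS17-010) can be driven from one script on each Windows machine. What follows is an added PowerShell example written for this article, not a script from the author or from Microsoft. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist); the KB numbers are the editor's recollection of the MS17-010 updates and must be checked against the Microsoft bulletin for your exact OS version, and the "later security update" heuristic is only a hint, not proof of patching.

```powershell
# Added example, not part of the original article. Audits one Windows host for
# the two conditions the steps above address (SMBv1 exposure and the MS17-010
# patch), disables SMBv1, and can take the host off the network. Assumptions:
# elevated PowerShell on Windows 8 / Server 2012 or later. The KB list is the
# editor's recollection of the MS17-010 updates; check it against the Microsoft
# bulletin for your OS version before relying on it.
param([switch]$Isolate)   # -Isolate also disables every active network adapter

# MS17-010 update KBs per OS family (verify against the bulletin).
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Server 2003 / Vista / 8 (out-of-band)
    'KB4012212', 'KB4012215',              # 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # 10 builds 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # 'Patched' on a direct KB match. On Windows 10 later cumulative updates
    # supersede these KBs, so a security update installed after the bulletin
    # date is reported as 'LikelyPatched' rather than missing (a heuristic).
    $hotfixes = Get-HotFix
    if ($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID }) { return 'Patched' }
    $later = $hotfixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' -and $_.Description -match 'Security'
    }
    if ($later) { return 'LikelyPatched' }
    return 'NotFound'
}

function Test-Smb1Enabled {
    # Server-side SMBv1 switch; Get-SmbServerConfiguration needs Windows 8 / 2012 or later.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn the server protocol off immediately, then remove the optional
    # feature (client SKUs; on Server use Remove-WindowsFeature FS-SMB1 instead).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Invoke-HostIsolation {
    # Step 1 of the list: cut the host off the network. Run from the local
    # console, because a remote session would be disconnected too.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

$smb1   = Test-Smb1Enabled
$status = Get-Ms17010Status
"SMBv1 server enabled : $smb1"
"MS17-010 status      : $status"
if ($smb1) { Disable-Smb1; 'SMBv1 disabled (reboot to complete feature removal).' }
if ($status -eq 'NotFound') { 'Install the MS17-010 update for this OS, then re-run this check.' }
if ($Isolate) { Invoke-HostIsolation }
```

Run it without arguments on every machine to get the two answers that matter (is SMBv1 on, is the patch present); use `-Isolate` only at the console of a machine you believe is infected. Disabling SMBv1 is safe for modern clients and printers that support SMBv2 or later, so test it on one machine first if you still depend on old devices.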
Now, how do you ensure that you are always protected against such attacks? Is there a foolproof mechanism? The answer is a simple no.
A comprehensive security implementation involves high-end technology, mature processes and aware people. An SME would find it difficult to manage all three, and hence there will always be a window for attack.
Does that mean that we are always vulnerable to such attacks and nothing can be done?
Are we always at the mercy of such cyber criminals? Should we always be ready to pay the ransom?
The answer is NO.
The easiest and simplest thing to do is to implement a strict backup solution. BACKUP … BACKUP … BACKUP … Always back up your data. That is the best way to secure your critical data. Ensure your backups are kept offline and, preferably, also in the cloud.
Trust me: even if you have implemented the most advanced security solutions, you are still vulnerable to a ransomware attack, and once you are in a situation where your critical data has been encrypted with NO backups around, you have no option other than to pay the ransom.
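A backup only protects you if it is complete when taken and is out of reach of the malware afterwards. The PowerShell script below is an added example for this article (not the author's or any product's code): it copies a folder to a backup target, records a SHA-256 hash of every file in a manifest, and re-verifies the copy from that manifest so that a silently encrypted or truncated file is noticed before you rely on the backup. The source and target paths are placeholders; the target is assumed to be a removable disk or a drive mapped to cloud storage that you detach or unmap once the script finishes.

```powershell
# Added example, not part of the original article. Copy a folder to a backup
# target, write a SHA-256 manifest, and verify the copy against it. Paths are
# placeholder assumptions; change them. A backup that is still attached and
# writable when ransomware runs is just another victim, so detach the target
# (or unmap the cloud drive) as soon as the script reports success.
param(
    [string]$Source = 'C:\Data',      # placeholder
    [string]$Target = 'E:\Backups'    # placeholder: removable disk or cloud-mapped drive
)

function New-VerifiedBackup {
    param([string]$Source, [string]$Target)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $Target $stamp
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $manifest = @()
    $root = $Source.TrimEnd('\')
    foreach ($file in (Get-ChildItem -Path $Source -File -Recurse)) {
        $rel  = $file.FullName.Substring($root.Length + 1)   # path relative to $Source
        $copy = Join-Path $dest $rel
        New-Item -ItemType Directory -Path (Split-Path $copy) -Force | Out-Null
        Copy-Item -Path $file.FullName -Destination $copy
        # Hash both sides so a bad copy is caught immediately, not at restore time.
        $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { throw "Copy mismatch for $rel" }
        $manifest += [pscustomobject]@{ Path = $rel; SHA256 = $srcHash }
    }
    $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $dest
}

function Test-BackupManifest {
    # Re-hash every file listed in the manifest. Returns the relative paths that
    # are missing or changed; an empty result means the backup is intact.
    param([string]$BackupDir)
    $manifest = Import-Csv -Path (Join-Path $BackupDir 'manifest.csv')
    $bad = foreach ($entry in $manifest) {
        $file = Join-Path $BackupDir $entry.Path
        if (-not (Test-Path $file)) { $entry.Path; continue }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) { $entry.Path }
    }
    return @($bad)
}

$dest     = New-VerifiedBackup -Source $Source -Target $Target
$problems = Test-BackupManifest -BackupDir $dest
if ($problems.Count -eq 0) {
    "Backup $dest verified; detach or unmap the target now."
} else {
    "Backup $dest has problems:"
    $problems
}
```

Keep the manifest with the backup and run `Test-BackupManifest` again before any restore; if a backup set that verified cleanly at creation now reports changed files, the target was reachable by something that rewrote them, which is exactly the situation an offline copy is meant to rule out.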
One of the reasons why it is so difficult to find a single solution is that encryption in itself is not malicious. It is actually a good development, and many benign programs use it.
The first crypto-malware used a symmetric-key algorithm, with the same key for encryption and decryption. Because that single key had to be present on the victim's machine, the encrypted information could usually be deciphered successfully with the assistance of security companies. Over time, cybercriminals began to implement asymmetric cryptography algorithms that use two separate keys: a public one to encrypt files, and a private one, which is needed for decryption.
The CryptoLocker Trojan is one of the most famous pieces of ransomware. It also uses a public-key algorithm. As each computer is infected, it connects to the command-and-control server to download the public key. The private key is accessible only to the criminals who wrote the CryptoLocker software. Usually, the victim has no more than 72 hours to pay the ransom before their private key is deleted forever, and it is impossible to decrypt any files without this key.