[Cathie Brown is Impact Makers’ VP of Governance, Risk, & Compliance, and the former Deputy Chief Information Security Officer of Virginia]
As reported by multiple news outlets, a massive ransomware attack launched on June 27 affected businesses around the globe. This attack shared many similarities with the WannaCry attack in May, in that it leveraged the same exploits that became available when a group known as the Shadow Brokers released multiple NSA tools. The underlying vulnerability was patched by Microsoft in bulletin MS17-010 in March for supported operating systems. Because of the elevated risk, Microsoft also decided in May to release a security update for end-of-support operating systems such as Windows XP, Windows 8, and Windows Server 2003. This new attack spreads a variant of ransomware known as Petya.
Once a machine becomes infected, the ransomware can harvest credentials on that machine and attempt to spread over Windows networking ports using tools such as Windows Management Instrumentation (WMI), which is built directly into Windows itself. It also bundles an administration tool known as PsExec as a further method of spreading. These additional propagation mechanisms have the potential to affect a larger population, because even fully patched systems can become infected when the attacker holds valid credentials.
Businesses can protect themselves by following these best practices:
- Ensure all Windows systems are patched and are receiving up-to-date antivirus signatures.
- Back up your critical data to off-network media. Paying the ransom is not recommended and, in this case, will not get your data back, as the attackers' email address has been disabled by their internet service provider.
- Use unique passwords for all administrative accounts. Many companies use the same password for the local administrator account on every system, which allows an infection on a single machine to move laterally across the network using that shared password. Investigate implementing Microsoft LAPS to help manage these passwords.
- Grant users administrative privileges only if their job role requires it. In those cases users should have two accounts: one for normal day-to-day work and a second account with administrative privileges that is used only when expressly needed to perform a specific job function.
- Do not click on links in email or open email attachments unless you are confident of their source.
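As an added example (not code from this article, from Microsoft, or from Impact Makers), the following PowerShell audit reports which domain-joined Windows computers are not yet covered by LAPS, so the shared-local-administrator-password exposure described above can be measured rather than guessed. It assumes the RSAT ActiveDirectory module is installed, the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime is present, and a placeholder OU path that you replace with your own.

```powershell
# Added example: audit LAPS coverage of domain computers (not from the original article).
# Assumes RSAT ActiveDirectory module and the legacy LAPS schema extension
# (attribute ms-Mcs-AdmPwdExpirationTime). The search base below is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder: set to your OU

$computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' `
    -SearchBase $searchBase `
    -Properties 'OperatingSystem', 'ms-Mcs-AdmPwdExpirationTime', 'LastLogonDate'

# A populated expiration time means the LAPS client has set and is rotating the
# local administrator password on that machine.
$managed   = $computers | Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' }
$unmanaged = $computers | Where-Object { -not $_.'ms-Mcs-AdmPwdExpirationTime' }

# The attribute is a FILETIME-style 64-bit integer; a value in the past means the
# client has missed its rotation deadline (agent or policy not applying).
$now   = (Get-Date).ToFileTimeUtc()
$stale = $managed | Where-Object { [int64]$_.'ms-Mcs-AdmPwdExpirationTime' -lt $now }

"{0} computers, {1} LAPS-managed, {2} unmanaged, {3} overdue for rotation" -f `
    $computers.Count, $managed.Count, $unmanaged.Count, $stale.Count

# Unmanaged machines are the ones most likely still sharing one local admin password.
$unmanaged | Select-Object Name, OperatingSystem, LastLogonDate | Sort-Object LastLogonDate
```

Run it from an account permitted to read the expiration attribute; reading the password itself (Get-AdmPwdPassword) is not required for this coverage check.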
These best practices are an important part of maturing and maintaining a strong security posture.
See Cathie’s article in Route Fifty challenging States on security posture.