Unless you’ve just returned from a 10-day interplanetary space mission, you’ve heard about the weaponization of ransomware into a Weapon of Mass Effect (WME) starting last Friday, May 12th. Organizations worldwide are in chaos trying to protect their systems while remaining operational. It seems that a group called the Shadow Brokers stole and released a suite of Equation Group attack tools purportedly designed by an in-house hacking team for NSA. In these tools was a malware called DoublePulsar designed to exploit older versions of Windows. The Shadow Brokers are believed to be tied to the North Korean government.
While Microsoft prioritized the development of patches for vulnerabilities targeted by DoublePulsar (perhaps having been tipped off by NSA), many organizations apparently did not install them leaving machines still running Windows XP, Windows Vista, or Windows Server 2003 susceptible to an attack. Now those organizations are scrambling to find and implement those patches.
What follows are short game and long game prescriptions. Yes, we need to ultimately establish, implement and mature an information risk management program. AND, yes, we must deal with the day-to-day discovery of new threats and vulnerabilities.
Short Game Plan for #WannaStopCrying:
- Don’t Block the Domain: By registering the malware’s unregistered domain name, a British security researcher unknowingly led all new infections of the ransomware to kill themselves. So at this point, Britain’s National Cyber Security Center (NCSC) recommends not to block that domain as it is to be used to resolve at the point of compromise.
- Patch Systems – Install MS17-010 issued by Microsoft in March; install Microsoft’s “one-off security fixes for operating systems no longer supported: Windows XP, Windows Server 2003 and Windows8 and/or other guidance issued by Microsoft.
- Until the security patch is applied, disable the Server Message Block v1 (SMB) on all computers.
- Upgrade all computers to Windows 10 along with the Windows Defender Antivirus which can detect this malware.
- Maintain daily or more frequent offline / offiste backups of critical data, including application, databases, mail systems and users files. Test backups regularly for data restoration.
- Keep informed by accessing:
- Ensure antivirus signatures are up to date as vendors are working to deliver updated signatures to detect/prevent a reoccurence.
- Retrain employees and other workforce members on social engineering, phishing and spoofing methods and ramifications. Test the results frequently.
- Check on this process with your Business Associates. Require attestations of the steps they have undertaken to protect your information.
But then what? what’s next #WannaSpy? #WannaDie? #WannaLie? How and when will you be ready?