As most of you are aware, there's a new ransomware attack happening around the globe called WannaCry. As of yesterday it has infected over 237,000 computers across 99 countries.

We've been receiving a lot of questions about how our clients are protected, and the good news is that our clients have multiple layers of protection in place. However, there is no silver bullet and there's always more that you can do. Unfortunately, there's no way to block ransomware 100%, and in the past we've had clients hit. However, we've had a 100% success rate of stopping it and fixing it. At a high level, as a client of Nucleus you have multiple layers of defense protecting you from malicious attacks:


  • Antispam Filtering
  • Business-class Firewalls
  • Two security products installed on all desktops/laptops
  • A security suite installed on all servers
  • Custom monitoring for ransomware activity
  • Hourly, encrypted backups onsite and offsite
  • Removal of admin rights on all computers


Here's what else you need to know:

Layered Security

We've taken a leadership position when it comes to layering security for our clients, and we're always looking to improve upon that stack to keep the integrity of your data and systems intact. Layered security gives us a higher success rate than relying on a single security platform.

We layer antivirus products on top of a predictive cloud security platform; if those were to fail, we have active file monitoring in place that, when encryption activity is detected, automatically shuts down the file shares and protects system integrity. Our backups are kept locally and offsite in two locations in Canada, which means restoring these files would not be a problem.
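As an added illustration (not Nucleus's monitoring product or its code), here is a small detector of the kind that paragraph describes: it counts, per account, renames on a share that append an unknown extension within a sliding window and, once a threshold is reached, emits the "take the share offline" decision. The event format, sample events, extension list, threshold and the disable-share hook are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)   # sliding window per account
THRESHOLD = 5                    # suspicious renames in the window before we act
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".pptx"}

# Constructed sample of share audit events (not real logs): (timestamp, user, op, old, new).
# ".locked" is a placeholder extension for the example, not a real ransomware indicator.
SAMPLE_EVENTS = [
    ("2017-05-15T09:00:01", "alice", "RENAME", "/finance/q1.xlsx", "/finance/q1.xlsx.bak"),
    ("2017-05-15T09:00:03", "carol", "RENAME", "/hr/report.docx", "/hr/report_final.docx"),
    ("2017-05-15T09:00:05", "bob", "RENAME", "/hr/policy.docx", "/hr/policy.docx.locked"),
    ("2017-05-15T09:00:07", "bob", "RENAME", "/hr/offer.pdf", "/hr/offer.pdf.locked"),
    ("2017-05-15T09:00:09", "bob", "RENAME", "/hr/staff.xlsx", "/hr/staff.xlsx.locked"),
    ("2017-05-15T09:00:11", "bob", "WRITE", "/hr/README.txt", "/hr/README.txt"),
    ("2017-05-15T09:00:12", "bob", "RENAME", "/hr/notes.txt", "/hr/notes.txt.locked"),
    ("2017-05-15T09:00:15", "bob", "RENAME", "/hr/deck.pptx", "/hr/deck.pptx.locked"),
]

def suspicious_rename(old_path, new_path):
    """True when the original name is kept and an unknown extension is appended."""
    old_name = PurePosixPath(old_path).name
    new_name = PurePosixPath(new_path).name
    if not new_name.startswith(old_name):
        return False                       # ordinary rename: the name changed outright
    appended = new_name[len(old_name):]
    return appended.startswith(".") and appended.lower() not in KNOWN_EXTENSIONS

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return one (user, timestamp, count) alert per account that hits the threshold."""
    recent, alerts, flagged = defaultdict(deque), [], set()
    for ts_str, user, op, old_path, new_path in events:
        if op != "RENAME" or not suspicious_rename(old_path, new_path):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged.add(user)
            alerts.append((user, ts_str, len(q)))
    return alerts

def respond(alerts):
    """Dry run of the response: an assumed hook that would take the share offline."""
    secs = int(WINDOW.total_seconds())
    return [f"DISABLE_SHARE user={u} reason={n}_suspicious_renames_in_{secs}s" for u, _, n in alerts]
```

Alice's single ".bak" rename and Carol's ordinary rename stay below the threshold; only Bob's burst of appended-extension renames triggers the share shutdown.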

Our antivirus product keeps copies of file changes if they are made by an application that the antivirus is unaware of. If the application is later deemed to be a virus or ransomware, the antivirus will roll back the files to their intact state prior to the changes.

(https://www.webroot.com/blog/2017/05/13/wannacry-ransomware-webroot/)

The predictive cloud security platform uses several methods to stop communication to and from the locations that the ransomware originates from. This includes blocking websites and servers with traffic patterns matching ransomware, as well as blocking domain names that are brand new and routing high volumes of traffic. These two analytics, among the numerous other methodologies employed by this platform, can block a ransomware campaign before any antivirus vendor or news outlet even knows about it.

(https://support.umbrella.com/hc/en-us/articles/115007309968-Wannacry-WanaCrypt0r-and-how-Umbrella-is-handling-it)


How to protect your digital assets

Most ransomware that infects corporate systems comes through people's personal email systems (Yahoo, Gmail, Hotmail, etc.). Obviously this bypasses any corporate security systems that are in place to protect email from bad attachments. For this particular security vulnerability, the MS17-010 patch needs to be applied to all vulnerable systems. This current threat is so serious that Microsoft has even released a security fix for Windows XP, which has been out of support for years.

If you're opening an email and you're unsure of the attachment, don't open it! This could be the start of the infection vector that is encrypting systems and holding servers and data for ransom across the world.

The current malware does not require user interaction to propagate itself once one system inside a network has been infected. Upon activation, your only line of defense will be a complete reformat of infected systems and a rebuild from your backups.

Aside from keeping your systems up to date, following these best practices will help protect your organization:

  • Never open a non-requested attachment
  • Never click on a banner
  • Do not visit Adult, online gaming and gambling sites with corporate systems
  • Never install “free software” unless approved by corporate security
  • Make sure that you have backups that are taken regularly on a system that is not visible from corporate workstations, to allow for a rollback in case of infection.
  • If your backups are "visible" from your workstations on a share or by other means, then you risk that your backup will also be encrypted/locked by ransomware, in which case your only options will be to either pay the ransom or rebuild your data manually from scratch.
  • Ensure that you put in place a rapid phase-out plan for Windows XP and Windows 2003 in your environment.
  • Plan for a phase-out of Windows 7, which is currently on extended support and will be out of support in January 2020.
  • Always deploy operating system updates and security patches in a timely and regular manner.

Keeping Systems Up to Date

The security hole that this ransomware is exploiting was patched by Microsoft two months ago. Interestingly enough, the vulnerability was discovered by the NSA and was leaked. Once knowledge of this hole was leaked, Microsoft patched it right away, and ransomware creators began working on ways to exploit it. We run monthly patches to ensure we stay up to date on security updates. We know it's annoying when your computer incessantly asks you to reboot, but this is why! Patching security holes is critical to protecting your computers and your data! (http://fortune.com/2017/04/15/microsoft-shadow-brokers-patch/)

If you see a prompt to reboot to complete patching, take the time to reboot!

We also work hard to ensure we are keeping your systems up to date. Older versions of Windows are no longer patched by Microsoft. When those systems come out of support, security holes such as this one stay open and leave you and your organization at risk.


"What more can we do to enhance our security?"

Our dedicated team of consultants can assist with enhanced digital-security initiatives; our recommended list is below:

  • User education, training, mock phishing email testing, etc.
  • Blocking access to personal email accounts from corporate assets (Gmail, Yahoo, Hotmail, etc.)
  • Removing admin rights from users who have admin access on their machine
  • Implementing single-sign-on and enhanced mobile device management
  • Performing a security audit/benchmark on the current state of your digital security and defining a security roadmap


If you have any additional questions or concerns, please reach out to discuss!