On May 12, 2017, the powerful WannaCry ransomware infected more than 300,000 computers in over 150 countries in less than 24 hours. Six weeks after the WannaCry attack, a variant of the ransomware called Petya arrived on the scene and began to spread rapidly.
WannaCry uses command-line instructions to quietly delete any shadow volumes, delete backup catalogs, and disable automatic repair at boot time. With the backups gone, it writes itself into tasksche.exe or mssecsv.exe in a randomly generated folder and gives itself full access to all files. Petya overcomes some of the safeguards put in place against WannaCry: for example, it steals administrator credentials with a password-dumping tool and uses them to run wmic.exe, executing the malware directly on a remote machine.
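The behaviours described above (shadow-copy deletion, backup-catalog deletion, disabling boot recovery, and wmic.exe remote execution) are what a defender can alert on in process-creation logs. The following is an added detection example, not code from the report or from McAfee; the log format and sample events are constructed, and mapping each behaviour to vssadmin, wbadmin, bcdedit and wmic is an assumption about which standard Windows utilities perform those tasks, since the text names only the behaviours.

```python
import re
from collections import defaultdict
# Detection rules for the behaviours the text attributes to WannaCry and Petya. Utility
# names (vssadmin, wbadmin, bcdedit, wmic) are assumptions; the page names behaviours only.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "remote_wmic_process_create": re.compile(
        r"\bwmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I),
}
# All three backup-destruction steps on one host: the ransomware is preparing to encrypt.
PRECURSORS = {"shadow_copy_deletion", "backup_catalog_deletion", "boot_recovery_disabled"}

def parse_event(line):
    """Constructed log format: timestamp|host|user|parent_image|command_line."""
    ts, host, user, parent, cmdline = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}

def match_rules(event):
    """Names of every rule the event's command line triggers (sorted for stable output)."""
    return sorted(name for name, rx in RULES.items() if rx.search(event["cmdline"]))

def analyze(lines):
    """Return (per-event hits, per-host verdict); a host with no hits gets no verdict."""
    hits, per_host = [], defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for name in match_rules(event):
            hits.append((event["ts"], event["host"], event["parent"], name))
            per_host[event["host"]].add(name)
    verdicts = {}
    for host, names in per_host.items():
        if PRECURSORS <= names:
            verdicts[host] = "ransomware_precursor"
        elif "remote_wmic_process_create" in names:
            verdicts[host] = "remote_execution"  # wmic used to start a process on another machine
        else:
            verdicts[host] = "suspicious"
    return hits, verdicts

# Constructed sample events; the payload path is a placeholder, not a real indicator.
SAMPLE_LOG = [
    "2017-05-12T10:01:07Z|WS-042|CORP\\alice|tasksche.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    "2017-05-12T10:01:08Z|WS-042|CORP\\alice|tasksche.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    "2017-05-12T10:01:09Z|WS-042|CORP\\alice|tasksche.exe|wbadmin delete catalog -quiet",
    "2017-05-12T11:30:00Z|WS-017|CORP\\bob|explorer.exe|vssadmin list shadows",
    "2017-06-27T14:22:01Z|SRV-01|CORP\\svc_backup|powershell.exe|wmic /node:WS-099 /user:CORP\\admin process call create C:\\PLACEHOLDER_PAYLOAD.exe",
]
```

Running `analyze(SAMPLE_LOG)` flags WS-042 as a ransomware precursor (all three backup-destruction steps from the same parent process within seconds) and SRV-01 for remote execution, while the benign `vssadmin list shadows` on WS-017 produces no hit.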
The McAfee Labs Threats Report: September 2017 outlines several best practices to defend your organization against these two insidious malware threats.
Be vigilant in your software and file management
WannaCry and Petya exposed the continued use of old and unsupported operating systems and the lax patch-update processes followed by some organizations. Set up a rigorous program to maintain and update your software applications, particularly those involved with your operating systems. It's also a good idea to regularly back up data files and verify your network restore procedures.
Impose key restrictions
Since ransomware is usually designed to run from well-known operating system folders, restrict code execution in those locations to keep it from running there and encrypting data. Restricting administrative and system access adds an extra layer of protection by preventing malware from using default accounts to perform its operations. Consider removing local administrative rights so that ransomware cannot run on a local system; this also blocks access to the critical system resources and files that ransomware targets for encryption.
Implement strict email policies
Securing email communication is key to preventing malware from infecting your systems. Filter email content to limit spam and reduce the potential for attacks. Block attachments to reduce the attack surface, and implement a policy that restricts certain file extensions from being sent by email. Analyze the attachments that are allowed with a sandboxing solution and strip malicious ones with an email security appliance.
Always be monitoring
Continually monitor and inspect network traffic to help identify abnormal traffic associated with malware behaviors. Use threat intelligence data feeds to help detect threats faster.
Conduct ongoing training
Ransomware often infects a system through phishing attacks that rely on email attachments, downloads, and malicious web content such as cross-site scripting encountered while browsing. Educate your network users on the dangers of malware threats and the warning signs that help them avoid enabling an attack.
DG Technology is a certified McAfee partner and can help you leverage the full line of McAfee security solutions. Contact DG Technology to learn how we can help you implement an integrated approach to defense against malware and ransomware.