Anatomy of the Attack
Based on reports thus far, the attack is believed to start when someone falls victim to a phishing email or malicious website. Once the ransomware, known as WannaCry or WannaCrypt, begins running on the victim's system, it starts encrypting the victim's files and looks for systems on the network that have an unpatched Windows SMB vulnerability. If unpatched, the Windows SMB vulnerability allows the ransomware to infect additional machines on the network. Microsoft released a patch for the SMB vulnerability in March. The ability to spread via the SMB vulnerability, which is reportedly tied to a stolen hack written by the N.S.A., makes this attack particularly devastating because it spreads through the network so easily and quickly. Once a computer is encrypted, the ransomware demands a bitcoin payment of at least $300 for the decryption keys. It is unclear whether ransom payments actually result in the cybercriminals providing working decryption keys.
As of Saturday afternoon, most estimates put the total bitcoin payment value at around $35,000, which is remarkably low given the amount of havoc this attack has caused.
How to keep safe:
- Keep systems patched and up-to-date
- Do not use unsupported Operating Systems, which cannot be kept patched and up-to-date (no Windows XP and no Windows Server 2003)
- Educate and test employees to ensure that they will not fall for phishing emails or other forms of social engineering
- Back up systems and ensure that Disaster Recovery Plans are robust
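A local hygiene check covering the first two items above, added here as an example; it is not part of the original article and is not Accume's tooling. It assumes it runs with administrator rights on Windows 7 / Server 2008 R2 or later with PowerShell 3 or newer, and the 90-day patch-age threshold is a constructed value to be adjusted to the organization's patching policy. It also goes one step beyond the list: it reports whether SMBv1, the protocol version in which the flaw WannaCry exploits lies, is still enabled, because turning it off removes the network-spreading vector even on hosts that have not yet received the March patch.

```powershell
# Added example (not from the original article): flag unsupported OS versions,
# stale patching, and SMBv1 exposure on the local host.
# Assumptions: administrator rights, Windows 7 / Server 2008 R2 or later,
# PowerShell 3+. $MaxPatchAgeDays is a constructed threshold.

$MaxPatchAgeDays = 90
$findings = @()

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# 1. Unsupported operating systems cannot be patched at all.
#    Windows 2000, XP and Server 2003 all report NT major version 5.
if ($os.Version -like '5.*') {
    $findings += "UNSUPPORTED OS: $($os.Caption) ($($os.Version)) no longer receives security patches"
}

# 2. Patch freshness: how long ago was the most recent hotfix installed?
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $latest) {
    $findings += "NO PATCH HISTORY: Get-HotFix returned no dated updates"
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $age = ((Get-Date) - $latest.InstalledOn).Days
    $findings += "STALE PATCHING: last update $($latest.HotFixID) was installed $age days ago"
}

# 3. (Beyond the article's list) SMBv1 exposure. Get-SmbServerConfiguration
#    exists on Windows 8 / Server 2012 and later; older hosts are reported as
#    not checkable rather than silently passed.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += "SMBv1 ENABLED: disable with Set-SmbServerConfiguration -EnableSMB1Protocol `$false"
    }
} else {
    $findings += "SMBv1 state not checkable on this OS version (cmdlet unavailable)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($os.Caption) is supported, patched within $MaxPatchAgeDays days, and SMBv1 is off"
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt on each host, or wrap it in Invoke-Command to sweep a fleet; any line other than the final "OK" is a finding that maps directly back to one of the list items above.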
How Accume Partners Can Help:
Accume Partners offers many services that can help organizations prepare for cyberattacks. Particularly cost-effective and short-duration engagements include:
- Email Phishing Assessments – By exposing employees to regular test phishing emails of various types, employees will learn what to look for and to be on their guard. Recurring assessments contain an educational/training component that may help prevent employees from falling victim to phishing attacks – one of the best ways to keep malware out of the network.
- Patch Audits – Periodic internal network assessments to make sure that patching policies and procedures are working. These ensure that the IT environment is at the appropriate patch level and that vulnerabilities are not being left unaddressed.
- Penetration Testing – Actively evaluating Internet facing systems by using tests that mimic real-world attacks.
- Disaster Recovery Assessments – Performing a technical and non-technical review of backups and the disaster recovery procedures helps ensure that an organization can bring critical services back online quickly following a disruption.
- Incident Response Solutions – From the development of an incident response playbook (detailed procedures for responding to attacks like this one) to threat intelligence briefings to actual incident response and forensics, Accume offers a complete array of security incident-related solutions.
- Cybersecurity Enhanced Testing Audit – Accume has a unique audit program aimed at testing controls that are typically not the purview of IT general controls audits or IT regulatory examinations.