Since our last article on ransomware a couple of years ago, it has become front page news but also evolved, particularly in the ways it manages to spread within and across organisations.
The most recent headlines have been about the Petya/NotPetya outbreak. This is starting to look like it might have been a targeted attack, but the methods it uses are still worth mitigating to prevent an outbreak in your organisation, because they are the same methods used by other recent outbreaks.
Here’s a list of mitigations in the order you’re most likely to be able to do them. No single one will prevent an outbreak but any combination will make you less vulnerable and will limit the spread if a computer in your organisation is compromised.
Keep patches up to date
You should be doing this anyway, so this is the easiest mitigation. A lot of the vulnerabilities that ransomware uses have already been patched, so making sure you’re up to date has a massive beneficial impact. This applies to desktops and servers, so make sure you have a routine for rebooting the servers to apply patches if it’s not done automatically. And don’t forget those XP and 2003 machines still lurking around – Microsoft has released some recent security patches for them despite their being out of support. Better still, plan to replace them with something newer.
Disable SMB v1
SMB v1 is the old Microsoft file sharing protocol which has been mostly superseded but is still enabled on most desktops and servers. Vulnerabilities in SMB seem to have been used in the WannaCry outbreak and can also be used as a fallback method by Petya/NotPetya.
SMB v1 can be disabled using Group Policy, PowerShell commands or directly in the registry. You’re going to want to test this on a few representative (but not vital) machines to make sure it doesn’t affect any old software or hardware access. Access to shares on old NAS drives, for example, may only work with the SMB v1 Lanman client enabled. It should however be possible to disable the SMB v1 Lanman server on most devices.
If you can use Group Policy, Microsoft has a good TechNet blog post on how to do that. If you have to use one of the manual methods, this Microsoft Knowledge Base article tells you how to accomplish that on the main operating systems. If you do have to do it manually, start with servers and key workstations (payroll, production control).
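As an added example (not code from the original article), the following PowerShell audits a host's SMB v1 state and disables only the server side, leaving the client for you to review first, as the text recommends. It assumes the SmbShare cmdlets (Windows 8.1 / Server 2012 R2 and later), the LanmanServer SMB1 registry value and the mrxsmb10 client driver described in Microsoft's documentation.

```powershell
# Added example: audit SMB v1 on this host and turn off the SMB v1 *server*,
# which the article says is safe on most devices. The SMB v1 client (mrxsmb10)
# is only reported, because old NAS shares may still depend on it.
# Run in an elevated PowerShell session; test on non-vital machines first.

$serverParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientService = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Server side: an explicit SMB1 registry value wins; otherwise ask the SMB server.
    $regValue = (Get-ItemProperty -Path $serverParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($null -ne $regValue) { $serverEnabled = ($regValue -ne 0) }

    # Client side: mrxsmb10 is the SMB v1 client driver; Start=4 means disabled.
    $start = (Get-ItemProperty -Path $clientService -Name Start -ErrorAction SilentlyContinue).Start
    $clientEnabled = ($null -ne $start) -and ($start -ne 4)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$serverEnabled
        Smb1ClientEnabled = [bool]$clientEnabled
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB v1 server')) {
        # Turn the protocol off on the running SMB server...
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # ...and pin it in the registry so the setting survives reboots.
        Set-ItemProperty -Path $serverParams -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$before = Get-Smb1Status
$before | Format-List
if ($before.Smb1ServerEnabled) {
    Disable-Smb1Server -WhatIf   # drop -WhatIf once the test machines look fine
}
if ($before.Smb1ClientEnabled) {
    Write-Warning 'SMB v1 client (mrxsmb10) still enabled: check old NAS/printer access before disabling it.'
}
```

Run Get-Smb1Status again after a reboot to confirm the change stuck, and feed the client-side warning into your inventory of devices that still need SMB v1.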
Keep antivirus and anti-malware up to date
A lot of ransomware gets under the scanning radar but it’s still worth making sure the systems you have are updating properly. If your AV console shows servers or workstations with errors, investigate and try to fix them. Security is an incremental process.
Limit admin access
The NotPetya ransomware seems to have used the harvesting of admin credentials as the main way of spreading once it was inside an organisation. Any time you allow a user to have local administrator privileges on their workstation, there is a possibility of the credentials being stored in a way that a malicious process can access. Any time you allow IT administrators to make domain administrator connections from their workstations, there is a possibility of the credentials being stored in a way that a malicious process can access.
This is a complicated topic and hence not an easy mitigation but you need to reorganise your working methods to limit admin access and hence the caching of administrator credentials. You can start by documenting who has local or domain admin access, why they need it, and how it is used. Then remove the privileges that aren’t needed.
Some of the mitigations are easy and some are inconvenient, but none are as bad as cleaning up after a ransomware attack. And it should go without saying that your users should be storing data in a place that is backed up, and that restoring from backup is regularly tested.