Dry your eyes: Lessons learned from WannaCry

If you’re reading this post, congratulations! You hopefully aren’t using one of the more than 200,000 computers that were hit by the first wave of the WannaCry ransomware attack. Those unfortunate victims are dealing with bigger problems right now, such as how to admit patients to their emergency rooms or ship perishable items to their destinations without the help of working computers.

As this attack demonstrated, the cost of ransomware goes far beyond the fee that’s demanded to get back your files; it brings down businesses and even threatens lives. Most experts, including the FBI, recommend against paying ransoms, which have no guarantee of success and can even target you for further attacks. A better strategy is to prevent attacks in the first place. Here are some lessons we’ve learned from this and other attacks.

Patching WannaCry ransomware

WannaCry didn’t come out of nowhere: It exploited a known Microsoft vulnerability for which the company issued a patch two months earlier. Subscribers to the IBM X-Force Exchange received that fix on the same day it was released.

It’s particularly important to patch endpoints, such as PCs and mobile devices, because that’s where 85 percent of ransomware infections originate. The process can be complex, but IT teams can use endpoint tools to deploy patches consistently, reliably and automatically across a broad range of operating systems.

A majority of existing endpoint detection and response (EDR) solutions are unable to fully secure organizations from ransomware for three reasons. First, they lack full visibility of endpoints and their statuses, which limits their ability to detect and contextualize malicious behavior. Second, they often require complex, post-detection incident investigations, which is a challenge in a cybersecurity field that is expected to see 1.5 million vacant positions by 2020. Third, some of these tools lack any remediation abilities whatsoever, which reduces an organization’s ability to act effectively on investigation findings.

Make sure your EDR solution has the appropriate visibility to not only detect, but also contextualize malicious behavior. Tool sets such as IBM BigFix can help solve those two problems and also provide effective remediation based on investigative findings.

Training your people

By various estimates, up to 83 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment or visits a compromised website. Employees are the first line of defense, so investing in ongoing training about protecting against phishing and malware should be a priority.


Blocking ransomware with threat intelligence

Deploying patches can be a complex and error-prone process, particularly when old or critical applications are involved. Your intrusion prevention system (IPS), when kept up to date with the most current threat intelligence data, can help prevent ransomware by using signatures to detect and stop it.

IBM X-Force Exchange, for example, provides signatures to detect the ransomware’s command-and-control (C&C) communication with its servers and its use of the specific EternalBlue SMB vulnerability. For updates, follow the X-Force Exchange WannaCry collection.

Organizations that can’t patch can prevent the spread of the ransomware by disabling the outdated and vulnerable Server Message Block version 1 (SMBv1) in Windows. Additional recommendations are available and continuously updated on the WannaCry IBM Support page.

Detection driven by behavioral analysis

While a good prevention program should stop most ransomware attacks at the door, it can’t protect you 100 percent of the time. A good security analytics platform provides the next level of defense by detecting ransomware activity based on behavior. For example, a simple rule can identify when ransomware is encrypting files at a high rate. When combined with an endpoint management product, this one-two punch can help kill the malicious process before it does significant damage.
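The rate-based rule described above, as an added example that is not part of the original post or of any IBM product: it reads constructed endpoint file-activity events (the line format, the process name "suspect.exe", the ".encrypted" suffix and the thresholds are all assumptions) and raises one alert per process the first time it modifies an unusual number of distinct files inside a short sliding window.

```python
"""Rate-based detection of ransomware-style mass file modification.

Assumptions (not from the original post): endpoint telemetry arrives as
lines "<ISO-8601 time> <host> <process> <event> <path>", where event is
WRITE, RENAME or DELETE. Thresholds are illustrative and must be tuned
against a baseline, since backup and archiving tools also touch many
files quickly; the alert is the trigger for the endpoint tool to act.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # sliding window length
THRESHOLD = 30                  # distinct files per process per window


def parse(line):
    ts, host, proc, event, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, proc, event, path


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return [(host, process, alert_time, distinct_files)], one entry per
    (host, process) the first time its distinct modified files within
    `window` reach `threshold`."""
    recent = defaultdict(deque)   # (host, proc) -> deque[(time, path)]
    alerted, alerts = set(), []
    for line in lines:
        ts, host, proc, event, path = parse(line)
        if event not in ("WRITE", "RENAME"):
            continue
        key = (host, proc)
        q = recent[key]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # expire events outside window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((host, proc, ts, distinct))
    return alerts


def constructed_log():
    """Constructed sample: slow normal editing plus one process renaming
    40 user files in four seconds with a constructed .encrypted suffix."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(20):     # background: one document every 30 seconds
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} ws01 winword.exe WRITE C:\\u\\doc{i}.docx")
    for i in range(40):     # burst: one file every 100 ms
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} ws01 suspect.exe RENAME C:\\u\\f{i}.xlsx.encrypted")
    return sorted(lines, key=lambda l: parse(l)[0])
```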

A cognitive system can also identify malicious activities based on behavior by continually scanning online sources of intelligence, such as threat advisories and blogs. For example, IBM Watson was able to identify one WannaCry ransomware attack based on network traffic going to a suspicious IP address. It learned of the address from a threat researcher’s blog.

Responding with dynamic playbooks

Sometimes breaches occur despite your best efforts. In those cases, an incident response (IR) platform and team are your last line of defense. An IR platform can help orchestrate the response to ransomware attacks by aligning people, processes and technologies in a predictable and efficient manner.

Any good IR platform supports the Dynamic Playbook for ransomware. IBM Resilient’s Dynamic Playbook adapts in real time as information about an attack is uncovered, generating a response based on the most current information.

Most successful organizations also turn to IR services providers during times of crisis. When choosing IR vendors, select one with a breadth of experience in not just ransomware, but also other areas of cybercrime. This vendor should have prior success in assisting customers to align their response and restore normal operations.

A good IR provider can help you hit the reset button by bringing your backed-up data and systems back online. IBM’s IR services team works with customers to ensure that restored systems are not vulnerable to similar attacks and can also improve defenses against future incidents.
