The Massive RansomWare Attack and How to Defend

May 17, 2017

Last week, the world experienced a massive cyberattack that impacted organizations in at least 100 countries.  The ransomware attack had a devastating impact on numerous organizations in which it was able to execute, spread, and encrypt files.  Operations at Britain's National Health Service, factories, telecommunication providers, universities, and numerous businesses were disrupted by the spreading ransomware.

Anatomy of the attack:

Based on reports thus far, the attack is believed to start when someone falls victim to a phishing email or malicious website.  Once the ransomware, known as WannaCry or WannaCrypt, begins running on the victim's system, it starts encrypting the victim's files and looks for systems on the network that have an unpatched Windows SMB vulnerability.  If unpatched, the Windows SMB vulnerability allows the ransomware to infect additional machines on the network.  Microsoft released a patch for the SMB vulnerability in March.  The ability to spread via the SMB vulnerability, which is reportedly tied to a stolen hack written by the N.S.A., makes this attack particularly devastating because it spreads through the network so easily and quickly.  Once a computer is encrypted, the ransomware demands a bitcoin payment of at least $300 for the decryption keys.  It is unclear whether ransom payments actually result in the cybercriminals providing working decryption keys.

As of Saturday afternoon, most estimates put the total bitcoin payment value at around $35,000, which is remarkably low given the amount of havoc this attack has caused.

How to keep safe:

1) Keep systems patched and up-to-date

2) Do not use unsupported operating systems, which cannot be kept patched and up-to-date (no Windows XP and no Windows Server 2003)

3) Educate and test employees to ensure that they will not fall for phishing emails or other forms of social engineering

4) Back up systems and ensure that Disaster Recovery Plans are robust

In addition, make sure that multiple layers of security are in place to prevent malware from getting into the network and spreading within the network.

How Accume Partners Can Help:

Accume Partners offers many services that can help organizations prepare for cyberattacks.  Particularly cost effective and short-duration engagements include:

  • Email Phishing Assessments - By exposing employees to regular test phishing emails of various types, employees will learn what to look for and to be on their guard.  Recurring assessments contain an educational/training component that may help prevent employees from falling victim to phishing attacks - one of the best ways to keep malware out of the network.
  • Patch Audits - Periodic internal network assessments to make sure that patching policies and procedures are working.  These ensure that the IT environment is at the appropriate patch level and that vulnerabilities are not being left unaddressed.
  • Penetration Testing - Actively evaluating Internet facing systems by using tests that mimic real-world attacks.
  • Disaster Recovery Assessments - Performing a technical and non-technical review of backups and the disaster recovery procedures helps ensure that an organization can bring critical services back online quickly following a disruption.
  • Incident Response Solutions - From the development of an incident response playbook (detailed procedures for responding to attacks like this one) to threat intelligence briefings to actual incident response and forensics, Accume offers a complete array of security incident-related solutions.
  • Cybersecurity Enhanced Testing Audit - Accume has a unique audit program aimed at testing controls that are typically not the purview of IT general controls audits or IT regulatory examinations.

For more information please contact: information@accumepartners.com