Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack today, similar to the cyber-attack we blogged about last month. Ukrainian firms, including the state power company and Kiev's main airport, were among the first to report issues. With Interpol "closely monitoring" the situation and liaising with its member countries, experts suggest that the malware is taking advantage of the same weaknesses used by the WannaCry attack last month.
Over the last few days, a new cyber-attack - WannaCry - has been making the headlines. This ransomware attack was huge and infected over 100,000 computers around the world in the first day. Some of us may have thought that this kind of attack, with a very large impact footprint, was history, given its resemblance to the first viruses in the early 2000s. Unfortunately, such attacks thrive on users' failure to keep their systems up to date.
Considering that we have been working to secure our infrastructure against viruses for more than 15 years, it is still surprising how impactful a single virus attack can be. Disk encryption attacks like the WannaCry ransomware are particularly interesting because they demonstrate a new level of sophistication. Clearly, the perpetrators have significant means and know-how. They are building on years of blackout interactions with security companies, a number of hacking kits available, as well as leaks from national security agencies (sadly).
Early reports point to the fact that the attacks were stopped by a security researcher. This gentleman registered a previously unregistered URL that the malware used to check whether it was running in a sandbox. The goal of the researcher was to track the spread of the virus; in doing so, he confused it and triggered the equivalent of a kill switch. The game is not over, though: a new version of the virus has just been released without the kill switch.
What can organizations do in the meantime to get ready? Netmail has a few solutions that can help you counter the impact this new virus may have.
How Does Ransomware Get on your Computer?
This attack had multiple modes of spreading. The most effective way was the use of Windows SMB vulnerabilities once the virus was inside the organization. But to get inside your local network, it first had to come in via a phishing attack. Yes, humans are still one of the weak links in the chain. Using an effective email filter like Netmail Secure can significantly reduce the risk of such an attack getting through.
Higher-end solutions like Netmail Secure include sender IP address filtering to block known spam senders, zero-day attack protection that detects email attacks early on, URL filtering in email to stop malicious links from passing through the network, and intelligent mail filtering systems to detect these types of attacks. Netmail has also been working hard over the last few years to prevent phishing attacks, and we continue to do so.
How to Fix a Ransomware Virus?
If your filter fails to cover an attack, you still have other levels of protection you can leverage. Netmail's RPZ service is a DNS filtering service that blocks the user from downloading the actual payload from the link. The RPZ service also redirects any connection to a command-and-control server or to any URL that is known to be malicious. In many cases, this can save your organization from the attack.
Many users also connect to their personal Gmail accounts, or other email accounts, from the company computer. So you can have the best filtering service available, but when this happens you are relying on the end user's service provider to filter out the attack. Using a DNS filtering service covers this risk by filtering out the link that is clicked before the payload is downloaded.
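To make concrete how a DNS policy service of the kind described above decides what to do with a lookup, here is a small evaluator added as an example (it is not Netmail's code): it applies BIND-style RPZ QNAME entries to constructed, illustrative domain names, returning NXDOMAIN for a payload host, a sinkhole CNAME for command-and-control names, and an explicit passthru exception for one host under an otherwise blocked domain.

```python
"""Toy DNS Response Policy Zone (RPZ) evaluator. Constructed example: the
zone entries and names below are illustrative, not real indicators."""
from dataclasses import dataclass
from typing import Optional

# A QNAME policy zone in the shape BIND-style RPZ uses: the owner name is
# the queried name (a leading "*." covers every subdomain, not the apex
# itself), and the CNAME target encodes the action:
#   "."             -> NXDOMAIN (answer that the name does not exist)
#   "*."            -> NODATA   (name exists, but has no records)
#   "rpz-passthru." -> PASSTHRU (explicit allow)
#   anything else   -> redirect the client to that walled-garden host
POLICY_ZONE = {                                       # constructed data
    "payload-host.example": ".",                      # block payload download
    "*.c2-botnet.example": "sinkhole.corp.example",   # redirect C2 traffic
    "c2-botnet.example": "sinkhole.corp.example",
    "*.cdn.example": ".",                             # block a bad CDN wholesale
    "status.cdn.example": "rpz-passthru.",            # ... except this one host
}

@dataclass
class Verdict:
    action: str                   # PASSTHRU, NXDOMAIN, NODATA or CNAME
    trigger: Optional[str]        # the policy entry that fired, if any
    target: Optional[str] = None  # redirect destination for CNAME

def _action(trigger: str, target: str) -> Verdict:
    if target == ".":
        return Verdict("NXDOMAIN", trigger)
    if target == "*.":
        return Verdict("NODATA", trigger)
    if target == "rpz-passthru.":
        return Verdict("PASSTHRU", trigger)
    return Verdict("CNAME", trigger, target)

def evaluate(qname: str, zone: dict = POLICY_ZONE) -> Verdict:
    """Return the policy verdict for a query name. An exact entry wins;
    otherwise the most specific (longest) matching wildcard entry applies."""
    name = qname.lower().rstrip(".")
    if name in zone:
        return _action(name, zone[name])
    labels = name.split(".")
    # Walk upward from the full name: "a.b.c" checks "*.b.c", then "*.c".
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return _action(candidate, zone[candidate])
    return Verdict("PASSTHRU", None)  # no policy entry: resolve normally
```

A resolver applying this logic never hands the client the real address of the payload host, and beacons to the command-and-control names land on the sinkhole, where they can be logged for the forensic follow-up described next.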
Finally, if a computer is compromised through a phishing attack, your rapid forensic investigation can identify which link in which email the user clicked. This is where Netmail's Retract can help you - call it Zero Day Remediation. Netmail Retract allows you to search all the mailboxes in your Exchange systems and remove emails matching specific criteria. In this case, you could remove any emails containing the attack link, preventing other computers from being infected.
Clearly, we all need to continue our efforts to improve our update processes for computers. We also need to do more to train our users to avoid clicking risky links. But there are technologies available on the market that can limit the impact of such attacks. Netmail is there to help, as we continue to develop technologies to reduce risk and secure your environment.