The WannaCry ransomware attacks of 2017 were a global shock with 150 countries hit and hundreds of aftershocks as employees around the world logged on to infected devices to do their work in the days that followed. The attack, and other ransomware attacks before and since, highlighted just how large the endpoint blind spots are within global enterprises and government organizations…
The organizations most heavily hit by WannaCry have a dark endpoint problem. The attackers counted on there being hundreds of thousands of unpatched, SMB-exposed devices that nobody was watching; the worm found them without needing to pick targets, and it spread like wildfire.
The current state of endpoint security means that organizations must be more proactive when it comes to securing data and responding to attacks – and that includes greater visibility into endpoint controls.
If organizations had the visibility into all their devices and knew about the presence and health of patch management and endpoint security applications, they would be able to proactively minimize risk, and develop resilient isolation strategies to protect the rest of their network from attack if the worst were to happen.
For those organizations impacted by the attacks, early detection, faster communication, and rapid containment are critical. It is also important to consider the attack vectors for WannaCry and many other worm malware strains when thinking about prevention and remediation.
Flying Blind – and How to Get Better Visibility
How do you spot and react to an infection before it spreads and starts wreaking havoc across your organization when you can’t see the problem?
The key to spotting and containing the spread of WannaCry and other malware is already embedded in most endpoints via Absolute’s Persistence technology. Our solution, which is in more than 1 billion popular PC and mobile devices at the firmware level, gives IT departments visibility and control of those devices, on and off the network. This allows security teams to maintain absolute visibility, and contain malware-infected devices faster.
Absolute customers are able to see and control rogue or dark endpoints. They can also spot “out of support” systems and retire them, remove sensitive data, and ensure patches are working to proactively minimize risk. They can also see the presence and health of patch management tools and other endpoint security agents to ensure that supported devices are safe.
While prevention is the ultimate goal, containment is an area that is ripe for significant improvement. Much like the race to contain patient zero, Absolute’s containment capabilities allow an organization to segregate infected devices from the corporate domain to prevent further spread. Our containment services interact with a company’s firewall to block web traffic to and from devices faster than manual efforts. Firewall rules are also constantly monitored and are re-created or repaired if a user tries to modify them.
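The containment described above comes down to host firewall rules that are checked continuously and put back if a user removes or disables them. As an added illustration of that idea (it is not Absolute's code; the containment policy, the management address 10.0.0.5 and the `netsh` output below are all constructed for this example), the script parses the output of `netsh advfirewall firewall show rule name=all` on a quarantined Windows host, compares it with the rules the policy expects, and emits the `netsh` commands that re-create anything missing, disabled or altered:

```python
"""Containment-rule drift check for a quarantined Windows host (added example).
QUARANTINE_POLICY, the management server 10.0.0.5 and SAMPLE_NETSH_OUTPUT are
constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str    # "In" / "Out"
    action: str       # "Allow" / "Block"
    protocol: str     # "TCP", "UDP" or "Any"
    local_port: str   # port number or "Any"
    remote_port: str
    remote_ip: str    # "Any", address or CIDR
    enabled: bool = True


# Minimal containment policy: stop SMB in both directions (the channel WannaCry
# spreads over) but keep the agent's HTTPS check-in to management open.
QUARANTINE_POLICY = [
    Rule("Quarantine-Block-SMB-In", "In", "Block", "TCP", "445", "Any", "Any"),
    Rule("Quarantine-Block-SMB-Out", "Out", "Block", "TCP", "Any", "445", "Any"),
    Rule("Quarantine-Allow-Mgmt-Out", "Out", "Allow", "TCP", "Any", "443", "10.0.0.5"),
]


def parse_netsh_rules(text):
    """Parse the 'Key: Value' blocks printed by `netsh advfirewall firewall show rule`."""
    blocks, current = [], {}
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            if current:
                blocks.append(current)
            current = {"Rule Name": line.split(":", 1)[1].strip()}
        elif current and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    observed = {}
    for b in blocks:
        remote_ip = b.get("RemoteIP", "Any")
        if remote_ip.endswith("/32"):          # netsh prints single hosts as x.x.x.x/32
            remote_ip = remote_ip[:-3]
        observed[b["Rule Name"]] = Rule(
            b["Rule Name"], b.get("Direction", ""), b.get("Action", ""),
            b.get("Protocol", "Any"), b.get("LocalPort", "Any"),
            b.get("RemotePort", "Any"), remote_ip, b.get("Enabled") == "Yes")
    return observed


def netsh_add(rule):
    return (f'netsh advfirewall firewall add rule name="{rule.name}" '
            f'dir={rule.direction.lower()} action={rule.action.lower()} '
            f'protocol={rule.protocol} localport={rule.local_port.lower()} '
            f'remoteport={rule.remote_port.lower()} remoteip={rule.remote_ip.lower()} '
            f'enable=yes')


def netsh_delete(rule):
    return f'netsh advfirewall firewall delete rule name="{rule.name}"'


def repair_commands(policy, observed):
    """Commands that restore every policy rule that is missing, disabled or altered."""
    cmds = []
    for wanted in policy:
        actual = observed.get(wanted.name)
        if actual == wanted:
            continue                            # present and untouched
        if actual is not None:
            cmds.append(netsh_delete(wanted))   # tampered with: drop it and re-create
        cmds.append(netsh_add(wanted))
    return cmds


# Constructed sample: the outbound SMB block has been disabled by the user and
# the management allow rule has been deleted outright.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            Quarantine-Block-SMB-In
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            445
RemotePort:                           Any
Action:                               Block

Rule Name:                            Quarantine-Block-SMB-Out
----------------------------------------------------------------------
Enabled:                              No
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           445
Action:                               Block
Ok.
"""

if __name__ == "__main__":
    for cmd in repair_commands(QUARANTINE_POLICY, parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print(cmd)
```

Run the emitted commands from an elevated prompt and re-run the check on a schedule. One Windows Firewall caveat: an explicit block rule takes precedence over an allow rule regardless of order, so a full "block everything except management" quarantine is built by setting the profile default action (`netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound`) plus an allow rule for the management server, not with a block-any rule that would also swallow the agent's check-in.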
Combating Ransomware: Tips for Proactive Action
Understanding the likely vectors and access points is critical for prevention and awareness. Email is the most common initial vector for ransomware (e.g. a phishing message carrying a malicious attachment or link), so users must be able to recognise the red flags of a phishing attempt. In addition, tightening the following mail and device configuration controls is critical:
- Ensure that the .exestrip rule is enabled in PPS; it strips inbound raw executables and .zip/.js attachments from email before they reach the user.
- Block password-protected compressed files, especially during the outbreak period.
- Enable behavioral (sandbox) analysis of URLs and Office documents if the mail environment offers it; macro-bearing documents and links to a downloader are the usual way past a plain executable filter.
- Ensure systems are patched against the vulnerabilities described in the relevant security bulletins. For WannaCry that is MS17-010, which fixes remote code execution flaws in the Windows SMBv1 server (not Samba); applying it, or disabling SMBv1 where nothing depends on it, eliminates the network worm behavior of the ransomware and sharply limits its spread.
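The first three mail controls in the list above (strip executables, block password-protected archives, don't trust a filename) can be expressed as a small triage routine. The following is an added example, not code from the page or from any mail-gateway vendor: it strips raw executables and scripts (including a PE binary renamed to look harmless), strips archives that carry them (nested archives included), and holds or, in outbreak mode, blocks archives whose entries are password-protected and therefore cannot be inspected. Every sample attachment is constructed in memory.

```python
"""Inbound attachment triage (added example; all fixtures are constructed)."""
import io
import zipfile

# Extensions that should never arrive inbound, raw or inside an archive.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
ZIP_ENCRYPTED_FLAG = 0x1     # general-purpose flag bit 0 = entry is encrypted
PE_MAGIC = b"MZ"
MAX_NESTING = 2


def _ext(name):
    dot = name.lower().rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def is_executable(name, data):
    """Executable/script extension, or a PE binary renamed to something harmless."""
    return _ext(name) in EXECUTABLE_EXTS or data[:2] == PE_MAGIC


def triage_attachment(name, data, outbreak_mode=False, depth=0):
    """Return (verdict, reason); verdict is one of allow | strip | hold | block."""
    if is_executable(name, data):
        return "strip", f"{name}: raw executable/script"
    if data[:4] != b"PK\x03\x04":
        return "allow", f"{name}: ok"
    if depth >= MAX_NESTING:
        return "block", f"{name}: archive nested too deeply"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                    # Content can't be inspected: hold for review normally,
                    # block outright while an outbreak is under way.
                    verdict = "block" if outbreak_mode else "hold"
                    return verdict, f"{name}: password-protected archive"
                verdict, reason = triage_attachment(info.filename, zf.read(info),
                                                    outbreak_mode, depth + 1)
                if verdict != "allow":
                    return verdict, f"{name} -> {reason}"
    except zipfile.BadZipFile:
        return "block", f"{name}: malformed archive"
    return "allow", f"{name}: ok"


def triage_all(attachments, outbreak_mode=False):
    """Map attachment name -> verdict for a whole message."""
    return {n: triage_attachment(n, d, outbreak_mode)[0] for n, d in attachments.items()}


# --- constructed fixtures -------------------------------------------------
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encrypted flag in every local and central header so the archive
    looks password-protected (fixture only; the data is not really encrypted)."""
    out = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + flag_off] |= ZIP_ENCRYPTED_FLAG
            i = out.find(sig, i + 4)
    return bytes(out)


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60      # constructed; only the magic matters
SAMPLES = {
    "report.pdf": b"%PDF-1.4 constructed sample\n",
    "setup.exe": FAKE_PE,
    "photo.jpg": FAKE_PE,                                            # renamed binary
    "invoice.zip": make_zip({"invoice.js": b"new ActiveXObject('WScript.Shell')"}),
    "docs.zip": make_zip({"notes.txt": b"hello"}),
    "locked.zip": mark_encrypted(make_zip({"payload.txt": b"xxx"})),
    "nested.zip": make_zip({"inner.zip": make_zip({"run.scr": FAKE_PE})}),
}

if __name__ == "__main__":
    for n, v in triage_all(SAMPLES, outbreak_mode=True).items():
        print(f"{v:5} {n}")
```

The magic-byte check is what makes the filter worth more than a file-extension list: `photo.jpg` is stripped because its content starts with `MZ`. A gateway that only looks at names lets the same file straight through.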
Beyond the initial infection, WannaCry spread with two tools from the Shadow Brokers leak: the ETERNALBLUE exploit for the MS17-010 flaws and the DOUBLEPULSAR kernel backdoor. Once running, the worm scans for hosts with TCP 445 reachable, uses ETERNALBLUE to implant DOUBLEPULSAR (or reuses an implant that is already present) and loads itself through it. This is why patching to prevent exploitation is key to protecting every device on the network, not just the first one hit.
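The surface ETERNALBLUE needs can be checked from the network side: a host that still negotiates SMBv1 on TCP 445. The script below is an added example, not code from the page or from Absolute. It builds an SMB1 Negotiate Protocol request offering only the legacy dialects and interprets the reply; a server that picks "NT LM 0.12" still has SMBv1 enabled. The server replies used here are constructed, and `probe()` only runs when the reader points it at a live host.

```python
"""SMBv1 negotiate probe (added example; SMBV1_HOST_REPLY and
SMBV1_REFUSED_REPLY are constructed server answers, not captures)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
            b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12"]


def _smb1_header(command, flags):
    # magic, command, NT status, flags, flags2, pid_high, security features,
    # reserved, tid, pid_low, uid, mid  (32 bytes in total)
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, flags, 0xC853,
                                    0, b"\x00" * 8, 0, 0, 0x2F4B, 0, 0xC55E)


def build_negotiate_request(dialects=DIALECTS):
    """SMB1 Negotiate Protocol Request wrapped in a NetBIOS session header."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)    # 0x02-prefixed strings
    smb = _smb1_header(SMB_COM_NEGOTIATE, 0x18) + struct.pack("<BH", 0, len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb           # type 0, 3-byte length


def parse_negotiate_response(packet):
    """Index of the dialect the server chose, or None if it chose none (0xFFFF),
    returned an error, or the data is not an SMB1 negotiate response."""
    smb = packet[4:]                                   # drop NetBIOS header
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if struct.unpack_from("<I", smb, 5)[0] != 0:       # NT status != SUCCESS
        return None
    if smb[32] == 0:                                   # WordCount 0: no parameters
        return None
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return None if dialect_index == 0xFFFF else dialect_index


def selected_dialect(packet, dialects=DIALECTS):
    idx = parse_negotiate_response(packet)
    return dialects[idx].decode() if idx is not None and idx < len(dialects) else None


def smbv1_enabled(packet, dialects=DIALECTS):
    return selected_dialect(packet, dialects) is not None


def probe(host, port=445, timeout=3.0):
    """Live check against a real host (not run here): dialect name or None.
    A server with SMBv1 disabled usually resets the connection instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        reply = s.recv(4096)            # negotiate replies are a few hundred bytes
    return selected_dialect(reply)


def _fake_reply(dialect_index, word_count=17):
    """Constructed server reply; only the fields the parser reads are meaningful."""
    params = struct.pack("<H", dialect_index) + b"\x00" * (word_count * 2 - 2)
    smb = _smb1_header(SMB_COM_NEGOTIATE, 0x98) + bytes([word_count]) + params + b"\x00\x00"
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


SMBV1_HOST_REPLY = _fake_reply(5)                          # chose "NT LM 0.12"
SMBV1_REFUSED_REPLY = _fake_reply(0xFFFF, word_count=1)    # no common dialect

if __name__ == "__main__":
    print("constructed SMBv1 host:", selected_dialect(SMBV1_HOST_REPLY))
    print("constructed refusal:  ", selected_dialect(SMBV1_REFUSED_REPLY))
```

A positive result means "SMBv1 is reachable and enabled", not "unpatched": MS17-010 fixes the bug without turning SMBv1 off. Treat it as a lead, confirm the patch level (or run a dedicated check such as nmap's `smb-vuln-ms17-010` script), and disable SMBv1 wherever nothing depends on it.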
Light Up Dark Endpoints, Improve Cybersecurity Posture
The threat of ransomware will continue to be a growing concern, with damages that were inconceivable before WannaCry. The way to contain the damage is ultimately greater awareness, automation, a strong IT asset management program, and a more resilient defense-in-depth architecture.
Hackers knew the dark devices were dark: Why didn’t IT? Knowing where your endpoints are, understanding the presence and health of endpoint agents, and knowing whether patch management systems are in working order is vital. Absolute gives you this visibility – whether devices are on or off the corporate network.
Organizations need to respond faster to emerging threats, often when no patch is available or systems cannot be easily maintained. Absolute’s post-infection detection and containment capabilities help customers identify and contain infected devices faster and more effectively than traditional manual processes.
Absolute’s Persistence technology gives enterprises visibility of devices, data, applications, and users – whether they’re on or off the corporate network. We give IT pros the tools to spot and remediate infections (ransomware and malware) and quarantine infected devices before they spread – allowing you to identify and quarantine endpoints that have not been patched so you can remediate as soon as possible.