WannaCry Recovery 2018-06-20T12:55:29+00:00

Recovery from the WannaCry ransomware attack

Although the devastating WannaCry attack appears to have abated, organisations still need to recover from the attack and prepare for the inevitable next wave of malware that uses the same infection mechanisms. Nettitude have therefore produced the following advice on recovery and remediation.


Rebuild

As the investigation into the malware is still in its early stages, it cannot be confidently stated that the malware did not drop components that may lead to re-infection of impacted systems. Therefore, you should rebuild impacted systems from known good media.

Patch

Before restoring data, apply all the security patches for your system, making sure that the patch for MS17-010 is among them. For current Windows systems the patches are available through the Windows Update service. For some legacy systems, notably Windows XP and Windows Server 2003, Microsoft has released an out-of-band patch, which can be found here:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Note that the patches are dependent on your having various Service Packs installed, so you will need to upgrade your systems to at least the appropriate service pack.

If you cannot patch, then we recommend that the system is taken off the network entirely.

Restore

Restore encrypted data from your back-ups. If you do not have working back-ups, or your back-ups are poorly managed, then you will have to assess the value of the missing data and evaluate the impact to your business. We do not recommend that you pay the ransom, as this only encourages further attacks. However, we recognise that you will have to manage the risk around this difficult issue.

Block

Ensure that SMB is not exposed to the internet at your perimeter: implement a firewall rule that blocks all incoming SMB traffic at the perimeter. You should also survey your entire estate to identify any nodes that are still using SMBv1; we recommend that you disable this protocol:

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

In addition, there are indications that the malware also spread via RDP sessions. Ensure, therefore, that RDP is not directly exposed to the internet at your perimeter. See our RDP threat advisory for more information.
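The Patch and Block steps above both come down to checks that an administrator can run across the estate: is SMBv1 still on, is the MS17-010 fix present, and is inbound SMB blocked. The following PowerShell script is an added example written for this page, not Nettitude's tooling. It assumes an elevated session, WinRM enabled on the target hosts, a host list you supply (the `localhost` entry is a constructed placeholder), and that you fill in the MS17-010 KB numbers for your OS builds from the Microsoft bulletin, since they differ per version and are deliberately left as a placeholder here.

```powershell
# Added example (not part of the original advisory): audit SMBv1 and the MS17-010 patch on
# each host, then optionally disable SMBv1 and block inbound SMB at the host firewall.
# Assumptions: elevated PowerShell 5.1+, WinRM reachable, $Computers replaced with your inventory.

$Computers  = @('localhost')   # constructed placeholder; e.g. (Get-ADComputer -Filter *).Name
$Ms17010Kbs = @()              # placeholder: KB ids for MS17-010 per OS build, taken from the bulletin
$ApplyFix   = $false           # set to $true after reviewing the audit report

# Audit block, run remotely on every host in the list
$Audit = {
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Windows 8.1 / Server 2012 R2 and later: SMB1 is an optional feature and an SMB server setting
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $r.Smb1Feature = if ($feat) { [string]$feat.State } else { 'n/a' }
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $r.Smb1ServerEnabled = if ($cfg) { $cfg.EnableSMB1Protocol } else { 'n/a' }

    # Windows 7 / Server 2008 R2 and older: the LanmanServer registry value is the only switch;
    # when the value is absent SMB1 is enabled by default
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $r.Smb1Registry = if ($null -ne $reg.SMB1) { $reg.SMB1 } else { 'unset (enabled)' }

    # MS17-010 check: only meaningful once the KB list has been filled in
    $kbs = $using:Ms17010Kbs
    $r.Ms17010Installed = if ($kbs.Count -gt 0) {
        [bool](Get-HotFix -Id $kbs -ErrorAction SilentlyContinue)
    } else { 'not checked' }

    # Does a host firewall rule already block inbound TCP 445?
    $rule = Get-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' -ErrorAction SilentlyContinue
    $r.InboundSmbBlocked = [bool]$rule

    [pscustomobject]$r
}

# Remediation block: disable SMBv1 everywhere it can be switched off, then block inbound SMB
$Remediate = {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    # Legacy registry switch; harmless on newer builds
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0

    # Host-level block of inbound SMB (TCP 445, plus 139 for the NetBIOS session service) on the
    # Public profile; the perimeter firewall should enforce the same rule at the edge.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 445,139 -Action Block -Profile Public | Out-Null
    }
    "$env:COMPUTERNAME: SMBv1 disabled (reboot may be required), inbound SMB blocked"
}

$report = Invoke-Command -ComputerName $Computers -ScriptBlock $Audit
$report | Select-Object Computer, Smb1Feature, Smb1ServerEnabled, Smb1Registry, Ms17010Installed, InboundSmbBlocked |
    Format-Table -AutoSize

# Hosts that still need work: SMBv1 on by any of the three switches, or no inbound block
$needsFix = $report | Where-Object {
    $_.Smb1ServerEnabled -eq $true -or $_.Smb1Feature -eq 'Enabled' -or
    $_.Smb1Registry -ne 0 -or -not $_.InboundSmbBlocked
}

if ($needsFix -and $ApplyFix) {
    Invoke-Command -ComputerName $needsFix.Computer -ScriptBlock $Remediate
} elseif ($needsFix) {
    "Hosts requiring remediation (set `$ApplyFix = `$true to apply): " + ($needsFix.Computer -join ', ')
}
```

Run the audit first with `$ApplyFix` left at `$false` and read the table: a host reporting `Ms17010Installed = False` with SMBv1 still enabled is exactly the exposure the advisory describes and should be taken off the network if it cannot be patched. Disabling SMBv1 on Server 2012 (non-R2) uses `Remove-WindowsFeature FS-SMB1` instead of the optional-feature cmdlet, so extend the remediation block if you have that build in scope.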

Plan

Ensure that you have robust policies and plans in place to deal with any future incidents. Create an IR playbook that dictates the actions your organisation will undertake in a range of scenarios. As ransomware is such a serious threat, your best hope of recovering data is to ensure that you have robust back-ups which are kept off-line so that they can't also be encrypted. Have a documented backup strategy and ensure that you test your back-ups regularly.

Clearly you need to prepare for more ransomware, but don’t fall into the trap of continually fighting the last war in respect of security breaches.  You should develop a cyber-security programme that takes a holistic view of people, processes and technology within your organisation.   If you haven’t got a cyber-security strategy for your organisation, then now is the time to start one.

Nettitude can provide skills across a broad range of security domains, contact us today for more information.

 Contact Nettitude’s 24×7 Incident Response helpline to get hands-on support in recovering from WannaCry and prevent future variants of Ransomware from hitting your environment.

 Call us on 212-335-2285.