You may be aware of the ransomware outbreak over the weekend, a Cryptolocker variant. This particular attack carries a weaponised payload with the potential to affect a far wider scope than the initially infected host.

The malware also attempts to access the IPC$ shares and SMB resources that the victim’s system can reach. This access lets the malware spread laterally across a compromised network.

Our recommendations are as follows:

  • Immediately apply the Microsoft patch for the MS17-010 SMB vulnerability, dated March 14, 2017
  • Review your backup strategy and ensure it covers critical assets
  • Consider disabling SMBv1 in your environment
  • Where you have legacy operating systems (i.e. Windows XP) – Microsoft released an emergency patch over the weekend; apply this immediately
  • Review the tools available to prevent e-mail spoofing
  • Filter all e-mails to detect threats and prevent executable files from reaching end users
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans
  • Remove everyday users’ access to privileged accounts
  • Use a least privilege model for access controls to file, directory, and network share permissions
  • Review your security awareness programs to educate users
  • Ensure that you have an overall patch management strategy in place for both OS and application patch management
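An added example (not part of the original advisory) showing how the MS17-010, SMBv1 and share-permission recommendations above can be checked and applied on a single Windows host with built-in PowerShell cmdlets. The KB list is a placeholder to be filled from the MS17-010 bulletin for your OS build; run in an elevated session.

```powershell
# Added example, not from the original advisory. Audits MS17-010 patch status, SMBv1
# state and over-broad share permissions, then offers a function to disable SMBv1.
# PLACEHOLDER: replace with the MS17-010 KB number(s) for your OS build.
$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-BUILD')
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # True if any listed hotfix ID appears in the installed updates.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Get-Smb1Status {
    # Windows 8 / Server 2012 and later expose the SMB server configuration cmdlet.
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    # Older builds (Windows 7 / Server 2008 R2) honour the SMB1 registry value; 0 disables it.
    $reg = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Ms17010Present    = Test-Ms17010Installed
        ServerSmb1Enabled = if ($srv) { $srv.EnableSMB1Protocol } else { 'cmdlet unavailable' }
        RegistrySmb1      = if ($reg -and $null -ne $reg.SMB1) { $reg.SMB1 } else { 'not set (defaults to enabled)' }
    }
}

function Get-OverbroadShares {
    # Shares granting Everyone or Authenticated Users Full or Change access: candidates
    # for the least-privilege review recommended above.
    Get-SmbShare -ErrorAction SilentlyContinue | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name -ErrorAction SilentlyContinue
    } | Where-Object {
        $_.AccountName -match 'Everyone|Authenticated Users' -and $_.AccessRight -in 'Full', 'Change'
    } | Select-Object Name, AccountName, AccessRight
}

function Disable-Smb1 {
    # Turns SMBv1 off server-side, sets the registry value for older builds, and removes
    # the optional feature where the cmdlet exists. A reboot completes the change.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

# Audit first; call Disable-Smb1 only after confirming no legacy system still needs SMBv1.
Get-Smb1Status | Format-List
Get-OverbroadShares | Format-Table -AutoSize
```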