You may be aware of the ransomware outbreak over the weekend, a Cryptolocker variant. This particular attack carries a weaponised payload that can affect a far wider scope than the initially infected host.
The malware also attempts to access the IPC$ shares and SMB resources that the victim's system can reach. This access lets the malware spread laterally across a compromised network.
Our recommendations are as follows:
- Immediately apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017
- Review your backup strategy and ensure it covers critical assets
- Consider disabling SMBv1 in your environment
- Where you have legacy operating systems (i.e. Windows XP), Microsoft released an emergency patch over the weekend; apply this immediately
- Review the tools available to prevent e-mail spoofing
- Filter all e-mails to detect threats and filter executable files from reaching the end users
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans
- Remove everyday users' access to privileged accounts
- Use a least privilege model for access controls to file, directory, and network share permissions
- Review your security awareness programs to educate users
- Ensure that you have an overall patch management strategy in place for both OS and application patch management
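As an added example that is not part of the original advisory, the following PowerShell script audits a Windows host against the first, third and least-privilege points above: it checks whether the MS17-010 update is installed, reports the SMBv1 state, lists the shares the host exposes, and disables SMBv1 only when asked. The KB identifier is a placeholder to be replaced with the MS17-010 update ID for the host's OS; the Smb* cmdlets assume Windows 8/Server 2012 or later, and the registry step is Microsoft's documented fallback for older releases.

```powershell
# Added example, not from the original advisory. Run from an elevated prompt.
# $Ms17010Kb is a PLACEHOLDER: substitute the KB number for this host's OS
# from the MS17-010 bulletin before use.
param(
    [string]$Ms17010Kb = 'KB_PLACEHOLDER',
    [switch]$DisableSmb1
)

# 1. Is the MS17-010 update installed on this host?
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "MS17-010 ($Ms17010Kb) installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "MS17-010 ($Ms17010Kb) NOT found - patch this host"
}

# 2. Is the SMBv1 server protocol still enabled? (Windows 8/2012 and later)
$smbConf = Get-SmbServerConfiguration
Write-Output "SMBv1 server protocol enabled: $($smbConf.EnableSMB1Protocol)"

# The optional-feature view (Windows 8.1/2012 R2 and later); absent on older builds
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
if ($feature) { Write-Output "SMB1Protocol feature state: $($feature.State)" }

# 3. Which shares does this host expose? IPC$ is always present; review the
#    rest against the least-privilege model for share permissions.
Get-SmbShare | Select-Object Name, Path, ScopeName | Format-Table -AutoSize

# 4. Disable SMBv1 only when explicitly requested.
if ($DisableSmb1) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    # Registry method used on older releases (Microsoft KB 2696547)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Output 'SMBv1 disabled; reboot the host to complete the change.'
}
```

Run it once without `-DisableSmb1` to see the audit output, and test the disable step on a non-production host first, since legacy devices that only speak SMBv1 will lose access to this server's shares.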