Preventing the WannaCry attack is simple: update Windows. Stopping the next ransomware attack may take more prevention steps. WannaCry spreads using an exploit that became public on April 14, when a group calling itself the Shadow Brokers released a set of tools allegedly developed by the NSA. The exploit in question, EternalBlue, targets vulnerabilities in the SMBv1 implementation in Windows, but Microsoft had already fixed those vulnerabilities a month earlier, on March 14, in security update MS17-010.
This means that anyone who applied security patches at least once a month was already protected by the time the attacks started in May, nearly two months after the fix shipped.
If you have not yet been hit by WannaCry, stop reading this blog and run Windows Update right now on your entire environment – starting with your most critical systems. Uptime be damned; this is war. As of this writing, 300,000 computers in over 150 countries have been infected, and there is little sign that it is stopping anytime soon.
If you’ve run Windows Update on your entire environment, take a deep breath knowing that you’re at least safe from WannaCry. Where a system truly cannot be patched, the fallback is to disable SMBv1 on it and block TCP port 445 to it from anywhere it does not need to be reached. But what about other exploits? Make sure you are staying up to date on security notifications and updating your systems as appropriate. If most of the world had done this when the exploits were published on April 14, the WannaCry attack of May 12 would have been a non-story. For more details on how to protect yourself from ransomware in general, read this post I wrote a while back.
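To turn “run Windows Update” into something you can verify host by host, here is an added example (my code, not from the original post) that audits a single Windows machine for the MS17-010 fix and for SMBv1 exposure, and can disable SMBv1. It assumes an elevated PowerShell prompt; the KB numbers are the MS17-010 package IDs for common OS versions, and you should check them against the bulletin for the exact versions you run.

```powershell
# Added example, not from the original post: audit one Windows host for the
# MS17-010 fix and for SMBv1 exposure, and optionally disable SMBv1.
# Run from an elevated PowerShell prompt. The KB list is taken from the
# MS17-010 bulletin for common OS versions; verify it against the bulletin
# for the exact OS versions in your environment.

$Ms17010Kbs = @(
    'KB4012598',                           # XP / Vista / 8 / Server 2003 / 2008 (out-of-band package)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    # Get-HotFix lists installed updates by HotFixID. A host built from media
    # that already contains a later cumulative update will not show any of
    # these IDs even though it is fixed, so treat "not found" as "go check",
    # and rely on the SMBv1 check below as the second signal.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Ms17010Found = ($found.Count -gt 0)
        MatchedKb    = ($found -join ',')
    }
}

function Test-Smb1 {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: ask the SMB server directly.
        $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2 have no SMB cmdlets; the LanmanServer
        # 'SMB1' registry value is the switch (absent or 1 = enabled, 0 = off).
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -ErrorAction SilentlyContinue
        $serverEnabled = (-not $v) -or ($v.SMB1 -ne 0)
    }
    # Optional-feature state covers the SMB1 client driver too (Windows 8.1/10).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$serverEnabled
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'n/a' }
    }
}

function Disable-Smb1 {
    # Stop offering SMB1 right away (no reboot needed), then remove the
    # feature so the client side goes too. Confirm nothing still depends on
    # SMB1 (old NAS boxes, printers, scanners) before running this.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue
}

Test-Ms17010
Test-Smb1
# Uncomment once you have confirmed nothing in the environment still needs SMB1:
# Disable-Smb1
```

Run it through your remoting or management tooling across the estate, critical systems first, and treat any host that reports Smb1ServerEnabled = True as exposed regardless of what the KB check says: a patched host still offering SMBv1 is safe from this exploit, but the next SMBv1 bug will find it just as easily.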
How Do You Stop All Ransomware Attacks?
Some believe that many exploits could be stopped simply by running something other than Windows for critical systems, and there is a little truth to that. According to the CVESystems website, which tracks such things, Linux and MacOS each have fewer than 10 entries with known exploits since 1996, while Windows has had over 300 during the same period. For what it’s worth, both Linux and MacOS have a large number of vulnerabilities listed on CVESystems, but a much higher percentage of Microsoft’s vulnerabilities were actually exploited. Those counts are a rough proxy at best: exploit counts track where attackers spend their effort, not the intrinsic security of the platform, and ransomware exists for Linux and MacOS too. So even if migrating everything to Linux reduced your risk, it would not remove your risk altogether.
So what’s the one thing you can do to protect yourself from all ransomware attacks? Have a good backup system that follows the 3-2-1 rule: three copies of your data, on two different media, with one copy offsite. Put another way, make sure there is an “air gap” between at least one of your backups and the attackers: a copy that cannot be reached, overwritten or deleted from the network the attacker is on, nor with any credential your backup server holds. That way, if they attack your backup server, they cannot corrupt all your backups while they are corrupting your primary data.
Making sure you have an actual air gap is doubly important if you have a Windows-based backup server. WannaCry is a worm: once one machine in your company is infected, it scans the network over SMB (TCP port 445) for other vulnerable systems to infect. If one of those systems is your Windows-based backup server, an air gap is your only way to recover. (Remember, you can stop WannaCry by simply updating Windows.)
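That scanning behaviour is also something you can watch for. The following is an added example (my code, not from the original post) that reads Windows Firewall log lines and flags any source that talks to many distinct hosts on TCP/445 within a short window, which is what a worm looks like and what a user opening a file share does not. The log lines are constructed for the example: 10.0.0.5 plays the infected host and 10.0.0.7 does ordinary file-share traffic; the threshold and window are tuning assumptions, not values from the post.

```powershell
# Added example, not from the original post: flag hosts that sweep the network
# on TCP/445 the way WannaCry does when it looks for its next victim.
# Input is the Windows Firewall log format (pfirewall.log with "log successful
# connections" enabled). The lines below are constructed for this example:
# 10.0.0.5 is the infected host, 10.0.0.7 is a user hitting one file server.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:01:02 ALLOW TCP 10.0.0.7 10.0.0.20 50001 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.0.5 10.0.0.10 49321 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.0.5 10.0.0.11 49322 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.0.5 10.0.0.12 49323 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:04 ALLOW TCP 10.0.0.5 10.0.0.13 49324 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:04 ALLOW TCP 10.0.0.5 10.0.0.14 49325 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:04 ALLOW TCP 10.0.0.5 10.0.0.15 49326 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:09 ALLOW TCP 10.0.0.7 10.0.0.20 50002 445 0 - 0 0 0 - - - SEND
'@

function Find-SmbSweepers {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,      # distinct 445 targets inside one window (tuning assumption)
        [int]$WindowSeconds = 60  # window length (tuning assumption)
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Parse only TCP/445 records into (Time, Src, Dst) triples.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # fields: 0 date, 1 time, 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 6 src-port, 7 dst-port
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [PSCustomObject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    # Per source, slide a window over its events and count distinct destinations.
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $window  = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $targets = @($window.Dst | Sort-Object -Unique)
            if ($targets.Count -ge $Threshold) {
                [PSCustomObject]@{
                    Src                = $group.Name
                    Distinct445Targets = $targets.Count
                    FirstSeen          = $start
                    LastSeen           = $window[-1].Time
                }
                break   # one alert per source is enough
            }
        }
    }
}

$lines = $SampleLog -split "`r?`n"
# Expected: one row for 10.0.0.5 (6 distinct targets in 2 seconds); 10.0.0.7 is not reported.
Find-SmbSweepers -Lines $lines | Format-Table -AutoSize
```

The same logic works on firewall logs collected from the targets (the RECEIVE side) or on NetFlow, since the signal is the same: one client address fanning out to many servers on 445. Allowlist the few sources that legitimately do this (vulnerability scanners, software-deployment servers) rather than raising the threshold, and treat a hit on a host that the patch audit already flagged as an incident, not a ticket.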
This may not sound fancy, but having a solid backup strategy that takes ransomware into account is the absolute best “last line of defense” against these attacks. Tape is coming back into vogue. Short of physically pulling hard drives and shipping them around (which they’re not really made to do), tape is the only practical way to get an air gap in your backup system. Even a cloud-connected copy isn’t an air gap if it can be deleted using the credentials your backup server holds. But the only way a hacker can destroy your offsite tape backups is to stick up your offsite vaulting vendor.