ESET Ireland’s top 8 tips for preventing ‘WannaCry’ ransomware attack

On Friday, 12th of May, the world was rocked by the biggest ransomware attack in history. It started with Spain’s telecom sector, then news started coming in about the British Health Service being targeted and attacks on FedEx, several Russian banks and ministries, as well as many other targets in about a hundred countries across the world.

The culprit? A piece of ransomware that ESET calls WannaCryptor, also known as WannaCry and Wcrypt, has been spreading rapidly using leaked NSA files, namely the EternalBlue SMB exploit. Unlike most encrypting-type malware, this one has wormlike capabilities, allowing it to spread by itself. As a result, it has spread very quickly indeed.

Since Friday, May 12th, 14.383 ESET clients have reported as many as 66.566 attack attempts: 9922 clients reported 60187 attempts stopped by ESET’s file/memory detection, and 4461 clients reported 6379 attempts stopped by ESET’s Attack Network Protection module.

Top countries affected by the cyberattack, based on file/memory detections (excl. network protection module):

Russia        30189   (45.07%)
Ukraine        7955   (11.88%)
Taiwan         7736   (11.55%)
Philippines    1973   (2.95%)
Egypt          1592   (2.38%)
Iran           1445   (2.16%)
India          1135   (1.69%)
Thailand       1036   (1.55%)
Italy           795   (1.19%)
Turkey          711   (1.06%)
China           706   (1.05%)

ESET created the detection for this vulnerability on April 6, 2017, and its network protection module was already blocking attempts to exploit the leaked vulnerability at the network level before this particular malware variant was even created. ESET increased the protection level by adding detection for this specific threat as Win32/Filecoder.WannaCryptor.D on Friday, May 12th.

ESET Ireland recommends following these guidelines:

  1. You can protect against this exploit by running Windows Update. For more detailed information about the Windows vulnerability and how to resolve it, see Microsoft Security Bulletin MS17-010 – Critical.
  2. Make sure that ESET Live Grid is enabled in your ESET product.
  3. Make sure that your ESET software is upgraded to the latest version and has the latest Virus Signature Database updates.
  4. Do not open attachments sent to you in emails from unknown senders.
  5. Warn colleagues who frequently receive emails from external sources – for instance financial departments or Human Resources.
  6. Regularly back up your data. In the event of infection, this will help you recover all data. To eliminate the risk of infecting your backups, do not leave external storage used for backups connected to your computer. If your system requires Windows Updates to receive the patch for this exploit, create new backups after applying the patch.
  7. Disable or restrict Remote Desktop Protocol (RDP) access (see Remote Desktop Protocol best practices against attacks).
  8. Disable macros in Microsoft Office.
