The WannaCry ransomware worm ravaged computers across 150 countries. The attacks began May 12, 2017, infecting PCs at organizations that had not applied security updates to some versions of Microsoft Windows. This menace paired ransomware, which encrypted computers and demanded payment, with a worm that enabled it to spread quickly. The ransomware encrypts all of the user’s data, then displays a pop-up message demanding a $300 Bitcoin payment in return for the decryption key.

In the UK, the attack on the National Health System left hospital workers unable to review patient health histories, which postponed surgeries and increased the risk to all new patients. Medical staff reported seeing computers go down “one by one” as the attack took hold, locking machines and demanding money to release the data.

Organizations had only days to patch their Windows end-user and server systems. Because the malware re-propagates so effectively, virtually any organization that has not applied Microsoft’s recommended mitigations is still at potential risk of an attempted WannaCry attack.

Once on a system, the malware determines which subnet it is on so that it can infect neighboring machines. Anti-virus software is the next line of defense once a worm has breached a machine, so ensuring total coverage of the IT infrastructure is critical. Any chinks in the armor must be detected and remediated. Anti-virus products detect strings of code known as virus signatures before killing the offending program. When these products fail, network administrators are forced to redirect suspicious traffic to IP sinkholes, steering it out of harm’s way.

Just like anti-virus software, patch management solutions usually require a management agent to be installed on the target system. For example, Microsoft System Center Configuration Manager (SCCM), a leading endpoint-management solution for enterprise Windows client machines, uses agents. To be effective, the agent must be running on every managed system. Not surprisingly, 100% coverage is very rare.

Despite encouraging reports of waning threat activity, WannaCry continues to pose significant risks. Blazent provides a SaaS solution that enables its customers to use five or more data sources to build an accurate inventory of their IT assets, such as end-user systems and servers. This verified inventory is used to identify systems that are missing patch management and anti-virus agents. If organizations place their faith in a single data source, such as IT discovery tools, they are unlikely to have a complete picture. Read the Blazent white paper, The False Promise of Discovery Tools, to learn the importance of verifying such a data source.
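
The reconciliation idea described above can be sketched as an added example; it is not Blazent's code or method. It merges five constructed host lists (all source names and hostnames are assumptions made for illustration) and reports which machines lack a patch-management or anti-virus agent, and which are known to only one source.

```python
from collections import defaultdict

# Constructed sample exports; hostnames and source names are made up.
# Sources disagree on case and DNS suffix, so names are normalised first.
SOURCES = {
    "active_directory": ["WS-001", "WS-002", "SRV-DB01", "SRV-WEB01"],
    "dhcp_leases": ["ws-001.corp.example", "ws-003.corp.example",
                    "kiosk-07.corp.example"],
    "network_discovery": ["ws-001", "ws-002", "srv-db01", "srv-file02"],
    "sccm_agents": ["WS-001", "WS-002", "SRV-DB01"],
    "av_console": ["ws-001", "srv-db01", "srv-web01", "kiosk-07"],
}
# Sources whose presence proves an agent is installed and reporting.
AGENT_SOURCES = {"sccm_agents": "patch", "av_console": "antivirus"}

def normalise(name):
    """Lower-case the name and drop any DNS suffix."""
    return name.strip().lower().split(".")[0]

def build_inventory(sources):
    """Map each host to the set of sources that have seen it."""
    seen = defaultdict(set)
    for source, hosts in sources.items():
        for host in hosts:
            seen[normalise(host)].add(source)
    return dict(seen)

def coverage_gaps(inventory, agent_sources=AGENT_SOURCES):
    """Return {host: [missing agent types]} for hosts lacking any agent."""
    gaps = {}
    for host, srcs in inventory.items():
        missing = sorted(label for src, label in agent_sources.items()
                         if src not in srcs)
        if missing:
            gaps[host] = missing
    return gaps

def single_source_hosts(inventory):
    """Hosts only one source knows about: what relying on it alone hides."""
    return sorted(h for h, srcs in inventory.items() if len(srcs) == 1)

if __name__ == "__main__":
    inventory = build_inventory(SOURCES)
    gaps = coverage_gaps(inventory)
    print(f"{len(inventory)} hosts known, {len(gaps)} with an agent gap")
    for host in sorted(gaps):
        print(f"  {host}: missing {', '.join(gaps[host])}")
    print("seen by one source only:", single_source_hosts(inventory))
```

On this sample, the SCCM agent list alone shows three healthy machines, while the merged view shows seven hosts, four of them with no patch agent.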