There’s no shortage of #wannacry #ransomware coverage across the board including mainstream media. The always-sound advice of keeping yourself patched with up-to-date vendor software continues to stand. However, that will never be enough.
Security must be approached in layers. To illustrate this need, let’s take a quick inventory of one sector of the vulnerable computers: end-of-life and past support Windows XP:
|Estimated number of computers still running Windows XP||Over 100,000,000 (100 Million) (source Wikipedia)|
|Estimated number of #wannacry infections||230,000 (source Wikipedia) at time of writing|
Even if all of the 230,000 known infections so far were Windows XP, that represents only 0.23% of vulnerable computers. Not to mention Server 2003 in existence and other unpatched Windows versions running SMBv1.
The root of #wannacry is in MS17-010, which was patched two months ago. Many organizations had insufficient budget resources, IT resources and even insufficient time to patch without impacting normal business.
This paints a bleak picture of the coming days, weeks and months. For those who have been in the industry for two decades will remember Nimda. It is still alive 20 years later. I know Michael Proper remembers those days all too well!
The one layer of security that consistently mitigates modern threats, even during zero-day periods, is egress control. The traditional methodology for SME and even corporations is an “Allow all, block some” approach. Egress control is about applying the opposite: “Block all, allow some”. From an endpoint device, this means that all outbound access is denied unless whitelisted. This isn’t nearly as daunting as it has been in the past because a “starter” whitelist can easily be determined with a passive logging approach for a period of time. Or, a dynamic “unblock request” as you go.
The reason that Gateway.Management DTTS-enabled environments have experienced #wanancry mitigations is due to the way whitelisting resolves all non-whitelisted domains to the block page for end-user interaction. From #wannacry’s perspective, any past, current, or future killswitch domain is already responsive. It is entirely possible, of course, for malware authors to use an alternate methodology of killswitch creation, but at the time of writing, there is now the third iteration of #wannacry and every working worm still uses this same killswitch methodology.
IMAGE: World map shows where computers were infected by WannaCrypt ransomware since Sunday, as recorded by MalwareTech.com.