Last week the world witnessed the impact of a malicious cyberattack which affected several organizations and institutions across the globe. Hospitals, airports, courier delivery service, telecommunications, government agencies, and others all fell victims to what is being described as one of the worst and most extensively spread ransomware attacks in history as reported by CNN Tech called WannaCry. The WannaCry ransomware is a severe threat that is exposing several global organizations to the potential risks of losing access to business intellectual property and customer related information. To make matters worse, the impact of WannaCry is putting lives at risk. As reported by CNN Tech, sixteen National Health Service (NHS) organizations in the UK were impacted and as a result, some hospitals were forced to cancel outpatient appointments and informed patients to avoid emergency departments for the time being if possible.
At this point, it is safe to say that the impact of WannaCry exceeds the financial burden of impacted organizations but it also exposes human lives at risk when hospitals and health institutions are forced to refrain from seeing patients because they don’t have access to their personal health records.
It would be remiss of me not to mention the fact that it takes more than just technology and tools for organizations to proactively protect their infrastructures and data from cyberattacks such as WannaCry. This has very much to do with the aptitude and maturity of the management team responsible for the IT infrastructures. The lack of operational maturity and reliance on antiquated policies around system patching is also one of the biggest reasons as to why WannaCry has been so impactful. All of the tools and technology in the world can’t really fix human ignorance.
There are many technology solutions available that can help organizations protect their infrastructures against these types of cyberattacks. Before I provide a couple of recommendations to keep the ransomware from spreading and how to quickly get access to infected systems and the data being held at ransom, let me provide some information on what the WannaCry cyberattack is doing, what it does, how does it do, and what has already been done to mitigate the risk of infection.
WannaCry is a global ransomware attack that is spreading throughout the world by exploiting a Windows operating system vulnerability which was described in. The vulnerability allows remote code execution of malicious develop code that sends messages to a Microsoft Server Message Block (SMB) Server over a network of connected Windows systems. According to Microsoft, a security patch to fix the Windows operating system vulnerability that is being exploited by the WannaCry ransomware was released in March. They have also recommended and instructed for everyone to path their windows operating systems and enable Automatic Windows Update to be safe and overcome the risks of being impacted by the WannaCry ransomware cyberattack.
WannaCry spreads over networks, and it locks down all the files of an infected system by encrypting them and preventing access to any data. The demanded ransom to gain access to files is a payment of $300 per infected system in Bitcoin currency. After the ransom is paid, a private key is then provided which would then be used to decrypt the files and regain access. In the event, the payment is not paid in a defined period the files on the infected systems will remain encrypted and will be permanently lost.
Now that I’ve provided information about the cyberattack and the vulnerability that is being exploited, the operating systems that are being targeted, and its overall purpose I can provide some technological recommendations to be considered for proactive preparation against cyberattacks like WannaCry.
WannaCry Attack Points and Infrastructure Responsibilities Impacted:
- WannaCry is targeting Windows operating systems exploiting a vulnerability found in the Microsoft Server Message Block 1.0 (SMBv1) Server – Patching, Network, Security
- WannaCry is designed to gain control of information and data by encrypting any file that it finds in an infected system – Data Protection, Immutability
- WannaCry data access or data loss demands are based on time – Low RTO and RPO
With most the world’s enterprise data centers being highly virtualized they are all likely to be hosting an exponential number of virtual machines running Windows operating systems. While I have no data to validate this next statement, I’m going to assume that the WannaCry ransomware cyberattack has impacted or could impact a significantly large number windows virtual machines that are being hosted on virtualized infrastructures. The virtualization platforms may vary ranging from VMware vSphere, Microsoft Hyper-V, KVM, etc. There are several solutions available to each one of those platforms to combat against cyberattacks but I’m going to focus on the platform I know best which is VMware vSphere. VMware vSphere and their partner ecosystem is also the most adopted virtualization platform in the enterprise today.
Recommendations Against WannaCry for Cohesity and VMware NSX Customers
- WannaCry is targeting Windows operating systems that haven’t been patched since March. This is not an entirely technology driven problem but an inefficient security and vulnerability patching operating model and procedure. Even with the right tools in place organizations may fall victims to these types of attacks all because of the lack of operations maturity and inadequate procedures for rolling out patches.
- Recommendation – do a better job arranging the roll out of patches. This is more on the infrastructure management and operations policies and procedures than anything else.
- WannaCry is exploiting a vulnerability found in the Microsoft Server Message Block 1.0 (SMBv1) Server, and it is spreading over the network. The right network and security tools can help secure and lockdown application ports and networks interfaces to eliminate the exploit being use by the cyberattack.
- Organizations using VMware NSX can easily configure NSX to block and isolate infected virtual machines automatically and prevent the WannaCry from spreading over the network by defining a security group for Windows virtual machines that can use to quarantine the state of all windows virtual machine via a system security policy.
- Use NSX Microsegmentation to block the ports that are being exploited by the vulnerability by creating a security policy at placing it at the top of the NSX distributed firewall rules.
- Create a rule blocking the following ports to prevent WannaCry from spreading:
- 137 UDP NETBIOS Name Service
- 138 UDP NETBIOS Datagram Service
- 139 TCP NETBIOS Session Service
- 445 TCP Microsoft CIFS
- Create a rule blocking the following ports to prevent WannaCry from spreading:
- WannaCry is designed to encrypt files located on infected systems. A limited time is provided before the price of the ransom to regain access to the files is increased to a larger cash amount. If the ransom is not paid the encrypted files are at risk of permanent loss. From a data recoverability perspective, organizations that are using Cohesity DataPlatform for converged data protection and recovery and other secondary storage functions can overcome the impact of ransomware cyberattacks such as WannaCry.
- Cohesity provides robust protection and recoverability capabilities against ransomware cyberattacks by keeping data (virtual machines or files) that are backed up onto the platform secure. With Cohesity backups are performed and protected via time-based snapshots and the primary backups are kept in an immutable format that is stored in logical presentation abstraction known as Views which are never exposed and inaccessible for operating system mount functions.
- As WannaCry spreads throughout an infrastructure infecting Windows virtual machines, it is only infecting the running instance of the virtual machines and not its clone counterparts. Once Cohesity has protected the Windows virtual machines, an administrator can quickly restore the infected files of virtual machines from an immutable copy of the files of virtual machines to a point in time before the virtual machines were infected. This approach is also applicable to database applications.
- WannaCry file encryption can be quickly mitigated by organizations using Cohesity because of the DataPlatform’s ability to perform near-instant recoverability and infinite recovery points due to its space and time efficient fast snapshotting capabilities.
- Below is a simulated ransomware cyberattack demonstration which showcases the effectiveness and efficiency of Cohesity by highlighting how quickly organizations can recovery from ransomware cyberattacks such as WannaCry. For more details on how Cohesity can protect organizations against ransomware cyberattacks read the article “Ransomeware meets its match in Cohesity”
We are at the precipice of the world’s digital transformation and as we digitize more information and depend on it more than ever we can expect cyberattacks that are aimed at gaining control of your data to continue happening. It is important to improve organization operating process and procedures. Look for modern solutions for patching, network, security and data management (protection, archival, retention) to help with modern threads of the digital era. VMware NSX modern networking and security features and capabilities and Cohesity’s modern DataPlatform together and individually provide significant ways to proactively and reactively eliminate the impact of cyberattack from a network, security and data accessibility and recoverability perspective but the fight will continue. Stay Alert!
For future updates about Cohesity, Data Management, Primary and Secondary Storage, Cloud Computing, Networking, VMware vSAN, vSphere Virtual Volumes (VVol), vSphere Integrated OpenStack (VIO), and Cloud-Native Applications (CNA), and anything in our wonderful world of technology be sure to follow me on Twitter: @PunchingClouds.