Manage Learn to apply best practices and optimize your operations.

Latest Windows ransomware attack exposes hard truths

Now that the aftershocks from the WannaCry ransomware outbreak have subsided, I think we can distill everything we’ve learned into a nutshell: It’s all the systems administrators’ fault.

Forget the National Security Agency, the developers of the EternalBlue exploit, and the hackers who packaged the Server Message Block version 1 (SMBv1) vulnerability into ransomware. Blame IT for all the trouble that affected, at last count, more than 400,000 Windows machines worldwide.

After all, when WannaCry — also known as Wcry and WannaCrypt — launched on May 12, Microsoft had already addressed the SMBv1 exploit in March when it issued patches for security bulletin MS17-010. Most IT shops patch immediately, right? And they all follow best practices? And run the latest operating systems?

It’s convenient to find a scapegoat and point the finger at the beleaguered sys admins — the same people who worked untold hours to patch numerous systems before users returned to work after the May 13-14 weekend — because the patch to suppress the attack was already three months old.

WannaCry hit England’s National Health Service particularly hard. Patients scheduled for surgeries and other medical procedures had to leave hospitals until the IT teams could free encrypted files held hostage by the ransomware. According to The Guardian, about 90% of the NHS’ systems are Windows XP, which Microsoft dropped from support in 2014.

A screenshot shows the message the WannaCry ransomware displays after it has encrypted the user's files. The Windows ransomware requests $300 in bitcoin to decrypt the files.

A screenshot shows the message the WannaCry ransomware displays after it has encrypted the user’s files. The Windows ransomware requests $300 in bitcoin to decrypt the files.

This example illustrates the secret lives of sys admins. In the theoretical world, anything and everything is possible. It’s a magical place where IT’s budget is sufficient and sacrosanct, and the latest Windows operating system rolls out the moment it becomes available.

But the reality is that many administrators work in what we can diplomatically refer to as less-than-ideal situations. They have spotty networks, outdated hardware and not enough time to get everything done. These sys admins must find a way to protect the company that relies on a line-of-business application that runs on an unsupported operating system that cannot be upgraded or else the software vendor will drop its support.

In recognition of the gravity of the WannaCry attack and the pain of numerous organizations, Microsoft took the unusual step to provide WannaCry fixes for several legacy operating systems. Short of waiting for Microsoft to come to the rescue, what can administrators do to shore up defenses before the next Windows ransomware attack?

Lock systems down
Educate yourself. Follow security professionals on Twitter, read Microsoft TechNet blogs related to security and check other security blogs. Learn where your vulnerabilities are and plug holes whenever possible.

Microsoft’s Ned Pyle has blogged about the looming troubles for administrators who leave the SMBv1 enabled. The United States Computer Emergency Readiness Team, among other security sites, has long recommended administrators block the ports that give SMBv1 internet access.

A short PowerShell command can disable SMBv1, but that doesn’t help with older OSes including XP and Windows Server 2003 that require SMBv1 to function. Ideally, an organization will upgrade to a supported operating system or air-gap those machines.

Apply updates ASAP
Verizon’s annual Data Breach Investigation Report (DBIR) provides several takeaways regarding the daily threats faced by various industries.

In the 2017 DBIR, the company recommended that organizations apply security updates in a timely fashion and check that all systems have the most recent application updates.

As the WannaCry outbreak demonstrated, a patch for affected supported operating systems is effective only if IT actually applies it shortly after availability. If your organization updates machines once every three months, it might be time to rethink your patching processes.

Use PowerShell for a rapid response
A small PowerShell script could pull hundreds — or thousands — of computer names out of Active Directory and query them to quickly check whether they contain security updates related to the MS17-010 security bulletin.

PowerShell is more than 10 years old, and Microsoft continues to pour significant development resources into this scripting and automation tool. There’s a bit of a learning curve with PowerShell, but a sys admin who builds proficiency with its cmdlets can wield tremendous influence over the data center, particularly one that hosts a wide range of apps and systems. This type of expertise can save hours of work when the next Windows ransomware epidemic hits.

Make bulletproof backups
If ransomware does slip past the defensive perimeter and encrypt critical data, organizations should have a solid backup plan in place to overcome this setback.

One common plan is a “3-2-1” system: Keep three copies of the data; store two copies of the data on different storage types, such as a networked-attached storage device and external drives; and place one copy of the data offsite. Test the restore procedure before disaster strikes.

We all know that sys admins do the best they can under difficult circumstances. Are you thwarted by too many tickets, not enough personnel, inadequate budget — or a confluence of multiple issues? Comment below to tell us about your pain points.

Tom Walat is the site editor for SearchWindowsServer. Write to him at [email protected] or follow him @TomWalatTT on Twitter.