First and foremost: backups. Test them. Make sure the restore is what you need it to be.
Have an Incident Response plan in place specific to cyber and ransomware. Have a DRP that is specific to this. Designate one person, one, to be your crisis spokesperson because not everyone should have the talking stick.
I have taken this directly from the National Cyber Security Center in Britain, which suffered a big hit to its hospitals with WannaCry:
For Home and Small Business Users:
To update your version of Windows:
Note: We strongly recommend that you do not continue to use unsupported operating systems, but instead upgrade to one which receives regular security updates from the vendor.
2. Run antivirus
- Make sure your antivirus product is turned on and up to date. Windows has a built in malware protection tool (Microsoft Defender) which is suitable for this purpose.
- Run a full scan to make sure your computer is currently free of all known malware.
3. Keep a safe backup of your important files
- Regularly create a backup copy of your important files (such as photos, documents, and other files that can’t be replaced). If you have backups of files that you can recover, you can’t be blackmailed.
- Make sure that this copy is kept separate from your computer. If it’s on a USB stick, or a hard drive, or on any type of removable media, do not leave it connected (or anywhere on your network) or it may also be attacked by ransomware.
- You should consider using cloud services to back up your files. Many cloud service providers (for example, email providers) offer an amount of cloud storage space for free.
What to do if you get ransomware:
If a small business has been a victim of ransomware and are worried about the infection spreading to other parts of your network, these steps may help guide your actions:
- Immediately disconnect you computer, laptop or tablet from network. Turn off your Wi-Fi.
- Safely format or replace your disk drives.
- Whilst you’re still disconnected from your network, directly connect this computer to the Internet.
- Install and update the operating system and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and/or run antivirus scans to identify if any infection remains.
Files encrypted by the WannaCry attack have no way of being decrypted by anyone other than the attacker. Don’t waste your time or money on services that are promising to do it.
The NCA encourages industry and the public not to pay the ransom. If you do:
- There is no guarantee that you will get access to your data.
- Your computer will still be infected unless you complete extensive clean-up activities.
- You will be paying criminal groups.
For Enterprise and Larger Organizations:
Deploy the patch for MS17-010 on Windows systems
If you are running a supported version of Windows and have been applying patches automatically from Windows Update as recommended by the NCSC, then you should already be protected against this malware.
If updates have not been applied automatically, the patch for this specific vulnerability can be found at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx or via Windows Update for currently supported operating systems.
For legacy platforms such as Windows XP, Server 2003 and Windows 8, an out-of-band patch has been made available by Microsoft. This patch cannot be applied via Windows Update, and must be installed specifically in this case. This patch is available from https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
If it is not possible to apply this patch, disable SMBv1
As SMBv1 is a vector by which the malware spreads, this can be disabled to prevent further infection if specific systems within an organisation become affected. Guidance for Windows systems is available at https://support.microsoft.com/en-us/help/2696547
If the above is not possible, you may be able to block SMBv1 ports on network devices and host-based firewalls on workstations. These ports are:
- UDP: 137 and 138
- TCP 139 and 445
If this is not possible, isolate the use of legacy technology as much as possible within your organisation
If it is not possible to completely disable SMBv1 or apply the necessary patches, then the devices still vulnerable to MS17-010 should be isolated within your enterprise network to the maximum extent possible. The use of network segregation techniques, other approaches for minimising the chances of compromise, and limiting the subsequent harm, are described in the NCSC’s guidance for obsolete technologies.
Ensure antivirus products are updated
Antivirus vendors are increasingly able to detect and remediate this malware, therefore ensuring that any on-host and boundary antivirus products in use within your organisation are up-to-date with will likely provide additional protection.
Work done in the security research community has prevented a number of potential compromises. To benefit, ensure that your systems can resolve and connect on TCP port 80 to the following domains:
Unlike most malware infections, you should not block these domains. Note that the malware is not proxy aware so a local DNS record may be required. This does not need to point to the internet, but can resolve to any accessible server which will accept connections on TCP port 80.
As variants of WannaCry emerge, additional domains and alternative command-and-control mechanisms are being observed. Additional information can be found on the Cyber Security Information Sharing Partnership (CiSP) platform.