The intensity of the WannaCrypt ransomware attack has dissipated, but fear still looms large. In response, many organizations have issued advisories intended to help their customers run a secure infrastructure and to protect themselves from similar attacks in future. Microsoft, too, advises its customers to exercise caution and to follow the 8 steps outlined in a Microsoft Azure blog post to stay protected against the WannaCrypt ransomware.
The advisory addresses users who are either slow to respond or complacent about security. Microsoft believes all Azure customers should follow these 8 steps as both a precautionary and a mitigation strategy.
Steps for Azure customers to avert WannaCrypt Ransomware Threat
Preliminary findings reveal that the WannaCrypt malware exploits a Server Message Block (SMB) vulnerability (CVE-2017-0145) in the operating system. Customers should therefore install MS17-010 right away to resolve this vulnerability.
Second, review all Azure subscriptions that have SMB endpoints exposed to the internet, commonly associated with ports TCP 139, TCP 445, UDP 137 and UDP 138. Microsoft warns against opening any ports to the internet that are not essential for your operations. To disable the SMBv1 protocol, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Use Azure Security Center to verify that anti-malware and other critical security controls are properly configured for all of your Azure virtual machines and are up and running. To view the security state of your resources, open the ‘Prevention’ tile on the ‘Overview’ screen of Azure Security Center.
You can then review the list of issues in the Recommendations tile.
The best strategy to stay protected against any unwanted threat is to update your machines regularly. Windows users can open Windows Update to check for new security updates and install them immediately to keep their machines up to date. For users running Azure Cloud Services, automatic updates are enabled by default, so no action is required on their part. Moreover, all Guest OS versions released on March 14th, 2017 and later include the MS17-010 update. The update resolves the vulnerability found in the SMB server (the primary target of the WannaCrypt ransomware).
If needed, you can view the update status of your resources on an ongoing basis via Azure Security Center. The center continuously monitors your environment for threats. It combines Microsoft global threat intelligence and expertise with insights into cloud security-related events across your Azure deployments, helping keep all your Azure resources safe and secure. You can also use the center to collect and monitor event logs and network traffic to look for potential attacks.
Network Security Groups (NSGs) contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network, so you can use NSGs to restrict network access. Configure NSGs with inbound rules that restrict access to only the required ports; this, in turn, helps reduce your exposure to attacks. In addition to Azure Security Center, you can use network firewalls from reputable security firms to provide an additional layer of security.
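The review of internet-exposed SMB endpoints and the NSG inbound-rule advice above can be checked mechanically. The following is an added example, not code from Microsoft's advisory or the original article: it scans an NSG definition for inbound Allow rules that open the listed SMB ports to the internet. It assumes the rule field names used in Azure CLI JSON output (`securityRules`, `destinationPortRange` and so on), and the NSG and rule names in the sample are constructed.

```python
import json

# SMB-related endpoints named in the advisory, as (protocol, port)
SMB_ENDPOINTS = [("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)]
# Source prefixes that mean "anyone on the internet" in an NSG rule
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

def port_in_spec(port, spec):
    """True if port is covered by an NSG port spec: '*', '445' or '100-200'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_smb_rules(nsg):
    """Return (rule name, protocol, port) for inbound Allow rules that open an
    SMB port to the internet. Flags candidates; Deny precedence is not resolved."""
    findings = []
    for rule in nsg.get("securityRules", []):
        inbound_allow = (rule.get("direction", "").lower() == "inbound"
                         and rule.get("access", "").lower() == "allow")
        sources = [rule.get("sourceAddressPrefix") or ""]
        sources += rule.get("sourceAddressPrefixes") or []
        if not inbound_allow or not any(s.lower() in INTERNET_SOURCES for s in sources):
            continue
        specs = [rule.get("destinationPortRange") or ""]
        specs += rule.get("destinationPortRanges") or []
        proto = (rule.get("protocol") or "*").lower()
        for p, port in SMB_ENDPOINTS:
            if proto in ("*", p) and any(port_in_spec(port, s) for s in specs if s):
                findings.append((rule["name"], p, port))
    return findings

# Constructed sample NSG (hypothetical names), shaped like Azure CLI JSON output
SAMPLE_NSG = json.loads("""
{"name": "web-nsg", "securityRules": [
 {"name": "allow-https", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
 {"name": "allow-smb-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "445"},
 {"name": "allow-wide-range", "direction": "Inbound", "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["100-200", "3389"]},
 {"name": "smb-from-vnet", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "445"}
]}
""")

if __name__ == "__main__":
    for name, proto, port in exposed_smb_rules(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: rule {name} exposes {proto.upper()} {port} to the internet")
```

The wide-range rule shows why port ranges matter: a rule that never mentions 445 can still cover TCP 139 and UDP 137/138.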
If you have other anti-malware installed, confirm that it is deployed correctly and updated regularly. For users relying on Windows Defender, Microsoft released an update last week which detects this threat as Ransom:Win32/WannaCrypt. Users of other anti-malware software should check with their provider to confirm round-the-clock protection.
Finally, resilience shows in how well you recover from adverse conditions such as a compromise. This can be reinforced by having a strong backup solution in place, so it is essential to configure backups with multifactor authentication. Fortunately, if you are using Azure Backup, you can recover data when your servers are attacked by ransomware. However, only users with valid Azure credentials can access the backups stored in Azure. Enable Azure Multi-Factor Authentication to provide an additional layer of security to your backups in Azure!
Microsoft appears to care a great deal about the data security of its customers. Prior to this, the company also released customer guidance for users of its Windows XP OS after many of its customers became victims of the global WannaCrypt attack.