In light of the ransomware incident that has severely impacted organisations internationally, including the NHS, Atomwide offer the following advice and guidance to our customers to help you keep your networks secure. If you are not currently an Atomwide customer you may also find this information useful alongside your own strategies to protect against such cyber-attacks.
The malware responsible for the attack is a ransomware variant known as ‘WannaCry’. The malware propagates over TCP port 445 (Server Message Block/SMB), compromising hosts and encrypting files, after which a ransom payment is demanded in Bitcoin. The ransomware exploits a vulnerability in the Windows operating system that was patched by Microsoft in March 2017.
How is Atomwide mitigating the risk of infection across its customer base?
Atomwide maintains a highly secure network, on behalf of its customers, where there are multiple layers of firewalling implemented. In addition, there are services deployed that actively monitor traffic on networks looking for weaknesses, or misconfigured services from within a subscribing establishment, that could be used to compromise the integrity of your network.
All Atomwide customers, whether contracting directly or via LGfL/TRUSTnet, should act promptly and never ignore a support case alerting you to a vulnerability; the Atomwide Service Desk is available for advice and guidance should there be any doubt over enabling services that are reachable from outside your network.
Server Message Block/SMB
The Atomwide Service Desk has conducted a review of all network rules. A Support Announcement was sent to all establishments where we identified open SMB shares with other connected establishments. If you received Support Announcement 282152, the advice is to conduct a review of your firewall rules to ensure that all configured access is still required. Reducing the number of SMB connections between your organisation and other connected organisations will significantly reduce the risk of compromise.
It is vital to ensure that your establishment has a patching policy in place that prioritises the installation of critical patches released by vendors. As a priority, ensure all Windows devices have patch MS17-010 installed (released March 2017). For our school customers connected via LGfL/TRUSTnet this patch is available on the LGfL WSUS servers for Windows operating systems, including XP. LGfL provides a WSUS service that can be used to patch Windows operating systems in your school; for more information on how to use the service please contact the Atomwide Service Desk.
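The SMB review and MS17-010 patch check above can be carried out per host with a short script. The following is an added example written for this advisory, not an Atomwide or LGfL tool; the function name Get-WannaCryExposure is ours, it needs an elevated session on Windows 8/Server 2012 or newer for the SMB and firewall cmdlets, and the KB list is our reading of the March 2017 MS17-010 updates, which you should verify against Microsoft's bulletin for the OS versions you run.

```powershell
# Added example (not Atomwide's own tooling): report MS17-010 and SMBv1 status.
# KB numbers assumed from the MS17-010 bulletin; verify for your OS versions.
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216','KB4013429')

function Get-WannaCryExposure {
    $os = (Get-CimInstance Win32_OperatingSystem).Caption

    # Get-HotFix lists individually installed updates. On Windows 10 the fix ships
    # inside cumulative updates, so a later cumulative update also counts.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = $Ms17010Kbs | Where-Object { $installed -contains $_ }

    # SMBv1 is the protocol WannaCry abuses over TCP 445; disable it where not needed.
    $smb1Enabled = 'unknown (cmdlet not available on this OS)'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Enabled inbound firewall rules that allow TCP 445: the access a worm needs.
    $open445 = @()
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $open445 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            Where-Object {
                $pf = $_ | Get-NetFirewallPortFilter
                $pf.Protocol -eq 'TCP' -and
                    ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
            } | Select-Object -ExpandProperty DisplayName
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OperatingSystem  = $os
        Ms17010Installed = [bool]$matched
        MatchedKBs       = ($matched -join ',')
        Smb1Enabled      = $smb1Enabled
        InboundTcp445    = ($open445 -join '; ')
    }
}

Get-WannaCryExposure | Format-List

# Remediation for hosts that do not need SMBv1 (run only after reviewing the report):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Feed the output of each host into your support case if anything is unclear; a host showing Ms17010Installed false with Smb1Enabled true and an open 445 rule is the combination to address first.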
As the role of technology in everyday use, both personal and professional, increases, and with ransomware attacks on the rise, the secure storage of data becomes even more critical. The secure, automated and regular backup of all critical data to an offsite storage location is highly recommended and should be part of any establishment’s disaster recovery plan. When deploying a remote backup solution, backup files should not be accessible by machines which are at risk of being infected by ransomware. Atomwide currently manages over 1.3 petabytes of remotely backed-up data across over 800 individual establishments. For more information on our remote backup services please visit our web pages – http://atomwide.com/gridstore/default.htm
All of our LGfL/TRUSTnet customers have Sophos Intercept X available to them as part of their LGfL/TRUSTnet subscription. Intercept X is specifically designed to help prevent the malicious encryption of data by ransomware. If you are an LGfL/TRUSTnet school and have not yet deployed Intercept X, please raise a support case via the Service Desk so that steps can be taken to have your computers and files protected.
WebScreen Internet Filtering
A ‘kill switch’ was discovered in the WannaCry variant that prevents the malware from executing. It is thought the kill switch was originally designed to prevent the malware from being analysed within a closed sandbox environment. Access to the kill switch URL has been permitted for all of our WebScreen customers; under no circumstances should the URL be blocked in your WebScreen policies. Because WebScreen continually gathers web intelligence, ‘crowd sourced’ in real time from our 3,000+ real-world customers, education-focused custom categorisation is added to the entire delivery platform in situations like this without having to wait on AI systems for updates and interim decisions.
More detail on the kill switch can be read on the National Cyber Security Centre website – https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0
More information on the WebScreen internet filtering service can be found at – http://atomwide.com/webscreen/default.htm
Awareness and Reporting
A programme of education and awareness training for all staff within your establishment should be implemented to ensure users do not open attachments or follow links in suspicious emails. If your school uses the LGfL/TRUSTnet private cloud hosted email platform, StaffMail, and there is any doubt over the validity of an email, it is highly recommended that the email be reported through StaffMail’s ‘Report as Spam’ feature. A positive report of an email containing malware from a single user in any school directly benefits all schools within the LGfL/TRUSTnet community: the email is first removed from StaffMail as a matter of urgency, and measures are then put in place within MailProtect to prevent the same email variant from being received by others.
All establishments who make use of MailProtect but maintain their own internal mail system also benefit from the measures implemented in MailProtect. More information on MailProtect can be found at – http://atomwide.com/mailprotect/default.htm
Finally, and for interest, the NY Times has produced an animated graph of the infection spreading, based on data from a researcher who was tracking the outbreak: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=0
Please remember, if in any doubt, the Atomwide team will be more than happy to help.