Patched or Unpatched? – That Is the Question

“Ransomware” may now officially be the most searched word on Google. That’s because this month, the alleged hacker group the Shadow Brokers executed yet another global ransomware attack, the ‘Petya’ attack, which manipulated many of the same vulnerabilities as the May WannaCry attack. In light of this new and worrisome wave of ransomware cyber crime, it’s time to discuss an unresolved for so many organizations – patched and unpatched devices.

A major network security pitfall in organizations of all sizes, but mainly large organizations, is that they lack visibility into which devices have been patched for the EternalBlue/EternalRomance vulnerabilities, and which devices are unpatched and are therefore prone to attacks. While Microsoft did what it could to issue the patches in time to prevent the spread of the attack, a number of devices remain unpatched, and in some cases, it is impossible for IT admins to tell if there are devices left to patch or not. There could be two reasons for this oversight: 1. The IT administrators lack appropriate network/endpoint visibility tools with compliance mechanisms such as automated patching or quarantining of rogue devices; or 2. There are unmanaged company devices accessing the network. In the case of the latter, it is impossible to tell if they have been patched or not, unless the admins make the effort of manually installing the patch updates themselves. While there is much to be said for the benefits of network visibility tools, it’s the unmanaged devices that really worry me.

Ransomware2

So how can we prevent a third massive ransomware attack? One could return to the vendor or Point of Sale of said unmanaged device and ask them to manually install the firmware, but this is a manual process and, with all of the ransomware attacks lately, these vendors are probably swamped with requests. The more logical option is to establish an active inventory of the unmanaged devices (such as BYODs) on the network so that, on the eve of an attack or, in light of suspicious activity, these devices can be automatically quarantined or blocked from the network. Another option is to perpetually place these devices in a segmented or firewalled part of the network that will limit their access to the Internet and sensitive company information. Here, it is possible to assign unmanaged devices to a guest or contractor network with limited access capabilities from the start.

Why is this so important, you ask? Because the perpetrators of the ‘Petya’ and WannaCry attacks were able to incur damage on a global scale by infiltrating vulnerabilities on one or two devices, then spreading the ransomware using freeware tools to thousands of others. It’s really the same way that worms work. This lateral movement throughout the organization can put IT admins in disaster mode – and that’s added to the fact that it takes 40% of IT teams at least two to three hours to realize they’ve been attacked!

In order to stop the ransomware bad guys in their tracks, it’s recommended to automate remediation methods to control the extent of the damage. Without this cushioning in place, hackers like the Shadow Brokers have free reign over not just one or two vulnerable devices, but the entire network, including personal devices and information attained in phishing attacks.

Let’s take the right actions this time to ensure that a third global ransomware attack doesn’t happen again anytime soon.