So you machine is infected, what can you do?
- Find all the machines vulnerable to MS17-010. This can be done using scanning tools or wholesale apply the patch to all machines.
- On the infected machines, don't pay the ransom - Research suggests that payment will get your files back two thirds of the time.
- Try the WannaCry decryption tool and skip to step 5 on.
- If the decryption tool fails, re-install your operating system - remembering to patch it.
- Install a good malware protection solution, switch on real-time updates and update it.
- Scan your machine with your newly installed and updated malware protection software.
- Re-install essential applications, remembering to check for patches, and switch on auto updates.
- Copy back data from backups, remembering to scan it as you do. One of your backup files could be infected.
- Create a standard user account for general use, and keep the administrator account for configuration changes only. Although WannaCry did not need administrator credentials, other ransomware does.
- Consider Application Whitelisting to ensure only known applications are able to execute on your machine.
- If you existing firewall allows it, switch on web filtering to prevent traffic to known malicious sites.
- Consider using an IPS (Intrusion Prevention System) to protect your network.
- A Web Security Gateway to monitor and prevent traffic to malicious websites, and sandboxing to scan unknown packages.
- An Email Security Gateway can monitor and scan emails, working in combination of a sandbox to scan unknown attachments, and a Web Security Gateway to validate URLs within emails. Although email was not the delivery mechanism for WannaCry, it is for pretty much 90+% of ransomware.
- Check existing backups and/or start doing backups.
Planning for the future
- User training is important, but it must be remembered that WannaCry 2.0 wasn't propagated by email and didn't require user interaction to install or spread.
- Ensure an open policy for users to report to IT Teams or Information Security Teams with any suspicious behaviour on their machines.
- Test the environment with simulated attacks to ensure the People, Process and Technology work hand in hand together.