EternalBlue, RobbinHood and How to Protect Your Organization Against Ransomware Attacks

In recent weeks, key IT systems and services in numerous city and state governments across the U.S. have been effectively shut down by a ransomware known as RobbinHood which takes advantage of the EternalBlue exploit. Over the Memorial Day weekend, it was widely reported that the city of Baltimore, Maryland joined the growing list of ransomware victims that includes Atlanta, Georgia, Cleveland, Ohio, Albany, New York, Greenville, North Carolina, Allentown, Pennsylvania, and San Antonio, Texas. EternalBlue is a tool originally developed by the NSA, that was stolen by cyber criminals in April 2017 and has since been used in several large-scale ransomware attacks including: WannaCry in May 2017 (total estimated damage: $4 billion), NotPetya in June 2017 (total estimated damage: $10 billion) and now, RobbinHood.

PREPARE NOW - THERE IS ABSOLUTELY NO REASON TO EXPECT CYBERCRIMINALS TO NOT PIVOT THESE RANSOMWARE ATTACKS FROM THE GOVERNMENT SECTOR TO BUSINESS AND INDUSTRY.

Even though attacks thus far have been in the government sector, cyber criminals could just as easily begin targeting business and industry with similar attacks. Here are 7 steps you should take TODAY to protect your organization against these threats:

1. Patch vulnerable systems. MS17-010-Critical (Security Update for Windows SMB Server) was published in March 2017. Vulnerable operating systems include Windows Server 2016, Windows Server 2012 (and R2), Windows Server 2008 (and R2) Windows 10, Windows 8.1, and Windows 7.

2. Use Exchange transport rules to protect users against emails with attachments vulnerable to ransomware. Many ransomware attacks leverage macros or executables in email attachments to infect their victims' devices. Exchange transport rules can be used to protect your users by:

• Warning users about the risk of macros if they receive any file attachments with file extensions that support macros.
• Tracking users who have received a file extension that support macros.
• Blocking mail that allows users to run macros (especially legacy file extensions like .doc) or are executables.

3. Enable Microsoft Active Protection Service (MAPS) cloud-based protection (if you are using a Microsoft antivirus solution). Microsoft Active Protection Service (MAPS) is a cloud-based service that will provide greater malware protection through cloud-delivered malware-blocking decisions and leverage the latest ecosystem-wide detection techniques offered through the cloud. To learn more about MAPS and how to enable it, see the "MAPS in the cloud: How can it help your enterprise?" blog post.

4. Educate your users. Providing security awareness training to your users is a good practice and can be used as an effective prevention mechanism. If users are able to identify security threats such as ransomware, they will be less susceptible to the threat. Also, educating users on how to react to a security incident or if their device has been infected with ransomware will make the recovery process less costly and minimize the risk of spreading the infection. You must create a culture that values and prioritizes the security of your organizational data. Valorem Reply offers a Secure Culture Assessment (SCA) that can help you identify end user risks so you can develop a change management plan that makes an impact.

5. Mitigate against phishing emails and malicious attachments. Encourage users to be careful when opening emails and look for phishing indicators, especially if it contains a potentially malicious attachment (such as .exe, .js, .vbs, .ps, and Office document types that support macros). Leverage technology to help, read "How to review and mitigate the impact of phishing attacks in Office 365" to learn more.

6. Keep anti-malware solutions running and up to date. Installing an antivirus solution like Windows Defender and keeping it up to date will prevent many instances of ransomware and malware from affecting your organization. Windows Defender will help protect your users and proactively remove many known ransomware attacks.

7. Use OneDrive for Business. OneDrive for Business can be used as a protection mechanism against ransomware. If your organization utilizes OneDrive for Business, you can recover any files stored there in the event of an attack.

The stakes for cyber security are only getting higher as new technology makes way for new digital threats. One of Valorem Reply’s core capabilities is helping customers to establish a more robust cybersecurity posture. If you aren’t sure how or where to get started in identifying and reducing gaps in your organizational security, our experts can help. Reach out today to learn how Valorem can help your organization establish and execute a modern cybersecurity strategy. Or ask about our Cybersecurity Assessment and other solutions that can help you execute on your security goals!