- Block SMB port access and RDP (Remote Desktop Protocol) to all computers from the internet. Port 445 and 139 for SMB and 3389 for RDP should be blocked.
- Block SMB for the time being within the company through a group policy or other endpoint security solution.
- Stop granting any privilege escalation requests to users who want to run an unknown program as an administrator.
- Ensure all windows OS and Microsoft software are patched especially the MS17-010. Any unsupported or outdated operating systems should either be upgraded or re-configured to stop SMB and RDP.
- Issue a notice to all employees to not open unknown attachments and emails and if in doubt read emails on their mobile devices without opening the attachments.
- Disable office macros through a group policy.
- Make sure all backup solutions are safe guarded. Encourage users to backup their data immediately on a removable and encrypted hard drive and keep it in a safe place and not connected to the computer. No IT administrator or employees should have backup drives mapped to their computers with write access. Only the backup software should have a unique user account with write access to the backup media and users should only have read access to backup media.
- Make sure each endpoint and server has latest version of a reputable endpoint security solution with latest definition updates.
- Enable scanning of all attachments at your endpoints and email gateways. See a list of file hashes and IP addresses to block and observe at the end of this advisory.
- Disable uPNPon all your gateways, firewalls, routers and proxy servers.
- Disconnect from the internet and take a backup of all your data on an encrypted, removable hard drive. Disconnect the hard drive and keep it at a secure location after the backup is completed.
- Do not open attachments from unknown sources and do not download or open unauthorized software.
- Do not check your personal email on company computer as most free email services will not have advanced security scanning of attachments.
- If you suspect any unusual hard drive activity on your computer, immediately shut it down and notify your IT administrator.
- Do not enable macros on office documents and watch out for warnings and alerts
For IT Administrators
- Disconnect all network shares from idle computers and servers.
- Recheck network shares with write permissions.
- Change passwords of and safeguard all common domain administrator accounts and refrain from logging in using these accounts. Use these accounts to only authorize specific actions as per standard operating procedures.
- Make sure backup solutions provide write access to only accounts that are hard configured in the backup solution.
- User accounts should only have read access.
- Enable volume shadow copy if possible through group policy and enforce it.
- Update the endpoint security solution and enable anti-malware or anti-ransomware modules.
- Prevent privilege escalation of unknown programs and processes.
- Create a manual signature on your endpoint security solution and monitor for file hashes and extensions specific in this advisory. In case of any such findings on a user computer, disconnect it from the network and shut it down.
- Call for the incident response team to deal with the situation and plan for a procedural approach before applying an unverified solution from the internet.
Add new comment