Author - Tushar Vartak, Director Information Security, Rak Bank
Since 12th Apr 2017, ransomware exploiting MS17-010 has been wreaking havoc worldwide.
Precautions to be taken:
1 - Patch Management
- Ensure all Workstations and Servers have the latest Microsoft patches, especially the ones related to MS17-010.
2 - Antivirus
- Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block the IOCs on the AV solution.
- Get the name of the malware from the AV vendor and verify whether it has been detected in the logs for the last week.
3 - IPS
- Ensure IPS signatures are updated. Verify that the signature that detects this vulnerability / exploit attempt is enabled and in blocking mode.
- Get the name of the signature and verify whether it has been triggered in the logs for the last week.
4 - eMail Gateway
- Ensure the eMail Gateway solution has all relevant updates for detecting mails that may bring the Trojan into the environment.
5 - Proxy
- Ensure the Proxy solution has an updated database. Block the IOC IP addresses and domain names on the Proxy.
- Check the last week's Proxy logs for the IOCs and take action on the sources of infection.
6 - Firewall
- Block the IOC IP addresses on the Perimeter Firewall.
- Check the Firewall logs for the last week for connections to those addresses.
7 - Anti-APT Solutions
- Ensure signatures are up to date.
- Check for possible internal sources of infection and take action.
8 - SIEM
- Check the logs of the last week to verify whether any of the IOCs have been detected.
a - If required, raise a case with the OEM to get the details.
b - All changes to follow proper approvals and the change management process.
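The "verify the last week's logs for the IOCs" step under Proxy, Firewall and SIEM is the same sweep against different log sources. The script below is an added example, not part of the original advisory, showing that sweep in Python: it matches simplified proxy and firewall log lines against an IOC list, drops anything older than the review window, and reports the internal source addresses that need cleanup. The IOC values (TEST-NET addresses and .example domains) and the log lines are constructed placeholders; a real sweep would load the published IOC list and read the SIEM or proxy export instead.

```python
"""Sweep proxy / firewall log lines for IOC hits within the last week.

Added example, not part of the original advisory. Every IOC and log line
here is a constructed placeholder (TEST-NET addresses, .example domains).
"""
from datetime import datetime, timedelta
import re

# Constructed placeholder IOCs (not real indicators): replace with the
# IP / domain list published for the incident.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_DOMAINS = {"malicious.example", "c2.example.net"}

# Simplified log formats assumed for this example:
#   proxy:    <ts> <client-ip> <method> <url> <status>
#   firewall: <ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) \S+ (?P<url>\S+) \d+$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=\w+$"
)

# Constructed sample export; timestamps are UTC. NOW is the review time.
NOW = datetime(2017, 5, 16, 0, 0, 0)
SAMPLE_LOGS = [
    "2017-05-15T10:12:33Z 10.0.5.21 GET http://c2.example.net/x 200",
    "2017-05-15T10:12:35Z src=10.0.5.21 dst=203.0.113.10 dport=445 action=allow",
    "2017-05-14T08:00:01Z 10.0.7.3 GET http://www.c2.example.net/a 404",
    "2017-05-01T09:00:00Z 10.0.9.9 GET http://malicious.example/old 200",  # older than 7 days
    "2017-05-15T11:00:00Z 10.0.5.22 GET http://intranet.example/home 200",  # benign
    "2017-05-15T11:00:05Z src=10.0.5.22 dst=192.0.2.1 dport=443 action=allow",  # benign
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def host_of(url):
    """Return the lower-cased host part of a URL, or None if unparseable."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else None


def domain_matches(host):
    """True if host is an IOC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def sweep(lines, now, days=7):
    """Return (source_ip, ioc, line) for every IOC hit within the last `days`."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            if parse_ts(m["ts"]) < cutoff:
                continue  # outside the review window
            host = host_of(m["url"])
            if host and (host in IOC_IPS or domain_matches(host)):
                hits.append((m["src"], host, line))
            continue
        m = FW_RE.match(line)
        if m and parse_ts(m["ts"]) >= cutoff and m["dst"] in IOC_IPS:
            hits.append((m["src"], m["dst"], line))
    return hits


def infected_sources(hits):
    """Unique internal source addresses to isolate and clean, sorted."""
    return sorted({src for src, _, _ in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS, NOW)
    for src, ioc, line in found:
        print(f"{src} -> {ioc}: {line}")
    print("sources to remediate:", infected_sources(found))
```

Subdomain matching (`www.c2.example.net` hitting the `c2.example.net` IOC) is deliberate: blocking only the exact hostname on the proxy leaves the rest of the zone open, so the log check should be at least as broad as the block rule. Widening `days` shows how many older hits the one-week window hides, which is useful when deciding whether the review period was long enough.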