May 18, 2017
Datto Partners Evade WannaCry Attack with Proactive Monitoring
Despite affecting over 200,000 businesses in 150 countries, WannaCry hasn’t had a significant impact on the Datto partner community. Currently, we have zero confirmed cases of WannaCry infections.
This success is largely due to the proactive nature of Datto partners and how they have leveraged the Datto solution to keep their clients’ data protected.
Matt Massuch, Director of Tech Support at Datto, says this was one of the key reasons so few Datto partners had to deal with restorals as a result of WannaCry. “Our partners have a regimented schedule when it comes to applying patches and keeping their clients educated and prepared. They likely pushed this out to their end users as soon as it was issued by Microsoft,” he said. “This event has highlighted how important managed service providers (MSPs) are to protecting data and handling IT needs for businesses,” he added.
As Microsoft has said, this is a major wake-up call for the cybersecurity world: not only is ransomware a massive threat to every business, but keeping software updated and applying patch releases promptly is essential. “The fact that this was so severe that Microsoft issued a patch for Windows XP and Windows Server 2003 shows what a huge deal this is. Those systems have been out of official support for quite some time,” said Massuch.
According to Emily Glass, Customer Experience Officer, the WannaCry attack reinforced the need for proper preparation. In addition to patches, Glass highlighted the importance of ensuring Datto features like Screenshot Verification and Backup Insights are working properly and are tested regularly.
In the unfortunate case that you are infected with ransomware, it’s important to stay calm. Once you have isolated and quarantined the infected machines, determine when the infection started so you can identify the last clean backup to restore from. Thanks to Datto’s Ransomware Protection and Recovery Solution, partners can quickly and easily determine the right point in time to restore to. We recommend backing up at least every hour and running automated tests nightly. Longer term, you can manually test restore operations to prepare for something as terrible and pervasive as WannaCry, other ransomware, human error, or natural disaster.
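The restore-point selection described above, worked through in code, as an added example that is not part of the original post and not Datto’s own tooling. It assumes hourly snapshots with a recorded pass/fail from a nightly automated restore test (the Snapshot class, the sample timestamps and the encrypted-file indicators are all constructed for the example), and picks the latest verified snapshot taken before the earliest indicator, optionally backing off by a safety margin because file timestamps can lag the real start of encryption:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    """One backup point for a protected machine (constructed for this example)."""
    taken_at: datetime
    verified: bool  # True if the nightly automated restore test passed


# Constructed sample data: hourly snapshots on the day of an outbreak.
# The 11:00 snapshot is marked as having failed its automated verification.
SNAPSHOTS: List[Snapshot] = [
    Snapshot(datetime(2017, 5, 12, hour), verified=(hour != 11))
    for hour in range(0, 24)
]

# Constructed indicators: modification times of the first files found with an
# encrypted-file extension on the host. The earliest approximates when encryption began.
ENCRYPTED_FILE_MTIMES: List[datetime] = [
    datetime(2017, 5, 12, 14, 27),
    datetime(2017, 5, 12, 14, 31),
    datetime(2017, 5, 12, 15, 2),
]


def infection_start(mtimes: List[datetime]) -> datetime:
    """Earliest timestamp among the encrypted-file indicators."""
    if not mtimes:
        raise ValueError("no indicators supplied")
    return min(mtimes)


def last_clean_snapshot(snapshots: List[Snapshot], start: datetime,
                        margin: timedelta = timedelta(0),
                        require_verified: bool = True) -> Optional[Snapshot]:
    """Latest snapshot taken before the infection started, minus a safety margin.

    The margin covers indicator timestamps that lag the real start of encryption;
    require_verified skips snapshots whose automated restore test failed.
    """
    cutoff = start - margin
    candidates = [s for s in snapshots
                  if s.taken_at < cutoff and (s.verified or not require_verified)]
    return max(candidates, key=lambda s: s.taken_at) if candidates else None


def backup_gaps(snapshots: List[Snapshot],
                expected: timedelta = timedelta(hours=1)) -> List[datetime]:
    """Start times of intervals longer than `expected` between consecutive snapshots."""
    ordered = sorted(s.taken_at for s in snapshots)
    return [a for a, b in zip(ordered, ordered[1:]) if b - a > expected]


def data_loss_window(snapshot: Snapshot, start: datetime) -> timedelta:
    """Time between the chosen restore point and the start of encryption."""
    return start - snapshot.taken_at


if __name__ == "__main__":
    start = infection_start(ENCRYPTED_FILE_MTIMES)
    chosen = last_clean_snapshot(SNAPSHOTS, start, margin=timedelta(minutes=30))
    print("infection started:", start)
    print("restore from:", chosen)
    print("data loss window:", data_loss_window(chosen, start))
    print("gaps in the hourly schedule:", backup_gaps(SNAPSHOTS))
```

The backup_gaps check is the part worth running before an incident: a schedule that claims hourly backups but shows multi-hour gaps quietly widens the data-loss window that last_clean_snapshot reports.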
In addition to the tips we’ve outlined, the US Department of Homeland Security advised the following precautionary measures:
Test your backups to ensure they work correctly.
Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
Have regular penetration tests run against the network, at least once a year and ideally as often as practical.
Whitelist outbound connections to limit what connections can be made to the Internet. Most ransomware has to call home to get the encryption algorithm, and if that communication is stopped, encryption is averted.
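The email-authentication item in the list above (SPF, DMARC, DKIM) is where configurations most often exist but enforce nothing. The following added example, which is not part of the original post or the DHS advisory, shows a weak SPF/DMARC pair beside its hardened form and a small checker that flags the settings under which spoofed mail is still delivered. The two domains and their TXT records are constructed for the example (no DNS lookup is performed), and DKIM is left out because a key’s presence cannot be judged from a static policy record:

```python
from typing import Dict, List, Optional

# Constructed DNS TXT records for two hypothetical domains (not real lookups):
# the first shows a permissive setup, the second the hardened equivalent.
RECORDS: Dict[str, Dict[str, Optional[str]]] = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:reports@strong.example",
    },
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (keys lower-cased, whitespace stripped)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism ('+', '-', '~' or '?'), or None if absent.

    A bare 'all' carries the default '+' qualifier (RFC 7208), i.e. everyone passes.
    """
    for term in record.split()[1:]:  # skip the 'v=spf1' version term
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def assess(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Findings describing why forged mail from this domain would still be accepted."""
    findings: List[str] = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot tell authorized senders from forgeries")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier is None or qualifier in "+?":
            findings.append("SPF 'all' is missing, '+all' or '?all': unauthorized senders are not failed")
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append("no DMARC record: SPF/DKIM failures carry no enforcement policy")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy is '{policy or 'missing'}': spoofed mail is delivered normally")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of failing mail")
    return findings


if __name__ == "__main__":
    for domain, rec in RECORDS.items():
        print(domain, assess(rec["spf"], rec["dmarc"]) or ["ok"])
```

A p=none policy is the normal starting point while aggregate reports (rua) are reviewed, but it should be treated as a monitoring phase with an end date; until p is raised to quarantine or reject, SPF and DKIM results are advisory and do nothing to stop the phishing email the list item is concerned with.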
If you’re interested in learning more about WannaCry, head over to our information page with everything you need to know about this strain of ransomware.