The WannaCry Ransomware Issue

PCI DSS principles to mitigate the spread of ransomware

The recent, and still highly impactful, discovery of a new malware variant named “WannaCry” is a hot topic in the news right now. This new malware combines ransomware with an exploit that has replication capabilities to allow one computer within an organization to spread the exploit to other computers with connectivity within the organization. This threat is fast moving and exploits a known flaw in the SMB service functionality included with all Windows operating system versions.

The PCI DSS principles for network segmentation, patching, anti-malware, system hardening, and vulnerability management are effective at mitigating the spread and/or initial infection of malware, including WannaCry. Below is an overview of how the PCI mandated controls can help protect your organization from this threat:

1. Requirement 1 – Network segmentation, restrictive access lists, and isolation controls will effectively stop the threat from spreading by limiting any exposure to the subnet and segment which it occurs. Further, the application of intrusion prevention and detection signatures (like snort) will allow organizations to detect the presence of these threats before it’s been able to spread.
2. Requirement 2 – Platform and service hardening requirements should restrict the protocols and services in use on hosts. Many system configuration standards recommend enabling SMB signing requirements as well as SMB protocol level hardening. These steps would make it more difficult for SMB exploitations to occur on an information system.
3. Requirement 5 – Anti-virus and anti-malware requirements should facilitate the detection of the SMB exploit as well as the presence of any malware written to disk. Next generation end-point software packages may be able to detect and prevent the execution of the SMB exploitation or of the ransomware payload. Requirements to keep these defenses up-to-date ensures that active threats are quickly detected if not fully prevented.
4. Requirement 6 – Patch management requirements mandate that vendor patches are installed within 30 days of release and that all platforms in use should be supported to receive security patches. The exploit used in the WannaCry malware was patched in March 2017 under Microsoft Security Bulletin MS17-010. Following this patching guidance, or installing patches even more frequently, is a demonstrably effective method to mitigate this risk.
5. Requirement 11 – Vulnerability scanning activities would detect systems where the MS17-010 patch is not applied to ensure that all information systems have effective patch management processes in place. We would recommend updating your internal vulnerability scanning software and executing a scan as soon as possible to detect any Windows platforms still at risk.

In summary, the PCI DSS requirements and overall configuration principles are effective at preventing many types of malware, ransomware, and other unknown cyber attacks. We highly recommend implementing these principles on all computers in your organization to protect against the likely occurrence of future wormable exploits such as the SMBv1 vulnerability exploited by “WannaCry.”

If you have any questions regarding ransomware, network security or other compliance or security concerns, please feel free to reach out to us at security@compliancepoint.com or (855) 670-8780.