Content contributed by NorthStar IT

On May 12, 2017, an unprecedented wave of ransomware spread via the internet, hitting organizations and individuals around the world. The ransomware, known as “WannaCry,” quickly became front-page news. The purpose of the ransomware, developed by cyber-criminals, was to extort money. It did this by infecting unpatched Windows PCs and encrypting 176 different file types (picture files, documents, spreadsheets, video files, database files, etc.), leaving the files inaccessible. To decrypt the files, a ransom had to be paid using the cryptocurrency known as Bitcoin. Average ransom amounts started at $300 and increased incrementally over time until, at seven days, if unpaid, all encrypted files were permanently deleted from the user’s system and lost forever.

The ransomware was delivered through a hyperlink that could be embedded in emails, web page advertisements, or Dropbox links. If a user clicked on any of these links, the PC secretly accessed a website where the virus resided. If the PC did not have the appropriate PC patches or anti-virus software installed, the PC downloaded malicious code which then started the file encryption process and displayed the following message:

Hundreds of thousands of PCs around the world were impacted by this virus. Hospitals, banks, and telecommunications companies were some of the hardest hit industries.

(CLS, Orion, and The Gemini Companies) avoided this outbreak. But how?

At NorthStar, before any computer traffic enters the network, it has to pass through a series of hardware devices and software which closely inspect all bits and bytes for malicious content. Based on very complex and sophisticated rules, logic, and algorithms, some traffic is blocked outright, some is quarantined for review, and the rest is allowed onto the network. However, even with these tools in place, it is possible for new variants of malware to emerge and make it past them. In the event something does slip through our perimeter defenses, NorthStar also has tools that reside on servers, desktop PCs, and laptops to contain and mitigate any compromise. These tools add a further layer of protection to detect, prevent, quarantine, and clean malicious content from endpoint devices (PCs, laptops, smartphones, etc.).

For those who are interested in technical details, below is a list of many of NorthStar’s security tools and what they do:

  • Email Security Gateway: this product scans all inbound emails and searches them for malicious attachments and embedded links that could take users to malicious sites. If found, the software will quarantine the emails for review or outright delete them if known to be malicious.
  • Intrusion Detection\Intrusion Prevention Systems (IDS\IPS): These systems inspect network traffic at a very low level (bits and bytes). Upon detection of suspicious content, they will automatically block it before it can enter NorthStar’s systems. In addition, these systems filter out traffic from specific geographical locations known to be the source of malware (e.g. Russia, Iran, etc.).
  • Advanced Network Anti-Malware: These systems scan for and detect attacks and malicious network packets as well as command and control communications. “Command and control communications” is when malware communicates back to a home base for additional attack code or content. WannaCry is an example of malware that uses command and control communications.
  • Web Filtering: Web filtering programs block access to sites that have known malicious content. NorthStar’s web filtering software is actively updated with lists of malicious sites, so as soon as any site is registered or detected to have the ability to spread malicious content, the software is automatically updated and will block users from accessing that site.
  • Advanced EndPoint Anti-Malware: These are advanced anti-malware tools installed on the endpoint (the PC itself). They work similarly to and in conjunction with NorthStar’s Advanced Network Anti-Malware, but on the PC level as opposed to the network level.
  • Anti-Virus Software: This is a traditional anti-virus program which actively scans and monitors traffic to and from each PC looking for malicious software. In addition, the software utilizes traditional virus scans of a PC’s local hard drive to detect anything that might be on the hard drive, but not active.
  • Log Collection: This is a system which collects and analyzes PC, server, and network logs, looking for questionable activity WITHIN the internal networks. It searches for activity that could get in via an internal source like a PC USB port, a DVD, or a personal computer plugged into a company network port (which is strictly forbidden in our Employee Policy Manual).
  • NorthStar also has robust data recovery tools that can be used to quickly recover systems and data if an attack like this were successful and original files needed to be restored.

In addition to having the above tools in place, NorthStar ITOC took the following additional steps and precautions when the WannaCry outbreak was discovered:

  • NorthStar double-checked that the appropriate Microsoft patches, which stop this virus, were installed.
  • NorthStar enabled Snort Rule 42340 – A new rule for our IDS\IPS systems which was developed to stop WannaCry once it was detected and started spreading.
  • NorthStar confirmed firewalls were blocking malicious traffic on the specific ports\channels the virus communicated over.
  • NorthStar confirmed TOR network blocking – TOR is an external anonymous network that is notorious for spreading malicious content, so we double-checked our settings to make sure we were blocking this traffic.
  • NorthStar confirmed all Advanced Malware Protection systems and software had been updated to detect this ransomware signature.
  • NorthStar confirmed the email security gateway was scanning for this specific
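
One way to verify the Snort step in the list above, as an added example that is not NorthStar's own code: the script parses a Snort rules file, joins backslash-continued rules, and reports whether each required SID is enabled (and with which action), commented out, or missing. The rule bodies and the extra SIDs are constructed placeholders; only SID 42340 comes from the article.

```python
import re

# Constructed sample rules file. The rule bodies are placeholders, not the
# content of any published Snort rule; only SID 42340 is taken from the article.
SAMPLE_RULES = r'''
# Constructed local.rules for illustration
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED placeholder A"; \
    flow:to_server,established; sid:42340; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED placeholder B"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED placeholder C"; sid:1000002; rev:3;)
'''

# Common Snort rule actions; a leading "#" marks a rule that is shipped disabled.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "block")
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>%s)\s.*\(.*\)\s*$" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def logical_lines(text):
    """Yield rules as single lines, joining backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def rule_states(text):
    """Map sid -> (enabled, action) for every rule in the file."""
    states = {}
    for line in logical_lines(text):
        rule, sid = RULE_RE.match(line), SID_RE.search(line)
        if not rule or not sid:
            continue  # plain comment, blank line, or not a rule
        enabled = rule.group("off") is None
        key = int(sid.group(1))
        # An enabled copy wins over a commented-out duplicate of the same SID.
        if key not in states or enabled:
            states[key] = (enabled, rule.group("action"))
    return states

def audit(text, required_sids):
    """Report 'enabled:<action>', 'disabled' or 'missing' per required SID."""
    states = rule_states(text)
    return {sid: ("missing" if sid not in states else
                  "enabled:" + states[sid][1] if states[sid][0] else "disabled")
            for sid in required_sids}

if __name__ == "__main__":
    for sid, status in audit(SAMPLE_RULES, [42340, 1000001, 1000002]).items():
        print(sid, status)
```

The action matters as much as the enabled state: on an inline IPS a rule left at `alert` only logs, so a report of `enabled:alert` for a SID that is meant to block is worth a second look.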

As you can see, NorthStar takes cybersecurity very seriously. From the technical tools in place to the audited and certified ISO 27001 processes and controls, NorthStar is committed to investing the necessary time and money for industry leading technology, processes, and people.

2709-CLS-7/12/2017