Ransomware & Incident Response: Thoughts from WannaCry, WannaCry2, & WannaCrypt0r

Lots of content has been created for detecting & dealing with ransomware; however, these past few days have seen a flurry of different attacks & thus require some specific after-action reports (AAR).

So, here are some observations / thoughts / notes:

• Many orgs do not have the budget to ward off ransomware, including: 
• Advanced threat protection (ATP) via: EDR, UBA / UEBA, UTM / NGFW / NGIPS / NGIDS
• Virtualization to segment legacy tech: SDN, SDS, hyperconvergence
• SIEM & TI
• SETA & CSIRT awareness notifications were slow & ineffective
• Close the patching gap....no more excuses
• We'll see this level of pandemic / infestation again...this is just a start.

So, folks will see this level of attack again & its up to them to be proactive & respond accordingly.