Many news sources are reporting on the worldwide "ransomware" cyberattack that wreaked havoc in hospitals, schools and offices across the globe on Monday. So far the attack has affected over 200,000 systems in 150 countries, an unprecedented scale for ransomware.
These computers were infected by malware known as WannaCry (also called WannaCrypt), which encrypts a computer or server, locking all of the files on it, and demands a $300-600 ransom to unlock them. The malware was able to spread thanks to flaws in older versions of Windows that the NSA had originally used to hack into PCs, before the exploit code was made public. A single click on an infected attachment or malicious link could lead to every computer in a network becoming infected.
How it works:
- Source -- Typically an email is sent with a social engineering lure to trick users into running the malware, e.g. a fake FedEx email containing "tracking information" in a PDF or ZIP file
- Execution -- Opening the attachment runs code that attempts to install the malware and exploit the computer
- Damage -- WannaCrypt encrypts ALL files it finds and renames them by appending .WNCRY to the file name.
- Spread -- The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers.
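The Damage and Spread steps above each leave a distinctive trace that a defender can look for: a burst of files renamed with the .WNCRY suffix on a file server, and a single workstation opening SMB connections (TCP 445, the Windows service the worm component targeted) to many neighbours within seconds. The script below is an added example, not LeadingIT's or Microsoft's tooling; the log formats, thresholds and every log line are constructed for illustration.

```python
"""Two detection heuristics for WannaCrypt behaviour, run over constructed
log samples: (1) a burst of renames to *.WNCRY on one host (the encryption
loop), (2) one source fanning out to many destinations on TCP 445 in a
short window (the worm scan). Log formats and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-server audit log: "<timestamp> <host> RENAME <old> -> <new>"
FILE_AUDIT_LOG = """\
2017-05-12T10:00:01 WS07 RENAME C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.WNCRY
2017-05-12T10:00:01 WS07 RENAME C:\\Share\\memo.docx -> C:\\Share\\memo.docx.WNCRY
2017-05-12T10:00:02 WS07 RENAME C:\\Share\\plan.pdf -> C:\\Share\\plan.pdf.WNCRY
2017-05-12T10:00:02 WS07 RENAME C:\\Share\\notes.txt -> C:\\Share\\notes.txt.WNCRY
2017-05-12T10:00:03 WS07 RENAME C:\\Share\\logo.png -> C:\\Share\\logo.png.WNCRY
2017-05-12T10:15:40 WS02 RENAME C:\\Users\\b\\draft.docx -> C:\\Users\\b\\final.docx
2017-05-12T11:30:00 WS02 RENAME C:\\Users\\b\\old.zip -> C:\\Users\\b\\old.zip.WNCRY
"""

# Constructed firewall/flow log: "<timestamp> <src_ip> <dst_ip> <dst_port>"
# 10.0.0.7 sweeps twelve neighbours on 445 in twelve seconds (worm behaviour);
# 10.0.0.2 talks to a single file server on 445 (normal SMB use).
FLOW_LOG = "\n".join(
    [f"2017-05-12T10:05:{i:02d} 10.0.0.7 10.0.0.{11 + i} 445" for i in range(12)]
    + ["2017-05-12T10:05:20 10.0.0.7 10.0.0.5 443",
       "2017-05-12T10:06:00 10.0.0.2 10.0.0.5 445",
       "2017-05-12T10:06:30 10.0.0.2 10.0.0.5 445",
       "2017-05-12T10:07:00 10.0.0.2 10.0.0.5 445"]
) + "\n"


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def wncry_rename_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: most *.WNCRY renames seen inside any `window`} for hosts
    that reach `threshold`. A run of suffix renames is the encryption loop
    itself; a lone rename is treated as noise."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, op, rest = line.split(" ", 3)
        if op != "RENAME":
            continue
        new_path = rest.split(" -> ", 1)[1]
        if new_path.lower().endswith(".wncry"):
            per_host[host].append(_parse_ts(ts))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):       # sliding window over sorted times
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[host] = best
    return hits


def smb_fanout(log_text, port="445", threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: most distinct destinations on `port` inside any `window`}
    for sources that reach `threshold`. A workstation reaching dozens of peers
    on 445 within a minute is scanning, not sharing files."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        if dport == port:
            per_src[src].append((_parse_ts(ts), dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print("WNCRY rename bursts:", wncry_rename_bursts(FILE_AUDIT_LOG))
    print("SMB fan-out sources:", smb_fanout(FLOW_LOG))
```

Both checks are deliberately simple window counts so they can be re-implemented in whatever SIEM or log tool a network already has; the thresholds (five renames or ten distinct SMB peers per minute) are starting points to tune against normal traffic, and the scan check also flags the same fan-out pattern from a host whose patch status is unknown.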
On May 12, 2017, we detected new ransomware that spreads like a worm by leveraging vulnerabilities that had previously been fixed. Microsoft had released the fix for these vulnerabilities back in March. Unfortunately, the ransomware, known as WannaCrypt, appears to have affected computers that had not applied the patch for these vulnerabilities. While security updates are applied automatically on most computers, some users and enterprises delay deployment of patches.
LeadingIT deployed this critical patch to all of our clients in a timely fashion back in March using our remote management tools.
New variants of the rapidly replicating worm were discovered on Sunday. One did not include the so-called kill switch that allowed researchers to interrupt the malware's spread on Friday by diverting it to a dead end on the internet.
How to stay safe against these kinds of attacks:
- Keep computers and servers up to date -- newer versions of Windows and other software ensure your network is better protected
- Consistently and continuously patch and update -- Microsoft and other software vendors typically push out updates monthly
- Remove administrator privileges -- this best practice stops 95% of malicious software from running
- Protect your network in layers -- a multi-layer security approach can stop these issues at several different points. Spam filtering can block malicious emails, firewalls can block malicious links, DNS filters can block traffic to known-bad destinations, and antivirus software can block malicious programs.
- Backups, backups, backups -- not all backups are created equal. You need a proper backup and disaster recovery system that allows you to recover files from less than one hour ago.
While we were well prepared and kept our clients safe in this latest event, technology is never perfect. Your technology provider can implement a multitude of protections, but they cannot protect against everything, which is why end user education, caution and diligence are so important.
Find out why you should trust us to protect your business or organization from attacks like this.