This past weekend hit the world like a pile of bricks as nearly 100 countries were hit with the ransomware, WanaCry (or WannaCry, as many are prone to calling it). This malicious ransomware, like a worm, spreads on its own. Targets are met with a ransom screen that demands $300 in bitcoin as a ransom within the first three days, lest the ransom be doubled up to $600. If the payment hasn’t been received within a week, your files are deleted and gone forever. WanaCry or WannaCry (hereafter to be interchangeably used) has mainly been targeting European countries, though the numbers are about to reach 300,000.
So how did something this crippling take over not just a few, but a large chunk of the world’s computers? It didn’t happen overnight as we can trace it back to EternalBlue, allegedly an NSA exploit code leaked to the public last month. This exploit targets the SMBv1 protocol to take over vulnerable machines, and although Microsoft already patched the flaw in March, not all PC owners have updated their systems.
Vulnerabilities in a standard file-sharing technology like SMB can cause serious damage because a single compromised computer could infect an entire corporate network. In fact, unpatched OS systems from Windows XP all the way to Windows 2008 can all be penetrated by this exploit. Fortunately, a sort of “kill switch” was accidentally discovered in WanaCry by a security researcher who identifies himself as MalwareTech. In the initial execution of WanaCry, there had to be an unsuccessful query of a particular unregistered domain before it moves on to exploit EternalBlue and propagate to other hosts. By purchasing and pointing the domain to a sinkhole, the security researcher managed to quickly inhibit WanaCry’s spreading mechanism.
However, don’t let yourself get too comfortable just yet – unfortunately, what the kill switch has effectively done is just slow down the speed of infection rate. With the rise in copycat hackers, security researchers are discovering multiple versions of WanaCry, some with or without kill switch functions. It’s no wonder that this situation is making many “WannaCry” (pun intended), but what exactly can you do now? Here are our 5 tips for how to deal with the situation, whether you’ve been struck by WannaCry or are afraid of the potential consequences.
1. Don’t pay out
As tempting as it may be to pay the $300 to get your files back, that may not work out in reality. WanaCry variants may have modified BitCoin addresses so victims that pay out to these wrong address are less likely to receive the key to decrypt their files. Besides, the team at RedTeam Security liken ransomware to terrorism, and many countries like the United States does not negotiate with terrorists, including cyber terrorists.
However, if your organization is one that handles sensitive or even life threatening data (i.e. patient documents in healthcare), it’s hard to even think about not paying the ransom fee. While most security experts will recommend standing firm and dealing with the potential loss of files, it’s up to the industry and the organization to decide whether the risk is worth it. This isn’t a dilemma that any organization wants to deal with, so it’s especially important to have a system in place that will prevent imminent attack in the first place.
2. Security patches and continuous monitoring
While WanaCry attacks are spread by exploiting a vulnerability only in older versions of the Windows OS, it is generally always good practice to update security patches on any OS you use. Microsoft has officially released a reminder to users to install the MS17-010. (If you’re unable to patch Windows, consider disabling SMBv1 altogether).
In addition, organizations and businesses can apply preventative measures like monitoring security networks. Conducting regular penetration tests to exploit the weaknesses in the architecture of network systems can be an effective form of defense. Although often confused with vulnerability scans, penetration tests don’t stop at uncovering vulnerabilities but takes it one step further by exploiting the vulnerabilities in order to prove (or disprove) a real-world attack vector.
3. Offsite backup
Though backups are considered a tiring and old routine, in the event of a ransomware infection, backups are major time and money savers. It’s recommended to store copies of your data in two separate locations. One of these locations should be off site – in other words consider backing up your files on external shortage where the ransomware cannot touch. Even if one copy of your files is encrypted by ransomware you’ll have access to a safely stored untouched version.
Luckily, storage is much more affordable than it used to be. Just make sure to keep the backup devices safe, away from the main device. Ransomware can often be designed to target all attached drives, as well as plugged-in USB sticks. Our favorite way is to utilize cloud-based storage, and fortunately there are cloud backups that automatically upload your files onto the cloud. An extra precautionary measure can be taken by using encryption solutions to encrypt your data.
4. Trust no one
While big targets like hospitals are the ones that made the news, the spread of WanaCry is indiscriminate and goes across both public and private sectors. Hence ransomware can surely also find its way to you through emails or popups as well. Ransomware usually comes in the form of an email attachment containing a malicious script that executes upon download and automatically encrypts all files in the hard drive. A report by PhishMe claims that 93% of phishing emails are now ransomware.
Email phishing is nothing new, but most people fail to see the warning signs before it’s too late. With ransomware especially, distribution methods are becoming simpler and an executable file is all that is needed. That means being extra careful of links within emails and blocking popups could go a long way in avoiding phishing-based ransomware. Always be wary of suspicious or unknown senders especially those with attachments disguised in the form of billing, shipping, ordering, or invoice-related messages. Oftentimes, emails can be highly personalized, making it more difficult for unsuspecting users to realize it’s a ransomware attack.
5. Don’t cry just yet
Many people are on alert mode because the big corporations are being attacked. There are signs of ransomware in very public places, like LCD billboards, bus stops, and movie theaters. Larger corporations, organizations, or entities like medical centers and hospitals utilize older versions of OS because their computing programs are largely for information storage and not for active searching and computing. IT-managers may feel like updates are not necessary – a common myth.
But before you also go into panic mode, consider the facts we’ve seen so far. This is a vulnerability in effect in older versions of the Microsoft OS where updates had to be manually installed. Most users who have the latest versions of Windows will have automatic updates as their default, taking away the concern of the vulnerability at hand.
This is not to say that the WanaCry/WannaCry ransomware phenomenon is not a crucial issue, but if you heed our steps, as well as keep up with the latest cybersecurity news, you may just be able to save the tears for another day. For questions on ransomware or other cybersecurity-related issue, feel free to drop us a line at firstname.lastname@example.org.