On Friday 12th May 2017, a new type of virus was released. This virus is a combination of:
- A ransomware virus, which encrypts and locks your files and demands money for a decryption key, and
- A worm virus, which tries to spread itself as far as possible.
The attack was due to a kind of ransomware called Wanna Decryptor, which is also known as WannaCrypt, WanaCryptor and WannaCry.
When a system has been infected with WannaCrypt, the malware encrypts everything it can, including the PC’s hard drive and any connected devices such as USB sticks and external storage devices.
The ransomware locked users out of the system and presented a landing page which demanded Bitcoin payment of $300/£230 in return for files to be unlocked. Users were warned that the amount would double within three days if payment was not forthcoming and that all their files would be deleted if they didn’t pay after that time.
The WannaCrypt ransomware attacked more than 200,000 victims in 150 countries across the world, with the NHS attacked in England, car plants targeted across Europe, and Chinese schools and colleges caught in the onslaught. Europol designated it “the largest ransomware attack observed in history.”[i] [ii]
Microsoft has since released patches for Windows XP, Windows Server 2003 and other older operating systems it had stopped supporting, to fix the flaw that WannaCrypt had exploited to infect systems.
The infection risk to NCS customers for this specific virus is currently low. This is because very few of our customers use Windows XP any more. In addition, fileservers that are actively monitored by NCS will be receiving regular security updates.
However, it is inevitable that a new version of this virus will appear soon.
The best way to defend computer networks is to have multiple levels of security and to follow good practices. These should include:
- Fileserver security patching – if your server is actively monitored by us, this should already be done. If you maintain your fileservers in-house, it is critical that these are patched as soon as possible and kept current with the latest security updates.
- PC security patching – all computers and laptops should be fully up-to-date with the latest security patches.
- Effective anti-virus and anti-spam software.
- Appropriate internal network security levels.
- Secure network firewall – if you have a SonicWALL firewall from NCS with an active security subscription (called CGSS), you are protected by the firewall’s anti-virus plug-in, which can prevent the virus getting to your network. [iii] (Read more about this here: https://blog.sonicwall.com/2017/05/sonicwall-protects-customers-latest-massive-wannacry-ransomware-attack/) Important: only the latest SonicWALL devices can protect against encrypted traffic, and this functionality needs to be enabled specifically.
- Good, tested backups which are done regularly.
- Always keep a backup off-site, following the 3-2-1 rule. [iv] (Read more about this here: https://www.veeam.com/blog/how-to-follow-the-3-2-1-backup-rule-with-veeam-backup-replication.html)
- Download and install all Windows Updates as soon as they are released.
- Remind staff not to open unexpected email attachments.
- Use the internet safely.
Tech Republic have updated their Ransomware: The Smart Person’s Guide, which is summarised below:
- What is it? Ransomware is malware. The hackers demand payment, often via Bitcoin or prepaid credit card, from victims in order to regain access to an infected device and the data stored on it.
- Why does it matter? Because of the ease of deploying ransomware, criminal organisations are increasingly relying on such attacks to generate profits.
- Who does this affect? While home users have traditionally been the targets, healthcare and the public sector have been targeted with increasing frequency. Enterprises are more likely to have deep pockets from which to extract a ransom.
- When is this happening? Ransomware has been an active and ongoing threat since September 2013.
References
[i] WannaCry ransomware attack: https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations
[ii] Cyber-attack: Is my computer at risk? http://www.bbc.co.uk/news/technology-39896393
[iii] https://blog.sonicwall.com/2017/05/sonicwall-protects-customers-latest-massive-wannacry-ransomware-attack/
[iv] The 3-2-1 rule for backups: https://www.veeam.com/blog/how-to-follow-the-3-2-1-backup-rule-with-veeam-backup-replication.html