Wannacry Ransomware Attack: What You Need to Know

On Friday, May 12th a new strain of Ransomware, known as WannaCry, infected computers across the world.

Among the institutions affected were the British National Health Service, FedEx, and Lakeridge Hospital in Oshawa.

Fortunately, the virus has not affected Pund-IT or any of our clients.

For those interested in learning more best available security hardware and software, our partner, Barracuda Networks, will be hosting webinars starting today at noon and every day until May 31st. Please follow this link to register:

https://register.gotowebinar.com/rt/8460414703982379011?source=Pund-it

Please feel free to call us at 519-342-4004 should you have any additional questions.

 

WannaCry Overview

Timeline

August 2016: Confidential National Security Agency Hacking Techniques Stolen

  • A hacking group, calling itself the “Shadow Brokers”, steals cyber-weapons from the NSA’s Equation Group

Friday, April 14th 2017: Leak of NSA Cyber-Weapons

  • Over 300 megabytes of hacking tools leaked containing several vulnerabilities alleged to work against Microsoft products.

Friday, May 12th 2017: Wave of Ransomware Attacks

  • The “Wannacry” virus begins to target organizations in Europe and quickly spreads across the world with demands for payment in Bitcoin to recover sensitive data
  • Victims are presented with a screen informing them that their files have been encrypted
    • Required to pay $300 within three days for recovery
    • After six days, ransom increases to $600
    • After seven days, files are deleted
  • 300,000 devices are infected
  • $70,000 has been paid to attackers as of May 15th
  • Britain’s National Health Service has 70,000 devices compromised, many of which are required for medical treatment
  • Automakers Nissan and Renault are forced to halt production following attack
  • Attack is thwarted after a research in Britain finds a “Kill Switch”
    • Malware operated through a website
    • Researcher purchased and closed the malware-related website, and attacks subsided

Microsoft Response

  • Windows 10 was not affected
  • Demonstrates the importance of installing operating system updates and remaining on most recent version
  • Microsoft offers emergency patch for Windows Vista (previously discontinued)
  • Survey finds that Windows XP (released in 2001) is still the third most popular operating system currently installed, with a 7% market share

Culprits

  • Some media and industry experts point blame at North Korea
    • Almost impossible to substantiate
    • Very difficult to attribute a source to these attacks
      • Source code is frequently reused
      • Attackers can imitate geo-location
      • North Korea serves as an easy scapegoat given recent political news

Motivation

  • Financial?
    • Bitcoin required by attackers per breach is fairly low
    • This is intentional in order to remove barriers to ransom payment
    • Attackers make money on volume, not per attack
    • Medical providers like the NHS are particularly vulnerable as access to systems is required for patient health and patient records must be kept confidential (see Hollywood Presbyterian Medical Center ransomware attack from February 2016)
    • To date, only $70,000 has been paid
  • Testing for vulnerabilities?
    • Attackers can use attacks as system-tests and then “improve” malware for future attacks based on vulnerabilities identified
    • Second wave of attacks may already be in progress

What does this mean for organizations who have been attacked?

  • Decide whether or not to pay ransom
    • If data is critical, pay and hope to recover
    • There is no guarantee of recovery, but the data is already gone from your system

What should responsible organizations do to protect themselves?

  1. Install security patches immediately
  2. Update Operating Systems to Windows 10
    • Even if updates result in temporary downtime, they can prevent catastrophe
    • Remember that unlicensed or pirated software cannot be updated and is therefore a target for attackers

What should executives ask their IT team?

  1. Can you give me an accurate number of systems that are vulnerable?
    • Your IT provider should know the number of XP instances and should have installed security patches
  1. What are the security layers in place?
    • IT providers should be acting proactively; assuming the system is under attack and testing vulnerabilities
  1. Why are we not willing to pay for upgrades, security, backup?
    • High-quality security costs money
    • Again, better to invest in a system than to pay a ransom
  1. How do we communicate to end-users if attacked?
    • The company’s leader should communicate in the event an attack takes place
    • Messages will not be ignored

What should organizations tell employees to prevent future attacks?

  1. Do not click suspicious links or open suspicious attachments
    • Social engineering of phishing emails is improving
    • The message may appear to be from Amazon or your bank, but if they are making an unusual request for information, employees should bring to the attention of the IT service provider
    • Investment in security education is important for all employees (including executives and IT experts)

Create a Strategic Data Backup Plan

    • Operate proactively, not reactively
    • Pay for the Backup Solution, not the ransom
      • Costs of an attack are usually greater than the ransom paid
      • Downtime, insurance claims, and damage to your reputation all cost your business money
    • Defend your critical data through backup and archiving
      • Apply security closest to the essential data that you are trying to protect
    • Layer security
      • A well-protected system will deter attackers (e.g., burglars do not attempt to invade homes with security cameras and a guard dog)
    • Isolate attacks as they happen
    • Remember that the world is not just servers, laptops, phones – Internet enabled devices (wearables, webcams, medical equipment) are also vulnerable
      • Periodically review the device count within your organization and remember to include anything that can connect to the Internet
    • Update, update, update
    • Install Anti-Virus

Going Forward

    • Vulnerabilities exposed in NSA leak can still be exploited
    • IT Security mindset needs to change from defensive to offensive
    • All organizations, regardless of size or sophistication, should have an IT security strategy that protects critical data