On May 12th, 2017 cyber security professionals watched as the world was hit by the largest-scale ransomware attack to date. The ransomware, called WCrypt (aka WannaCrypt, WannaCry, WanaCrypt0r), spread rapidly. By encrypting files and demanding ransom for the decryption keys, the malware interrupted normal operations at hospitals, train stations, schools, law offices, and many other organizations. Over 230,000 devices in 99 countries were impacted over the course of the weekend, and tens of thousands of dollars’ worth of bitcoin had already been paid in ransom to the three bitcoin addresses hard-coded into the malware.
How did this happen? How did such a massive cyber attack appear seemingly out of nowhere and throttle so many systems and operations, including many critical to public safety? More importantly, what steps should information security professionals take TODAY to prevent ransomware and keep their businesses safe?
6 Steps to Prevent Ransomware
Here are some ways to prevent this sort of attack from occurring in your business, and to manage it if an attack has already occurred.
- KEEP PATCHES CURRENT. Those updates aren’t just for show. Microsoft’s fix for the SMBv1 vulnerability that WCrypt exploits (security bulletin MS17-010) has been available since March 14, 2017; had it been applied properly to more systems, the damage and spread of this malware would have been significantly smaller. Keep a consistent patch schedule, maintain up-to-date software, and prioritize by exposure: anything that accepts SMB connections (TCP port 445) from other hosts comes first. This applies to all devices. The printer? The router? The phone system? That WiFi-connected coffee maker in the lounge? They need frequent updates, too.
- DON’T USE UNSUPPORTED SOFTWARE OR OPERATING SYSTEMS. Patches only come for supported products. Windows versions that were already out of support when MS17-010 shipped (Windows XP, Windows Server 2003 and Windows 8) received no fix for the EternalBlue vulnerability in March, and emergency out-of-band patches for unsupported systems, like the one Microsoft published for them during the WCrypt incident, are rare and cannot be counted on. These systems are sitting ducks online, and are exposed to many other unfixed vulnerabilities besides this one.
- TAKE ALL POSSIBLE SYSTEMS OFFLINE. Anything that doesn’t need to be connected to the internet should not be connected to the internet. This especially applies to machines running unsupported software or operating systems. In particular, SMB (TCP port 445) should never be reachable from the internet, SMBv1 should be disabled wherever nothing still depends on it, and the internal network should be segmented so that one compromised workstation cannot reach SMB on every other host. The fewer attack vectors you make available to attackers, the better.
- BACK UP DATA. This is critical regardless of the risks. Even if WCrypt hadn’t shocked the world, keeping backups is beyond important for company functioning. Note that any backup the infected machine can write to (a mapped network drive, a USB disk left attached, or local shadow copies, which WCrypt deletes) will be encrypted along with everything else; keep copies offline or off-site, and test that you can actually restore from them. If any disaster occurs, those backups could save the day.
- EDUCATE STAFF AND USERS. Many information security experts have pinned the initial footholds of WCrypt on user error, although the spread from machine to machine used the SMB exploit and required no user action at all. Uneducated employees, users, and even family members can put an entire network at risk. Opening questionable links, downloading unfamiliar files, and falling for email scams can all be the first step of a malicious attack. Make sure everyone knows what is trustworthy, and feels confident enough to ask if something looks unfamiliar or odd. Give those around you the resources they need to identify risks before they become ransom!
- ALREADY INFECTED? If you already “WannaCry,” your options are sadly limited. First, disconnect the infected machine from the network so it stops scanning for and infecting other hosts, and isolate it rather than wiping it immediately so that evidence is preserved for investigation. If you can, avoid paying the ransom for your files, even if that means losing a few minor items or spending time digging up backup files. If you must pay the ransom, all moral and social issues aside, ensure you do so through the most secure means possible. Communicating with law enforcement, as well as consulting cyber security experts, can help you make the best decisions possible for yourself and your business.
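The first three steps above come down to two questions per Windows host: is MS17-010 installed, and is SMBv1 still switched on? The following PowerShell script, added here as an example and not code from the original post or from Pivot Point Security, answers both and can optionally disable SMBv1 and block inbound SMB on the Public firewall profile. It assumes Windows 8.1 / Server 2012 R2 or later (for the SmbShare, NetTCPIP and NetSecurity cmdlets) and an elevated session. The KB numbers are those listed in Microsoft’s MS17-010 bulletin and the out-of-band release for XP/2003/8; verify them against the bulletin before relying on the list.

```powershell
# Added example, not code from the original post. Assumes Windows 8.1 /
# Server 2012 R2 or later and an elevated PowerShell session.
# Run as-is to report; run with -Remediate to apply the changes.
param([switch]$Remediate)

# KB numbers from Microsoft's MS17-010 bulletin (March 14, 2017) plus the
# out-of-band KB4012598 for XP/2003/8. Verify against the bulletin. Later
# cumulative updates supersede these, so Get-HotFix not finding one means
# "check with a vulnerability scanner", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
    'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
)

function Test-Ms17010Present {
    $hits = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$hits
}

function Test-Smb1ServerEnabled {
    # EnableSMB1Protocol is the server-side switch EternalBlue needs to be on.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Test-Port445Listening {
    # Anything listening on TCP/445 is reachable by a worm scanning the LAN.
    $l = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return [bool]$l
}

$patched   = Test-Ms17010Present
$smb1      = Test-Smb1ServerEnabled
$listening = Test-Port445Listening

"MS17-010 KB installed : $patched"
"SMBv1 server enabled  : $smb1"
"TCP/445 listening     : $listening"

if ($Remediate) {
    if ($smb1) {
        # Old NAS boxes, printers and scanners sometimes still need SMBv1;
        # inventory those before flipping this on a file server.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        'SMBv1 server protocol disabled.'
    }
    # On public networks (hotel, coffee shop) nothing should reach SMB at all.
    # Domain and Private profiles need segmentation rules of their own.
    New-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block | Out-Null
    'Inbound TCP/445 blocked on the Public profile.'
}
```

Run it across the estate through your management tooling and treat any host that reports `SMBv1 server enabled: True` with no MS17-010 KB as the top of the patch queue; a host that reports no KB but is on a current cumulative update needs a proper vulnerability scan before it is called patched.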
The world is watching now for what the malicious hackers of the world will come up with next. Don’t be part of the next victim count.
The History of WCrypt Ransomware
While the WCrypt ransomware crisis made headlines over the weekend, the timeline starts much earlier.
On April 14, 2017, a notorious hacker group known as The Shadow Brokers released the final stage of a five-part leak of NSA tools. This leak, dubbed “Lost in Translation,” included an exploit called EternalBlue, which targets a remote code execution vulnerability (CVE-2017-0144) in the SMBv1 server built into Windows. An attacker who can reach TCP port 445 on an unpatched machine can run arbitrary code on it with no credentials and no user interaction, which is exactly what a worm needs in order to propagate across a local network and over the internet.
Microsoft patched this issue (MS17-010, March 14, 2017) a month before the exploit was released. However, many hosts had not been patched, and Windows versions that were already out of support (XP, Server 2003, Windows 8) received no patch at the time. Within two weeks of the release of the exploit, over 200,000 internet-facing machines were reported to be carrying the DoublePulsar backdoor that the leaked toolkit installs.
EternalBlue itself is only an exploit; it gets code running on one target. WCrypt’s authors wrapped it in a worm, a self-replicating component that scans for other hosts with TCP port 445 open, exploits them, and installs a copy of itself on each. A worm can carry a payload (i.e., an attack function); in the case of WCrypt, the payload is ransomware, creating a vicious ransomware worm, or ransomworm.
It has been hypothesized that systems were slowly infected by WCrypt (WannaCry) for several weeks, with the malware remaining dormant until triggered, most likely by a preprogrammed timer. Whether the first infections arrived through phishing attacks (malicious emails) has not yet been determined.
The self-propagating nature of WCrypt allowed it to spread quickly once activated: each infected machine scanned both its local network and random internet addresses for hosts with port 445 open. Every infected machine left on and connected to a network helped WCrypt to spread.
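The scanning behaviour described above has a recognisable footprint: one host opening SMB connections to dozens of distinct destinations in a short time. The following PowerShell function, added here as an example and not code from the original post or from Pivot Point Security, reads Windows Firewall log lines (the pfirewall.log layout) and reports sources whose outbound TCP/445 attempts fan out past a threshold. The log lines it runs on are constructed sample data, not a real capture; the function name, threshold and allow list are the author’s assumptions.

```powershell
# Added example, not code from the original post. Flags hosts whose SMB
# traffic fans out to many distinct destinations, the footprint of a worm
# sweeping for TCP/445. Input is Windows Firewall log lines (pfirewall.log
# layout: space-separated, '#' header lines). The sample below is constructed.
function Find-SmbSweepers {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold = 20,        # distinct 445 targets per source that counts as a sweep
        [string[]]$AllowList = @()   # known legitimate scanners (vuln scanner, SCCM, backup)
    )
    $targetsBySource = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }        # header or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }                   # truncated line
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ... path
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dstPort = $f[7]; $path = $f[-1]
        # Only outbound (SEND) attempts identify the scanner; inbound lines name
        # its victims. DROP and ALLOW both count: a blocked probe is still a probe.
        if ($proto -ne 'TCP' -or $dstPort -ne '445' -or $path -ne 'SEND') { continue }
        if ($AllowList -contains $src) { continue }
        if (-not $targetsBySource.ContainsKey($src)) {
            $targetsBySource[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$targetsBySource[$src].Add($dst)
    }
    foreach ($src in $targetsBySource.Keys) {
        $n = $targetsBySource[$src].Count
        if ($n -ge $Threshold) {
            [pscustomobject]@{ Source = $src; DistinctSmbTargets = $n }
        }
    }
}

# Constructed sample: 10.0.5.23 behaves like an infected host, sweeping its
# own /24 and then probing internet addresses; 10.0.5.40 is an ordinary
# workstation talking to one file server.
$sample = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
foreach ($i in 1..40) {
    $sample += "2017-05-12 13:00:01 ALLOW TCP 10.0.5.23 10.0.5.$i $(49000 + $i) 445 0 - 0 0 0 - - - SEND"
}
$sample += '2017-05-12 13:00:02 DROP TCP 10.0.5.23 203.0.113.9 49101 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 13:00:02 DROP TCP 10.0.5.23 198.51.100.77 49102 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 13:00:05 ALLOW TCP 10.0.5.40 10.0.5.10 49300 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 13:00:06 ALLOW TCP 10.0.5.10 10.0.5.40 445 49300 0 - 0 0 0 - - - RECEIVE'

Find-SmbSweepers -Lines $sample -Threshold 20 | Format-Table -AutoSize
```

Against the sample, only the sweeping host is reported; the workstation with a single file-server destination is not. On a real machine, feed it `Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log` (the default log path), after enabling logging of allowed and blocked connections with `Set-NetFirewallProfile -LogAllowed True -LogBlocked True`, and put your vulnerability scanners and management servers in `-AllowList` so they are not reported as worms.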
So what now? Well, that’s complicated. Ransomware is one of the most direct threats to data availability. Encryption of critical files can shut a business down, particularly if there are no backups (or if the backups were also encrypted). Even with backups, getting all systems back in working order is time-consuming.
This scenario can tempt victims into paying the ransom the malware demands, usually in bitcoin (which is pseudonymous rather than anonymous; payments to WCrypt’s three addresses are visible to anyone who looks). But paying for decryption doesn’t guarantee files will be decrypted, or even that they won’t be deleted entirely. And at $300 to $600 per host (WCrypt doubles its demand after three days), it can cost thousands of dollars to decrypt an entire company’s files, depending on how they are stored.
This situation is making technical teams around the world wish they could go back in time. WCrypt’s spread has slowed for now because a kill switch was discovered: before encrypting, the malware tries to connect to a particular web domain and exits if the connection succeeds. That domain was unregistered, so a researcher registered it, which stops new infections on hosts that can reach it directly. The kill switch does nothing for machines already encrypted, for hosts that can only reach the internet through a proxy the malware does not use, or for any variant with the check removed, so another attack could be just around the corner. It may already be progressing right now.
Reduce Your Ransomware Vulnerability
To date, none of our clients have been impacted by WCrypt. An external vulnerability assessment and penetration test (VAPT) or an internal, credentialed vulnerability assessment goes a long way toward understanding whether your organization is at risk: both will show which hosts expose SMB and which are missing MS17-010.
To help educate staff, find and fix key vulnerabilities and increase your organization’s resistance to viruses and ransomware, contact Pivot Point Security.