UPDATE: Europol chief Rob Wainwright told the BBC, “Companies need to make sure they have updated their systems and ‘patched where they should’ before staff arrives for work on Monday morning.”
By now, you may have heard about the global ransomware attacks affecting organizations throughout the world. Estimates range from between 150,000 to 200,000 groups in nearly 150 countries, and those numbers could be higher. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it.
How does ransomware get onto a system generally?
Ransomware installs on a victim’s computer when a user clicks on a malicious link in a “phishing” email (or an email designed to trick the user into thinking that it is from a known or legitimate source). Ransomware can also be downloaded through infected file attachments or visiting a website that is malicious in nature. WannaCry appears to be delivered through links in phishing emails. You can read more about ransomware generally here and here. See graphic of malicious file message.
How does WannaCry work? WannaCry affects systems that are behind in their Windows patching. There is actually a patch for the vulnerability exploited by WannaCry (see, US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010). See the following links for additional technical information:
- Indicators Associated with WannaCry Ransomware US Department of Homeland Security: https://www.us-cert.gov/ncas/alerts/TA17-132A
- Multiple Ransomware Infections Reported: https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported
Is any system particularly vulnerable?
Because Windows Server 2003 or older, and Windows XP or older on the desktop, have been discontinued by Microsoft and are unsupported, these systems are particularly vulnerable. In response, Microsoft has taken the highly unusual step of releasing emergency security patches to defend against the malware for these unsupported versions of Windows, such as XP and Server 2003. Everyone should be actively checking systems and updating. This may be the first time that Microsoft has ever issued patches for decommissioned software.
What are immediate steps for an organization that is attacked?
An organization that is attacked should immediately isolate the affected systems and networks to avoid the spread of the malware and contact law enforcement.
How can a WannaCry victim regain access to data?
Once WannaCry or other ransomware installs and locks up a victim’s data, the only alternatives are: 1) restore data from clean backup systems; or 2) pay the ransom.
How can WannaCry and other types of ransomware be avoided?
- A comprehensive and continually updated security risk assessment
- A security risk assessment that doesn’t address ransomware is out of date
- Workforce training on ransomware – make sure that the workforce understands the importance of avoiding suspicious email messages, links and attachments
- Workforce testing on ransomware – send suspect phishing emails and see how many click on the suspicious links.
- Maintain comprehensive data backup systems – make sure that they are easily accessible in the event of an emergency (practice accessing them in a non-emergency)!
We will provide further information on the WannaCry attack as it becomes available.