WannaCry : Massive Global Malware Attack

The official advice is not to pay the ransom, and it’s good advice though often it’s not that simple.

The BBC reports that only about £30,000 had so far been paid to the bitcoin account setup to receive ransom payments, but with no known decryption tool available at the moment, and the cost of the ransom going up after three days, it’s likely to rise over the next few days.

The message from the UK National Crime Agency was not to pay the ransom. There is no guarantee that you will get the decryption key, and some experts have said the poorly designed malware might not even have the ability to restore your files.

Some companies have paid the ransom hoping to get back into their files, though typically, no one has come forward to admit that they paid (and therefore admit that they were infected, had poor network security, and apparently didn’t have backups or data recovery plans in place) in such a case, £230 looks like a reasonably cheap way to get out of a sticky situation.

Hopefully you already have suitable backups securely in place, and a policy for dealing with a malware infection. If you have then the best course of action is to remove the infected PC from your network and perform a clean wipe and reinstall of the operating system, and restore any files lost to the encryption malware from your backups. You will need to review you IT maintenance strategy to see where the holes were that allowed the infection in, and look at your planned disaster recovery strategy; did it work, did it cover everything, could there have been any improvements.

It would be advisable to also run additional malware scans, including rootkit scans, on your other computers, and to make sure any outstanding patches are applied, antivirus software updated, and firewalls configured to reduce the chance of any attempted infections.

Why was this so successful?

The success of WannaCry comes from exploiting a known vulnerability on Windows computers. A patch from Microsoft that fixed the vulnerability was made available to PC’s via Windows update two months ago, but a number of the PC’s that were infected had not had the patch installed. Many more were using older versions of Windows that are no longer supported by Microsoft, such as Windows XP (Although in an unprecedented move, Microsoft have since released patches for Windows XP, vista and Windows 8, available from the MS Update Store

This unpatched vulnerability (found in the SMB1 protocol used to communicate with other computers across a local network [Details on the SMBv1 Vulnerability]) allowed an infected PC to infect other computers on the network, and once they spread to another vulnerable machine, they infected that one and began again.

Once a PC is infected, it downloads the encryption tool and sets about encrypting all your files before flashing up the ransomware screen with details for paying the ransom.

“This is not a targeted attack on the NHS, all organisations are at risk, the NHS is just an ill prepared high profile victim”

I herd the American National Crime Agency (NCA) was involved

How do I protect my computers?

Firstly, you should make sure that all your computers, including servers, have the MS17-010 patch applied by running Windows Update. This blocks the vulnerability that allows the virus to spread from a single PC to your network.

This will NOT, however, prevent the initial infection which is likely to be spread via an infected email attachment or link to a malicious website. As the emails are likely to be flying about for a while yet, individual PC’s could still be at risk of infection with the ransomware.

You should check your antivirus program is configured correctly and put in place any changes to your firewall to protect your network.

You should also check your backups and make sure you are backing up everything you would need if you computers were to become infected with a similar malware, that your backups are running frequently, and that you can restore from them, and that they are in a secure location (ideally more than one) that cannot be infected. You should also check and configure file versioning where possible.

And then you should review and where needed, update or renew your network policies and procedures. You should have your PC policies set to restrict the execution of software you have not explicitly allowed, access permissions restricted to only what is needed, no one should be logging in as the administrator and users should be refreshed on your companies PC use policy and how to spot dangerous or fake emails.

More Information and links

• Microsoft Windows XP to Windows 8 Updater Tool [http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598]
• Kaspersky Blog on WannaCry [https://blog.kaspersky.co.uk/wannacry-ransomware/8700/]
• The Guardian blog [https://www.theguardian.com/technology/live/2017/may/15/ransomware-attacks-uk-government-defends-investment-in-security-live]
• The BBC News [http://www.bbc.co.uk/news/technology-39920141]
• The Guardian – Don’t Pay The Ransom [https://www.theguardian.com/technology/2017/may/15/dont-pay-ransomware-demands-cybersecurity-experts-say-wannacry]
• Wikipedia [https://en.wikipedia.org/wiki/WannaCry_ransomware_attack]
• Bleeping Computer – Virus Removal* Note the products recommended in this post are not the only products available, contact us for more information [https://www.bleepingcomputer.com/virus-removal/remove-wannacry-wana-decryptor-ransomware]

tinsleyNET #WeCanHelp