Categories: Malware

WannaCry : Massive Global Malware Attack

Malware attack infects PCs globally

You have probably heard on the news that millions of computers around the world have been infected with a piece of ransomware. Have you checked that your home and business PCs are protected?

What happened and is it over?

WannaCry infected thousands of corporate and home PCs

On Friday, a piece of malware called WannaCry (or WannaCrypt or WanaCrypt0r) infected more than 230,000 computers across 150 countries, encrypting files and holding the data to ransom for £200-£300 a time.

Once a PC was infected, it made use of a known vulnerability (a bug) in the way Windows computers talk to each other over a network to infect other machines; each newly infected machine did the same, and so on until every vulnerable machine on the network was infected. The malware then began encrypting the files on the infected machines, making them inaccessible without a key. And to get the key you had to pay the ransom.

The vulnerability it used was already known to Microsoft, and nearly two months ago Microsoft released a patch to fix the bug. It appears, though, that quite a few (thousand) businesses and users didn’t apply the update, or worse still, were using versions of Windows that were no longer supported, such as Windows XP.
The initial impact of the infection was massive, and it appears network managers have been busy fixing the vulnerable machines and patching the bug that allowed the malware to spread. Together these have slowed the spread of the virus for now, but with the media coverage this generated, it’s likely to inspire other malware creators to try to capitalise on the infections.

Secondary Infections

Affected systems will likely have had additional malware installed; some reports have come in of the DoublePulsar backdoor being installed.

UK Health Minister Jeremy Hunt confirmed to the BBC today that UK intelligence services had found no evidence of a second wave of attacks.

My computers were infected, what do I do?

The official advice is not to pay the ransom, and it’s good advice, though often it’s not that simple.
The BBC reports that only about £30,000 had so far been paid to the bitcoin account set up to receive ransom payments, but with no known decryption tool available at the moment, and the cost of the ransom going up after three days, that figure is likely to rise over the next few days.
The message from the UK National Crime Agency was not to pay the ransom. There is no guarantee that you will get the decryption key, and some experts have said the poorly designed malware might not even have the ability to restore your files.
Some companies have paid the ransom hoping to get back into their files, though typically no one has come forward to admit that they paid (and therefore admit that they were infected, had poor network security, and apparently didn’t have backups or data recovery plans in place). In such a case, £230 looks like a reasonably cheap way to get out of a sticky situation.
Hopefully you already have suitable backups securely in place, and a policy for dealing with a malware infection. If you have, then the best course of action is to remove the infected PC from your network, perform a clean wipe and reinstall of the operating system, and restore any files lost to the encryption malware from your backups. You will need to review your IT maintenance strategy to see where the holes were that allowed the infection in, and look at your planned disaster recovery strategy: did it work, did it cover everything, could there have been any improvements?
It would be advisable to also run additional malware scans, including rootkit scans, on your other computers, and to make sure any outstanding patches are applied, antivirus software updated, and firewalls configured to reduce the chance of any attempted infections.

Why was this so successful?

The success of WannaCry comes from exploiting a known vulnerability on Windows computers. A patch from Microsoft that fixed the vulnerability was made available to PCs via Windows Update two months ago, but a number of the PCs that were infected had not had the patch installed. Many more were using older versions of Windows that are no longer supported by Microsoft, such as Windows XP (although in an unprecedented move, Microsoft have since released patches for Windows XP, Vista and Windows 8, available from the MS Update Store).

This unpatched vulnerability (found in the SMB1 protocol used to communicate with other computers across a local network [Details on the SMBv1 Vulnerability]) allowed an infected PC to infect other computers on the network; each newly infected machine then did the same and the cycle began again.

Once a PC is infected, it downloads the encryption tool and sets about encrypting all your files before flashing up the ransomware screen with details for paying the ransom.

“This is not a targeted attack on the NHS, all organisations are at risk, the NHS is just an ill-prepared high profile victim”

Richard Jameson from IT Security firm InfoTech Legal

I heard the American National Crime Agency (NCA) was involved

It is very likely that the code used in the malware attack came from code stolen from the US NCA. It’s known that the US NCA ‘stockpile’ vulnerabilities they find rather than reporting them to the developers so that a patch can be created to fix the bug. This could be so they have a readily available arsenal of code they could potentially use against an organisation or country in a cyber war situation, or as a means of deploying spyware secretly to individuals or groups of people.

How do I protect my computers?

Firstly, you should make sure that all your computers, including servers, have the MS17-010 patch applied by running Windows Update. This blocks the vulnerability that allows the virus to spread from a single PC to your network.

This will NOT, however, prevent the initial infection, which is likely to be spread via an infected email attachment or a link to a malicious website. As the emails are likely to be flying about for a while yet, individual PCs could still be at risk of infection with the ransomware.

You should check your antivirus program is configured correctly and put in place any changes to your firewall to protect your network.

You should also check your backups and make sure you are backing up everything you would need if your computers were to become infected with similar malware, that your backups are running frequently, that you can restore from them, and that they are in a secure location (ideally more than one) that cannot be infected. You should also check and configure file versioning where possible.

And then you should review and, where needed, update or renew your network policies and procedures. Your PC policies should restrict the execution of software you have not explicitly allowed, and access permissions should be restricted to only what is needed. No one should be logging in as the administrator, and users should be refreshed on your company’s PC use policy and how to spot dangerous or fake emails.
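As an added example (not from the original post), the following PowerShell script checks the first two points above on a single machine: whether the MS17-010 update is present and whether the SMBv1 protocol the worm spread over is still enabled and reachable. It assumes Windows 8 / Server 2012 or later (the SmbShare, DISM and NetSecurity modules), an elevated prompt, and that you replace the KB placeholder with the MS17-010 KB number for your own Windows version, which the post does not list.

```powershell
# Added example, not part of the original post. Assumes Windows 8 / Server 2012 or
# later and an elevated PowerShell prompt. The KB number for MS17-010 differs per
# Windows version and is not given in the post, so it is a placeholder here.
param(
    [string]$Ms17010Kb = 'KBxxxxxxx_REPLACE_WITH_YOUR_OS_MS17-010_KB',
    [switch]$DisableSmb1
)

$report = [ordered]@{}

# 1. Is the MS17-010 hotfix installed? Get-HotFix lists installed Windows updates.
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $Ms17010Kb }
$report['MS17-010 installed'] = [bool]$hotfix

# 2. Is the SMBv1 server protocol still switched on? Patched or not, it is legacy.
$smbCfg = Get-SmbServerConfiguration
$report['SMBv1 server enabled'] = $smbCfg.EnableSMB1Protocol

# 3. Are the SMB1 binaries (client and server) installed as a Windows feature?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1Protocol feature state'] = if ($feature) { $feature.State } else { 'not present' }

# 4. Which enabled inbound firewall rules open TCP/445 (the port SMB runs over)?
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$report['Inbound TCP/445 rules enabled'] = ($rules | Measure-Object).Count

[pscustomobject]$report | Format-List

# Optional remediation: turn the SMBv1 server off. No reboot is needed for this setting.
if ($DisableSmb1 -and $smbCfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled. Re-run without -DisableSmb1 to confirm.'
}
```

On Windows 7 and older the SmbShare cmdlets are not available, so there the post's advice stands: run Windows Update and confirm the MS17-010 update appears in the installed updates list.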

More Information and links

tinsleyNET #WeCanHelp

If you have been infected and need help recovering from the attack, or if you want to make sure you are not a victim in the future, contact us today to discuss your needs. We can provide perimeter security, managed antivirus solutions, 24/7 monitored servers, backup plans, network policies and user training to help keep your precious data secure.

07825650122 | it@tinsleyNET.co.uk | @tinsleyNET | +tinsleyNETcouk | www.tinsleynet.co.uk | Facebook | #Stuff4Steph
tinsleyNET IT Services Consultant
IT Support for small to medium or large sized businesses, home office workers and home users
across the UK based in the West Midlands and Shropshire.
#WeCanHelp
