You have probably heard on the news that millions of computers around the world have been infected with a piece of ransomware, have you checked if your home and business PC’s are protected?
On Friday, a piece of malware called WannaCry (or WannaCrypt or WanaCrypt0r) infected more than 230,000 computers across 150 countries, encrypting files and holding the data to ransom for £200-£300 a time.
Once a PC was infected, it made use of a known exploit (a bug) in the way Windows computers talked to each other over a network to infect other machines, and they spread the infection and so on until all the vulnerable machines on a network were infected. The malware then began encrypting the files on the infected machines, making them inaccessible without a key. And to get the key you had to pay the ransom.
Affected systems will likely have had additional malware installed, some reports have come in of the DoublePulsar backdoor being installed.
UK Health Minister Jeremy Hunt confirmed to the BBC today that UK intelligence services had found no evidence of a second wave of attacks.
The success of WannaCry comes from exploiting a known vulnerability on Windows computers. A patch from Microsoft that fixed the vulnerability was made available to PC’s via Windows update two months ago, but a number of the PC’s that were infected had not had the patch installed. Many more were using older versions of Windows that are no longer supported by Microsoft, such as Windows XP (Although in an unprecedented move, Microsoft have since released patches for Windows XP, vista and Windows 8, available from the MS Update Store
This unpatched vulnerability (found in the SMB1 protocol used to communicate with other computers across a local network [Details on the SMBv1 Vulnerability]) allowed an infected PC to infect other computers on the network, and once they spread to another vulnerable machine, they infected that one and began again.
Once a PC is infected, it downloads the encryption tool and sets about encrypting all your files before flashing up the ransomware screen with details for paying the ransom.
“This is not a targeted attack on the NHS, all organisations are at risk, the NHS is just an ill prepared high profile victim”
Firstly, you should make sure that all your computers, including servers, have the MS17-010 patch applied by running Windows Update. This blocks the vulnerability that allows the virus to spread from a single PC to your network.
This will NOT, however, prevent the initial infection which is likely to be spread via an infected email attachment or link to a malicious website. As the emails are likely to be flying about for a while yet, individual PC’s could still be at risk of infection with the ransomware.
You should check your antivirus program is configured correctly and put in place any changes to your firewall to protect your network.
You should also check your backups and make sure you are backing up everything you would need if you computers were to become infected with a similar malware, that your backups are running frequently, and that you can restore from them, and that they are in a secure location (ideally more than one) that cannot be infected. You should also check and configure file versioning where possible.
And then you should review and where needed, update or renew your network policies and procedures. You should have your PC policies set to restrict the execution of software you have not explicitly allowed, access permissions restricted to only what is needed, no one should be logging in as the administrator and users should be refreshed on your companies PC use policy and how to spot dangerous or fake emails.
If you have been infected and need help recovering from the attack, or if you want to make sure you are not a victim in the future, contact us today to discuss your needs. We can provide perimeter security, managed antivirus solutions, 24/7 monitored servers, backup plans, network policies and user training to help keep your precious data secure.
tinsleyNET IT Services Consultant
IT Support for small to medium or large sized businesses, home office workers and home users
across the UK based in the West Midlands and Shropshire.
#WeCanHelp
Leave a Comment