On Friday May 12th, the headlines were all about how the NHS UK trusts had been impacted by a severe cyber-attack. The attack was related to a strain of ransomware called “Wana Decrypt0r 2.0”, also known as Wannacryptor, WannaCry or wncry. As the news unfolded, reports revealed the NHS had not been the victim - other organizations around the world had also fallen to Wana Decrypt0r 2.0 attack too. Ransomware is a piece of malicious code that will encrypt your personal data on your computer and then only give you the decryption keys in exchange for currency, normally paid by Bitcoin. Once the ransom has been paid, the keys are supplied to decrypt your data. But the question that many people are asking is “how did this spread to so many systems and countries so quickly?” Some reports suggest that the victims received a phishing email that included an attachment or link that then downloaded ransomware and impacted the Windows operating system. Once the malware is on a Windows computer system, it will attempt to propagate to other Windows machines on the same local network. Organizations with weakened controls or unpatched systems will be the worse impacted. Microsoft released a security bulletin on the March 14, 2017 which provided more details on the exploit: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx To ensure you are not affected by this attack from other infected machines, you must ensure your Windows systems are updated with the latest security patches. Organizations need to react to this as well and patch all their Windows operating systems, not just the critical systems. The vulnerability impacts all variants of the Windows family. Patching to the latest security updates will help prevent the ransomware from spreading to your machine. Of course, patching to the latest updates does not necessarily protect you if you click a link or open an attachment with malicious content. This is where user awareness and training comes in. Be vigilant when you receive an email from an unknown source. If you have doubts about its origin, don’t click the link or open attachments. WannaCry seems to have originated from a criminal network, not a foreign attack. The clues relate to the payment for decryption keys – initially set to $300 in Bitcoin. New reports show this has now increased to over $600 in Bitcoin. This is consistent behavior for a criminal network. However, to date of this publication, this has not been confirmed yet. The UK National Cyber Security Centre will conduct a forensic analysis of the attack.
Tips for Organizations:
Organizations should remain focused on strengthening their security posture. Weakened security controls allow ransomware to spread more easily throughout systems. Make sure you’ve budgeted appropriately for cybersecurity and that you invest in updated operating systems. Good disaster recovery programs should be put in place and tested regularly. You should also ensure backups are taken of key critical systems so that if ransomware does impact data, you can restore from backups. If you want to learn more about how Tripwire's product suite can help your organization be prepared for similar attacks in the future, please watch this video: https://www.youtube.com/watch?v=plotp84p9o0