What do you need to know about the WannaCry ransomware attack?
A global ransomware attack hit thousands of users in May, and it’s likely to continue posing a threat to business network security.
Starting May 12, thousands of users fell victim to a global ransomware attack before a single cybersecurity researcher accidentally thwarted it. This particular attack, known as WannaCrypt0r 2.0 or WannaCry, has brought ransomware into the spotlight around the world. Businesses must be aware of ransomware risks, as signs indicate the WannaCry attack is not over yet.
Let’s examine how the attack unfolded, how it was temporarily halted and what organisations can do to prepare for future ransomware with stronger network security.
A global cyber pandemic
WannaCry is not new ransomware, but May 12 marked a massive spike in its use. According to antivirus company Avast, over 126,000 machines were infected in 104 countries by May 13. A large Spanish telecom company and hospitals across the UK were among the most high-profile victims, but there was also a high concentration of attacks on Russian networks in particular.
Check out this NYT post, they made a really cool time based map with my data https://t.co/K7lVjagq29
MalwareTech (@MalwareTechBlog) May 13, 2017
Like all ransomware, WannaCry works by infiltrating a computer and encrypting the files on it. Victims are greeted by a message informing them that their files have been encrypted and that they must pay a ransom for the decryption key, US$300 worth of Bitcoin in this instance. From screenshots of infected devices, we can see that WannaCry gives victims two deadlines: one after which the ransom price increases, and one after which the attackers claim the files can no longer be recovered at all. Both deadlines are pressure tactics; neither is a reason to trust that paying will actually produce a working key.
Patrick Coomans (@patrickcoomans) May 13, 2017
According to an analysis by Krebs on Security, the perpetrators behind WannaCry had collected about US$26,000 (slightly over AU$35,000) in ransom payments by May 13. This is rather paltry for a global cyberattack, but the report notes that some organisations may still pay out in the coming days, and that there could be other, undiscovered Bitcoin addresses taking in payments. The real cost to businesses, however, is the lost productivity during the outage and the cost of the recovery process, which are incurred whether or not anyone pays.
The kill switch and revival
After many of the targets in Europe and Asia had been hit, a UK-based cybersecurity researcher inadvertently found a cheap way to stop the attack. The researcher, Twitter user MalwareTechBlog, noticed that the sample tried to connect to a long, nonsensical domain name that nobody had registered, and registered it (for roughly US$10) in order to sinkhole the traffic. It turned out that the malware only continued running when that connection failed; once the domain resolved and answered, newly infected machines aborted before encrypting anything or spreading further. Registering the domain therefore halted new infections, at least temporarily, although it did nothing for machines that were already encrypted.
My blog post is done! Now you can read the full story of yesterday’s events here: https://t.co/BLFORfM2ud
MalwareTech (@MalwareTechBlog) May 13, 2017
By all appearances, that kill switch was deliberately included in the WannaCry design. A copycat attacker or the original perpetrators could simply change the domain or remove the check altogether, so it is unlikely that we have seen the last of WannaCry. The kill switch also only works where the infected machine can reach the registered domain directly; on networks that force all web traffic through a proxy, the connection attempt can fail and the malware runs as if the domain were still unregistered.
Already, some cybersecurity experts are finding WannaCry variants that do not contain the same kill switch mechanism as the original attack.
Matthieu Suiche (@msuiche) May 14, 2017
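The kill-switch behaviour described above, and the check a defender can run against their own DNS logs, as an added example that is not code from the WannaCry sample, from MalwareTech or from the original article. The domain name, log format, client addresses and timestamps are all constructed placeholders; the real kill-switch domain is not quoted on this page, so a stand-in is used.

```python
"""Kill-switch logic and a DNS-log check for hosts that tripped it.

Added illustration, not code from the WannaCry sample or the original article.
KILLSWITCH_DOMAIN, the log format and the hosts below are constructed.
"""
from collections import defaultdict
import re

# Placeholder standing in for the long unregistered domain found in the sample
# (assumption: the real domain is not quoted on the page, so a stand-in is used).
KILLSWITCH_DOMAIN = "killswitch-example.invalid"


def killswitch_decision(domain_reachable: bool) -> bool:
    """Mirror the sample's pre-run check: return True if the payload should run.

    The malware tried to connect to the hard-coded domain and only continued
    (encrypting and spreading) when that connection *failed*. Once the domain
    was registered and answering, the check succeeded and new infections
    aborted. Note the implication for proxied networks: if the connection
    fails for any reason, the malware behaves as though the domain is dead.
    """
    return not domain_reachable


# Constructed resolver log lines: "timestamp client record_type query_name".
SAMPLE_DNS_LOG = """\
2017-05-12T15:01:02Z 10.1.4.22 A www.microsoft.com
2017-05-12T15:01:09Z 10.1.4.22 A killswitch-example.invalid
2017-05-12T15:01:10Z 10.1.7.5 A update.example.com
2017-05-12T15:02:44Z 10.1.7.5 A killswitch-example.invalid
2017-05-12T15:03:01Z 10.1.9.80 A killswitch-example.invalid
2017-05-12T15:03:05Z 10.1.4.22 A killswitch-example.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def hosts_querying(log_text: str, domain: str = KILLSWITCH_DOMAIN) -> dict:
    """Return {client_ip: [timestamps]} for every query to `domain`.

    A host that resolves the kill-switch name has already executed the
    dropper: it is unpatched and reachable, and only the registered domain
    stopped it. Treat each hit as an infection attempt to triage, not as
    evidence that nothing happened.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, _rtype, qname = m.groups()
        if qname.rstrip(".").lower() == domain.lower():
            hits[client].append(ts)
    return dict(hits)


if __name__ == "__main__":
    assert killswitch_decision(domain_reachable=True) is False
    for host, times in hosts_querying(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Two caveats follow directly from the logic. First, a machine that never resolves the name is not necessarily clean: the variants without a kill switch, or with a different domain, produce no such lookup. Second, answering the kill-switch name internally (a local sinkhole) only helps if the malware's connection attempt actually reaches it; a mandatory web proxy that the malware does not use will make the check fail and let the payload run.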
How to protect your organisation
WannaCry did not rely on victims clicking malicious links in emails. It propagated as a worm over the network, exploiting a vulnerability in the Windows Server Message Block (SMB) service, the file- and printer-sharing protocol that connects computers and other devices in a network, and attacking any reachable machine that exposed SMB (TCP port 445) and had not been patched. Microsoft patched this vulnerability in March 2017 (security bulletin MS17-010), but businesses must still be vigilant: with this transmission method a single unpatched machine on the network, or one exposed to the internet on port 445, is enough to seed an infection that then spreads on its own, with no user action required.
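Because the worm behaviour shows up in the network as one host opening SMB connections to many different peers in a short time, that fan-out is something a security team can look for in firewall or flow logs. The following is an added example of such a check; it is not code from the original article or from any vendor product, and the log format, addresses, timestamps and thresholds are constructed for illustration.

```python
"""Detect worm-style SMB fan-out in connection logs.

Added illustration, not code from the original article or from any vendor
tool. The log format, addresses, timestamps and thresholds are constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall / flow records: "timestamp src dst dport action".
# 10.2.0.15 behaves like an SMB worm (12 distinct peers on 445 in 12 seconds,
# plus one more five minutes later); 10.2.0.99 is a normal workstation that
# talks to one file server and a NAS and browses the web.
SAMPLE_CONN_LOG = """\
2017-05-12T09:00:00Z 10.2.0.15 10.2.0.40 445 allow
2017-05-12T09:00:01Z 10.2.0.15 10.2.0.41 445 allow
2017-05-12T09:00:02Z 10.2.0.15 10.2.0.42 445 deny
2017-05-12T09:00:03Z 10.2.0.15 10.2.0.43 445 allow
2017-05-12T09:00:03Z 10.2.0.99 10.2.0.5 445 allow
2017-05-12T09:00:04Z 10.2.0.15 10.2.0.44 445 deny
2017-05-12T09:00:04Z 10.2.0.99 203.0.113.10 443 allow
2017-05-12T09:00:05Z 10.2.0.15 10.2.0.45 445 allow
2017-05-12T09:00:06Z 10.2.0.15 10.2.0.46 445 allow
2017-05-12T09:00:07Z 10.2.0.15 10.2.0.47 445 deny
2017-05-12T09:00:08Z 10.2.0.15 10.2.0.48 445 allow
2017-05-12T09:00:09Z 10.2.0.15 10.2.0.49 445 allow
2017-05-12T09:00:10Z 10.2.0.15 10.2.0.50 445 allow
2017-05-12T09:00:10Z 10.2.0.99 10.2.0.6 445 allow
2017-05-12T09:00:11Z 10.2.0.15 10.2.0.51 445 deny
2017-05-12T09:00:30Z 10.2.0.99 10.2.0.5 445 allow
2017-05-12T09:05:00Z 10.2.0.15 10.2.0.60 445 allow
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_conn_log(log_text, dport=445):
    """Group (time, dst) pairs by source address for connections to `dport`.

    Denied connections are kept on purpose: a worm probing the subnet shows
    up as a burst of *attempts*, and the blocked ones are the cheapest signal.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, port, _action = parts
        if port != str(dport):
            continue
        by_src[src].append((datetime.strptime(ts, TS_FMT), dst))
    return by_src


def smb_fanout_alerts(log_text, threshold=10, window_s=60, dport=445):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on `dport` inside any sliding window of
    `window_s` seconds.

    A workstation normally talks SMB to a handful of servers; a host opening
    445 to a dozen different peers within a minute is scanning, not working.
    """
    window = timedelta(seconds=window_s)
    alerts = {}
    for src, events in parse_conn_log(log_text, dport).items():
        events.sort()
        in_window = deque()   # (time, dst) pairs currently inside the window
        per_dst = Counter()   # in-window event count per destination
        for t, dst in events:
            in_window.append((t, dst))
            per_dst[dst] += 1
            # Expire events older than the window (the current event never is).
            while t - in_window[0][0] > window:
                _, old = in_window.popleft()
                per_dst[old] -= 1
                if per_dst[old] == 0:
                    del per_dst[old]
            if len(per_dst) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(per_dst))
    return alerts


if __name__ == "__main__":
    for src, peak in smb_fanout_alerts(SAMPLE_CONN_LOG).items():
        print(f"ALERT {src}: {peak} distinct SMB peers inside one window")
```

Tune `threshold` and `window_s` against a baseline of your own environment before alerting on it: a backup server or a vulnerability scanner legitimately contacts many hosts on 445, and should be allow-listed rather than raising the threshold for everyone.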
Remember that ransomware is essentially a specialised kind of malware, so ordinary best practices and a well-run security infrastructure go a long way towards mitigating the risk. For WannaCry specifically, that means applying the MS17-010 patch to every Windows machine, disabling the obsolete SMBv1 protocol where it is not required, blocking inbound TCP port 445 at the internet perimeter, and limiting which internal segments can reach each other over SMB so that one infected machine cannot reach the whole estate. It also includes training staff in the importance of not clicking on suspicious links in emails, since that remains the most common way malware of all kinds gets its first foothold.
Given the way ransomware works, there is a simple step businesses can take to ensure they get back up and running without paying a ransom: back up everything. Ransomware encrypts the files it can reach on a computer or the network, so if you hold physical or cloud-based backup copies of those files, you can wipe the locked machine and restore it. Two caveats matter in practice. The backups must be offline, or held on storage that the infected machine cannot write to, because a worm that can reach a mapped backup share will encrypt that too. And the restore must be tested, and the machine patched before it is reconnected, or it will simply be reinfected by the next neighbour that is still scanning.
Telarus is one of Australia and New Zealand’s most trusted providers of business network security services. To learn more about how we can help secure your organisation and monitor against cyberthreats, contact us today.