The WannaCry ransomware attack is slowing as IT teams across the globe work to deploy patches, disable SMBv1 and recover files, but we are still very much in the midst of the situation. Here’s a look at what we know and what we can do in an effort to prevent future attacks.
What is the WannaCry Ransomware?
On May 12, 2017, a new strain of the Ransom.CryptXXX (WannaCry) ransomware began spreading globally, affecting a large number of organizations. WannaCry encrypts data files and asks users to pay a ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
We have learned that the bitcoin accounts have been abandoned, and there never was an automated decryption process, so victims should not pay the ransom. Recovery from backups are the best course of action.
How Did WannaCry Spread?
WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.
According to Microsoft, “A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”
How is WannaCry Stopped?
Applying the most recent Microsoft patches to environments will help protect computers from WannaCry infections. Another immediate remediation plan is to disable the specific system protocol known as SMBv1 to mitigate the risk of infection in relation to WannaCry.
Lessons Learned from WannaCry?
Experts warn the WannaCry may not be over just yet so we’ll tread lightly on ‘lessons’ learned, but there are a few we can share:
Backups Enable Ransomware Recovery: In ransomware situations, backups (Eze Vault) are the only way to recover files from an attack. With WannaCry, there is no automated decryption process, so even if the ransom is paid files are not returned/decrypted.
Firms must conduct regular backups and test them to ensure a seamless and proper restore is possible.
Patch + System Updates are Critical: As Brad Smith, president of Microsoft, wrote, “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Firms should have a plan or patch management program to help ensure patches are applied in a timely manner.
Old Technology Can Be Dangerous: Helping WannaCry spread was outdated technology, including computers running the 16-year old operating system Windows XP (end of support: April 2014). As Smith noted, “It's worth remembering that Windows XP not only came out six years before first iPhone. It came out two months before the very first iPod.”
As WannaCry showed us, the risk of using legacy technology largely outweighs the benefits. By not upgrading, firms are potentially risking everything. As patches and bug fixes are no longer being provided, hackers have an unguarded entrance to access a firm’s environment. This not only increases the firm’s odds of being hacked, but also raises the gravity of ensuing damages should an incident occur.
Expect to see more from Eze Castle Integration on this topic, and as always, feel free to reach out if you’d like to talk more about cybersecurity solutions.
We recently hosted a debrief webinar on this topic. Click here or watch below to get up to speed.