On Friday, 12 May 2017, a ransomware attack called WannaCry ran riot. Within a day this massive global cyber extortion attack crippled more than 230,000 computers in over 150 countries and left others scrambling to protect themselves. It hit Britain’s National Health Service, Spain’s Telefónica, FedEx, as well as many other countries and companies worldwide, leading to PCs and data being locked up and held for ransom.
What is it, why is this happening, and how to defend against WannaCry and other ransomware? Here are 7 facts organizations must be aware of.
1. What is WannaCry and how does it work?
WannaCry is a piece of ransomware first spotted by security researchers MalwareHunterTeam, at 9.45am on 12 May. It is also being called WanaCrypt0r 2.0, Wanna Decryptor 2.0, WCry 2, WannaCry 2 and Wanna Decryptor 2.
This ransomware exploits a known vulnerability in Microsoft Windows operating system and it is believed to be using tools developed by the United States National Security Agency (NSA) that was leaked by an anonymous group calling itself “Shadow Brokers” in April.
The infection initially takes place through an exposed Server Message Block (SMB) port of a computer, then it uses the vulnerability to spread out to random computers on the Internet and laterally to computers on the same network. Once WannaCry takes hold of the computer, it then encrypts files, locks the user out of the computer, and requests a ransom.
2. Who was behind the attack?
Attribution is tricky in the world of cyberwarfare. The Shadow Brokers, who said in April it had stolen a “cyber weapon” from the NSA, is being partly blamed for the attack. The hacking tool, called “Eternal Blue”, gives unprecedented access to all computers using Microsoft Windows. It had been originally developed by the NSA to gain access to computers used by terrorists and enemy states. It is reported that a separate crime group might have spotted this opportunity and updated the tool to attack the computers around the world.
Some experts examining the code have found technical clues they said could link North Korea with the attack. Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.
3. How much money are they asking for and has anyone paid?
A key feature of successful ransomware is that the ransom is usually a modest sum – far less than the cost of paying a team of security experts to try to defeat the encryption attack. WannaCry is asking for $300-$600 worth of the cryptocurrency Bitcoin to unlock the contents of the computers. If victims did not pay up quickly, there is a threat that higher payments would be demanded.
Despite the widespread infection, only a small number of payments have been made. CNBC reports that payments have added up to just $50,000 worth of bitcoin payments, but the financial damage to victims around the world will be several orders of magnitude higher by the time all is said and done. Security experts continue to urge victims to not pay the ransom fee.
4. Will paying the ransom really unlock the files?
Sometimes paying the ransom will work, but sometimes it won’t. Security analysts say that over 200 of the WannaCry victims who promptly paid the ransom have gotten their data back. However, cybersecurity experts advise against paying the ransom, noting that historically only about two-thirds of compliant ransomware victims get their data back after meeting hacker demands. Microsoft also stated in the FAQ of ransomware that “there is no guarantee that handing over the ransom will give you access to your files again. Paying the ransom could also make you a target for more malware.”
5. What has Microsoft done to tackle it?
Microsoft stated that it had already released a security update to patch the vulnerability exploited by the ransomware. On 12 May, a Microsoft spokesman said its engineers had provided additional detection and protection services against the WannaCry ransomware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.
6. Will it continue to spread?
A British cybersecurity researcher has discovered a “kill switch” that can temporarily prevent the spread of the WannaCry ransomware. The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
However, it did not take long for new versions of WannaCry to appear after the kill switch code was removed.
7. How organizations can protect themselves?
Once ransomware has encrypted your files there’s not a lot you can do. The first line of defense against WannaCry is installing the latest Windows security updates. Resolving the flaw that allows this virus to propagate is vital.
Although WannaCry does not appear to have relied on phishing emails to spread, most ransomware viruses do, so another crucial tip is to avoid opening suspicious attachments or clicking mystery links in emails.
As ransomware encrypts data, the best defense against ransomware attacks is to maintain good backups of valuable data. In case a ransomware strikes, the system can be cleaned off, and a safe backup copy of the data can be restored. Backups of important data should be kept safe from contamination, so the best protection strategy is to store the backup data in multiple remote and cloud destinations.
Looking ahead, there will only be more rampant ransomware threatening organizations and individuals worldwide. It is now imperative for everyone to start backing up their computers in order to survive from the next waves of ransomware attacks. Just drop us a message if you would like to know more about offering backup solutions to your customers.
Sources: The Guardian, The San Diego Union Tribune, The Telegraph