Ransomware Attacks are real

One of the biggest cyber attacks of recent days has affected countries all around the world, and whilst there has been plenty of information about who and where it has struck, I am still asked the basic question: “What is it?” This blog aims to answer that, based on my own understanding and reading.

Attacks of this scale are scary, especially when large organisations such as the NHS and one of Spain’s largest telecoms providers are among the victims.

So What is “WannaCry”?

“WannaCry” is a piece of ransomware that infects computers with the intent of extorting money in return for access to the contents of the PC it has hijacked. It encrypts files and claims it will only let you back in once the ransom has been paid.

Which platforms does it affect?

So far it only affects Windows-based systems, with the most widely reported victims being organisations still running Windows XP. As a reminder, this is a very old operating system which went out of all forms of support back in 2014! “WannaCry” uses a known exploit against a legacy Windows networking protocol (SMB v1) to get in. The exploits are reportedly the ones which were stolen from the U.S. National Security Agency (NSA). It is worth noting that all currently supported versions of Windows were quickly patched following the theft, but XP was not.

The necessary fixes were compiled into Microsoft’s March 2017 MS17-010 security update, but not all organisations (and even some managed service providers) are “great” at keeping systems patched and up to date.
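As an added example (not code from the original post), the PowerShell below audits a single Windows host for the two conditions the post describes: SMBv1 still enabled, and no MS17-010 update present. It assumes an elevated PowerShell session on Windows 8.1/10 or Server 2012 R2 and later (where `Get-SmbServerConfiguration` exists). The KB numbers listed are the ones commonly associated with MS17-010 for each build, included as an assumption for illustration; confirm the right KB for your exact OS against the MS17-010 bulletin, and remember that later cumulative updates on Windows 10 supersede these KBs, so a missing match there is not proof of exposure.

```powershell
# Added example: audit a host for SMBv1 exposure and the MS17-010 patch.
# Assumptions: elevated session, Windows 8.1/10 or Server 2012 R2+.
# KB list is an illustrative assumption; verify against the MS17-010 bulletin.
$Ms17010Kbs = @(
    'KB4012598',               # out-of-band package (XP / Server 2003 / Vista / 2008 / 8 RT)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Get-HotFix lists the same entries as "Installed Updates"; HotFixID is "KBnnnnnnn".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = $installed | Where-Object { $Ms17010Kbs -contains $_ }
    return [bool]$hits
}

function Get-Smb1Enabled {
    # EnableSMB1Protocol reports whether the SMBv1 server side is switched on.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1Server {
    # Switch off the protocol WannaCry attacked. Only very old printers/NAS still need it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 8.1/10 the SMBv1 component can also be removed as an optional feature.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Invoke-WannaCryHostAudit {
    param([switch]$DisableSmb1)   # report only unless -DisableSmb1 is given

    $report = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = Get-Smb1Enabled
        Ms17010Installed = Test-Ms17010Installed
    }
    $report | Format-List

    if ($report.Smb1Enabled -and $DisableSmb1) {
        Write-Warning 'SMBv1 is enabled; disabling the server component.'
        Disable-Smb1Server
    }
    if (-not $report.Ms17010Installed) {
        Write-Warning 'No MS17-010 KB found. Run Windows Update, or check for a superseding cumulative update.'
    }
    return $report
}

# Usage: report only, then re-run with -DisableSmb1 once you are sure nothing needs SMBv1.
Invoke-WannaCryHostAudit
```

Run it without the switch first and review the output; the `-DisableSmb1` switch is separated out so that a file server still serving a legacy device is not knocked offline by an audit. Disabling SMBv1 removes the protocol this attack used to spread; installing MS17-010 closes the specific hole, and both are worth doing.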

How big of an attack is it?

According to European authorities, as many as 10,000 organisations and more than 200,000 individuals have been affected in more than 150 countries. It is being described as unprecedented on a global scale.

How much is the ransom?

Right now, $300 in Bitcoin.

How is it infecting computers?

The underlying tool is understood to be the EternalBlue program, developed first by American security services and subsequently leaked on the internet. In brief, it spreads as follows:

The ransomware uses a known, publicly disclosed exploit in SMBv1 (Server Message Block version 1), an application-layer protocol used for sharing files and printers in a networked environment.

With regards to clicking on suspect links, the advice always remains the same: don’t click on any links or open any files you have doubts about. In this case that is not necessarily how you’d end up with this particular ransomware, but there are plenty of others out there that try to get in this way.

If I get hit, should I pay the ransom?

No way – never! Remember that these are criminal organisations, and the chances are you will not only be out of pocket, but most likely still without your files – even if you pay! “Victims are also expected to contact the criminals for a key to unlock their files,” said security expert Prof Alan Woodward from the University of Surrey.

“I very much doubt anyone would return your contact request, bearing in mind the attention that is now on this. If anyone pays this ransom they are more than likely going to send Bitcoin that will sit in an address for ever more.”

These people don’t want to be found, so they’re unlikely to do anything that would give authorities any kind of edge in tracking them down.

Am I or my business at risk?

Sadly, yes! We are always at some kind of risk on the internet. However, Microsoft stated early on that Windows 10 users with Windows Update turned on and Windows Defender active will be protected from this and many other forms of sophisticated malware and ransomware.

If you or your organisation do not have Automatic Updates turned on, then that’s a good place to start!
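The two protections named above (Windows Update turned on, Windows Defender active) are easy to check rather than assume. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes an elevated session on Windows 10 with the built-in Defender module, and reads the registry locations where the Automatic Updates setting lives.

```powershell
# Added example: confirm Windows Update is on and Windows Defender is active.
# Assumptions: Windows 10, elevated session, built-in Defender PowerShell module.

function Get-AutoUpdateSetting {
    # Policy key (GPO) wins over the legacy per-machine key.
    # AUOptions: 2 = notify before download, 3 = download then notify, 4 = install automatically.
    # NoAutoUpdate = 1 in the policy key switches Automatic Updates off entirely.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($policy -and $policy.NoAutoUpdate -eq 1) { return 'Disabled' }
    if ($policy -and $policy.AUOptions)          { return [int]$policy.AUOptions }
    $legacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    if ($legacy -and $legacy.AUOptions)          { return [int]$legacy.AUOptions }
    # No explicit setting present: Windows 10 installs updates automatically by default.
    return 'Default'
}

function Test-WindowsUpdateOn {
    # The Windows Update service must not be disabled, and no policy may turn updates off.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.StartType -eq 'Disabled') { return $false }
    $setting = Get-AutoUpdateSetting
    return ($setting -ne 'Disabled' -and $setting -ne 1)
}

function Get-DefenderState {
    # Get-MpComputerStatus returns $null when the module is missing or a third-party AV has
    # taken over; treat that as "not active" so it is looked at rather than silently passed.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        return [pscustomobject]@{ Active = $false; SignatureAgeDays = 'n/a' }
    }
    $age = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    return [pscustomobject]@{
        Active           = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
        SignatureAgeDays = $age
    }
}

$defender = Get-DefenderState
$status = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    WindowsUpdateOn    = Test-WindowsUpdateOn
    AutoUpdateSetting  = Get-AutoUpdateSetting
    DefenderActive     = $defender.Active
    SignatureAgeDays   = $defender.SignatureAgeDays
}
$status | Format-List

if (-not $status.WindowsUpdateOn) { Write-Warning 'Windows Update is off or blocked by policy; turn it on.' }
if (-not $status.DefenderActive)  { Write-Warning 'Windows Defender real-time protection is not active.' }
if ($status.SignatureAgeDays -is [int] -and $status.SignatureAgeDays -gt 3) {
    Write-Warning "Defender signatures are $($status.SignatureAgeDays) days old."
}
```

A signature age of a few days is flagged because Defender being "active" only helps if it is also receiving updates; the threshold of three days is a tuning assumption, not a Microsoft figure. If a third-party product has replaced Defender the Defender check will report inactive, which is expected, but the Windows Update check still applies.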

If I have been affected, how do I get my files back?

Right now there’s not a lot to suggest the files will ever be accessible again – but this may change. If you don’t have a backup, you may have lost your data. Good practice is to always back up your important files.

Can you repair your computer?

Experts at Microsoft and many of the world’s leading anti-virus organisations are working on “clean-up tools”, so expect some to be available by the end of the week.

Is Microsoft doing anything to help?

Lots, actually. Despite it not being Microsoft’s fault, especially for businesses still running a non-hardened Windows XP operating system in 2017, Microsoft has jumped in to assist. Official support for XP has long since ended, but Microsoft issued a patch for the OS over the weekend to try to keep WannaCry away. Whilst this is proving successful and new cases are almost zero, its success depends on the patch being installed on a non-infected system in the first place.

Someone cracked it though right?

Yes they did. A cybersecurity researcher from the UK “accidentally” found a way to slow down the spread of the attack by stumbling upon a so-called “kill switch.”

He said in an interview “I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental”.

In the simplest terms, a domain name was found inside the code of the WannaCry program, and registering that domain had a dramatic effect, as described to The Guardian:

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost less than £10 and was immediately registering thousands of connections every second.

As long as the domain isn’t revoked, the initial strain of WannaCry should begin to fade away. But that’s no substitute for making sure your systems are up to date with all the latest patches.
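From a defender’s side the kill switch has two practical consequences: hosts must actually be able to resolve and reach the domain for the “request comes back” check to succeed, and a lookup of that domain in your DNS logs is a strong sign that a machine on your network ran the malware. The PowerShell below is an added example (not from the original post) that scans DNS query log lines for exact matches against a known-domain list and, more generally, for the kind of “very long nonsensical” hostname the post describes, using label length and Shannon entropy. The real kill-switch domain is not reproduced here; `$KnownDomains` holds a labelled placeholder for you to replace from public reporting, the log line format and sample lines are constructed for the example, and the length and entropy thresholds are tuning assumptions.

```powershell
# Added example: flag DNS lookups of long, random-looking hostnames in query logs.
# Assumptions: constructed log format "<timestamp> <client-ip> QUERY <fqdn>";
# $KnownDomains is a placeholder list; thresholds are tuning assumptions.

$KnownDomains = @('KILL-SWITCH-DOMAIN-PLACEHOLDER.example')   # placeholder, not the real domain

function Get-ShannonEntropy {
    # Bits of entropy per character; dictionary-like labels score low, random strings high.
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

function Find-SuspiciousDnsQueries {
    param(
        [string[]]$LogLines,
        [int]$MinLabelLength = 20,   # assumption: ordinary hostnames are shorter than this
        [double]$MinEntropy  = 3.5   # assumption: real words rarely exceed this
    )
    foreach ($line in $LogLines) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 4 -or $parts[2] -ne 'QUERY') { continue }
        $fqdn    = $parts[3].TrimEnd('.').ToLowerInvariant()
        $label   = ($fqdn -split '\.')[0]              # leftmost label is where the noise lives
        $entropy = Get-ShannonEntropy -Text $label
        $known   = $KnownDomains -contains $fqdn
        $heuristic = ($label.Length -ge $MinLabelLength -and $entropy -ge $MinEntropy)
        if (-not ($known -or $heuristic)) { continue }
        $reason = if ($known) { 'known kill-switch domain' } else { 'long high-entropy label' }
        [pscustomobject]@{
            Time    = $parts[0]
            Client  = $parts[1]
            Domain  = $fqdn
            Entropy = $entropy
            Reason  = $reason
        }
    }
}

# Constructed sample log lines (not real traffic; the third hostname is made up).
$sampleLog = @(
    '2017-05-12T10:01:03Z 10.0.4.17 QUERY www.example.com.',
    '2017-05-12T10:01:09Z 10.0.4.17 QUERY update.example.net.',
    '2017-05-12T10:01:11Z 10.0.4.22 QUERY xq8zt3pwvlmkd0hr7bys1njfc4gue9a.example.'
)

# Only the third line is returned: a 31-character label with entropy near 4.95 bits.
Find-SuspiciousDnsQueries -LogLines $sampleLog | Format-Table -AutoSize
```

The heuristic will also catch legitimate content-delivery and telemetry hostnames with long random labels, so treat a hit as a prompt to look at the client rather than as proof of infection; the exact-match list is the reliable signal once the real domain is filled in. Note the other edge: if your egress filtering or proxy blocks the lookup, the malware’s request never “comes back”, the kill switch does not fire on that host, and you are back to relying on patching.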

Phew…so is it over?

The biggest fear over the weekend was that as many returned to work and turned on their machines, a whole new raft of infections would occur. Thankfully, new cases have slowed significantly, and many of the affected have been working to clear the threat since it first emerged.

The NHS was one of the more high-profile casualties, and while the majority of affected trusts have had the issue resolved, there are still seven suffering the effects going into the new work week.

The warnings are that there will probably be another attempt at an attack, likely based on similar old exploits, so again – if you weren’t hit by this – get patching, or speak to your Microsoft Partner or Security Partner for help.

Rob Quickenden, Chief Strategy Officer at Cisilion

Need help and want to protect yourself from the next attack? Come speak to one of our Security experts to find out more.