WannaCry (or WannaCrypt) is a new piece of malware that hit over 200,000 computers in over 150 countries late last week (May 12, 2017). This malware encrypts files on the infected machine, making them inaccessible. What makes this a significant cause for concern is that it was the first time ransomware on this scale had the ability to spread automatically across a computer network to other vulnerable computers, with no user action on the receiving machines. That means an entire network could become infected as a result of a single user action, such as opening a malicious email attachment, on one machine.
Fortunately, a temporary solution was identified to halt the spread of the malware: registering a specific domain that the malware tried to connect to before spreading (often called its "kill switch"). However, new versions have since been released by the malware authors which ignore this domain, so the kill switch should not be relied on.
For those who have infected machines, the malware requests a payment of at least $300 worth of bitcoin in return for a decryption key to recover their files. However, there is no guarantee that paying will recover the files, or that the attackers won't retain remote access to the infected computer. Instead, it is recommended that the computer be wiped and reinstalled, and the data restored from a backup taken before the infection.
Where it came from
WannaCry spreads using an exploit for a Windows SMB security flaw that was discovered by the USA's National Security Agency (NSA). The exploit was later stolen and released to the public by a hacking group calling itself the Shadow Brokers. At this point it appears that a second, unrelated group used the leaked exploit to create WannaCry.
Microsoft has publicly criticized (reference 4) the chain of events that led to WannaCry, seeing it as the result of a larger problem. Several governments around the world are suspected of holding stockpiles of security vulnerabilities for their own use instead of notifying the affected software vendors. Had this flaw been reported to Microsoft in a timely manner, the current outbreak might well have been avoided.
How to Protect Yourself
The most important method of protecting yourself is to apply Microsoft patches in a timely manner. Fortunately, a patch for the flaw (MS17-010) was released in March 2017 and should already have been applied automatically to currently supported versions of Windows. However, Windows XP and Windows Server 2003, which are no longer officially supported by Microsoft, were only issued emergency patches after the outbreak began (May 12, 2017). These emergency patches can be downloaded from the Microsoft website (see reference 1).
Most major antivirus vendors have also released emergency signature updates that detect the WannaCry malware, and several network security monitoring products have released their own updates to detect its movement across the network.
As a third layer of security, disable the old file sharing protocol called SMB v1 (see reference 5). While this outbreak primarily hit older, unpatched versions of Windows, the legacy code in SMB v1 remains a likely target for future attacks. Newer versions of the SMB protocol (versions 2 and 3) are supported on all current Windows systems, so disabling SMB v1 should not cause significant disruption to your operations. Ask your experienced IT support team to identify older legacy systems that still depend on SMB v1 (older multifunction printers and NAS devices are common examples), and start planning to mitigate their risk.
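As an added example of that third layer, the following PowerShell script (written for this article; it is not code from the original post, from Microsoft, or from the references) inventories SMB v1 on a host, turns on auditing so the legacy clients that still speak SMB v1 can be found before anything is switched off, and then disables and removes the protocol. It assumes Windows 8.1 / Server 2012 R2 or later with an elevated session; the audit switch and the SMBServer/Audit event log exist only on Windows 10 / Server 2016 (build 14393) and later, and the "Client Address:" text matched in the audit events and the host names in $hosts are assumptions you should adjust to your environment.

```powershell
# Added example (not from the original post or any vendor tool): inventory, audit, then
# disable SMB v1. Assumes Windows 8.1 / Server 2012 R2+ (SmbShare module) and an elevated
# session. -AuditSmb1Access and the SMBServer/Audit log need Windows 10 / Server 2016+.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Server side: is the SMB1 listener enabled in the LanmanServer service?
    $srv = Get-SmbServerConfiguration
    # Client side: the legacy SMB1 redirector runs as the mrxsmb10 driver service
    $cli = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1ServerOn   = [bool]$srv.EnableSMB1Protocol
        Smb1ClientOn   = ($null -ne $cli -and $cli.Status -eq 'Running')
        AuditOn        = [bool]$srv.AuditSmb1Access
        AuditSupported = [Environment]::OSVersion.Version.Build -ge 14393
    }
}

function Enable-Smb1Audit {
    # Step 1: before disabling anything, log every SMB1 session so legacy clients show up.
    # Each SMB1 connection is then written as event 3000 to Microsoft-Windows-SMBServer/Audit.
    if (-not (Get-Smb1Status).AuditSupported) {
        throw 'SMB1 access auditing needs Windows 10 / Server 2016 or later'
    }
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1ClientAddress {
    # Step 2: after a few days of auditing, list the addresses that still negotiated SMB1.
    # Assumption: the event text carries a 'Client Address:' line; adjust the regex if your
    # build formats the message differently.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
    } -ErrorAction SilentlyContinue
    $events |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique
}

function Disable-Smb1 {
    # Step 3: switch the protocol off and remove the component so an update cannot
    # re-enable it. Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        # Windows 8 / Server 2012 onwards. On Windows 7 / 2008 R2 set the DWORD
        # HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 to 0 instead.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1 component')) {
        # ProductType 1 = workstation; 2 and 3 are server SKUs
        $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
        if ($isServer) {
            Remove-WindowsFeature -Name FS-SMB1 | Out-Null                       # server SKUs
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
                Out-Null                                                        # client SKUs
        }
    }
}

# Usage: inventory a list of hosts over WinRM. $hosts is a placeholder for your own list.
$hosts = @('fileserver01', 'fileserver02')
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-Smb1Status} |
    Format-Table ComputerName, Smb1ServerOn, Smb1ClientOn, AuditOn, AuditSupported

# Then, on each host that still has SMB1 on: Enable-Smb1Audit; wait; Get-Smb1ClientAddress;
# fix or isolate the legacy clients it reports; finally Disable-Smb1 (try -WhatIf first).
```

The order matters: disabling SMB v1 on a file server before the audit step is what breaks the old printers and NAS boxes mentioned above, because they silently fail to connect. The audit log gives you the list of affected systems so each one can be upgraded, replaced, or isolated on its own VLAN before the protocol is removed.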
The final piece of advice is to maintain good security awareness. This includes:
· Scrutinize each email you receive, especially when it contains an attachment or a web link
· Do not install programs unless they come from verified and trusted vendors
· Turn off Wi-Fi when not in use, and avoid public Wi-Fi if possible
· Maintain several offline backups of your data, and test that they can be restored
References
1. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
2. https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/
3. https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
4. https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.001wk56cvrqfecz119v2dvzcw9e7m
5. https://community.tenable.com/thread/11156
Bonus: how to detect SMB v1
- https://redmondmag.com/articles/2017/05/16/insecure-smb-1-from-windows-networks.aspx
- https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/
- https://www.microsoft.com/en-us/download/details.aspx?id=44226
