What is WannaCry?
A widespread ransomware campaign that is affecting organizations across the globe. Over 125,000 organizations in over 150 countries have been impacted.
The ransomware strain is also known as WCry or WanaCrypt0r and currently affects Windows machines through an exploit known as EternalBlue, which targets a vulnerability in Microsoft's SMB implementation.
How Does WannaCry work?
Like other forms of ransomware, the malware is commonly spread via phishing emails that prompt users to unknowingly download a file, which then encrypts their data. Victims receive a ransom demand in Bitcoin equivalent to about $300.
WannaCry uses SMB to connect to other machines remotely and copy its malware onto the exploited machine. Once WannaCry has gotten onto a network, it can spread like a worm. If the ransom goes unpaid, it increases after a couple of days, and after a slightly longer period the decryption key is deleted and the data is lost.
There is no telling what is done with the data. It could simply be deleted, it could be sold on the Dark Web, or keylogging programs could be installed on infected machines to gather passwords and other sensitive information.
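The worm-like SMB spread described above leaves a recognisable trace in firewall or flow logs: one internal host opening connections to TCP/445 on many different hosts within a short window. The detector below is an added example, not code from the original post; the log format, the 60-second window and the 10-host threshold are assumptions, and the sample log lines are constructed.

```python
"""Flag hosts that fan out to many distinct SMB (TCP/445) peers in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # assumed sliding-window length
MAX_DISTINCT_DST = 10            # assumed threshold: more distinct peers than this is suspicious


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_fanout(lines, window=WINDOW, threshold=MAX_DISTINCT_DST):
    """Return {src_ip: peak number of distinct TCP/445 destinations seen in any window}
    for every source whose peak exceeds the threshold. Non-SMB traffic is ignored."""
    events = defaultdict(list)                     # src_ip -> [(timestamp, dst_ip), ...]
    for line in lines:
        try:
            ts, src, dst, port = parse_line(line)
        except ValueError:
            continue                               # skip malformed lines
        if port == SMB_PORT:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                # slide the window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            if distinct > threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def _constructed_sample():
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(40):   # worm-like host: one SMB connection per second to 40 different hosts
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.{i + 1} 445")
    for i in range(30):   # ordinary user: repeated SMB connections to a single file server
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.7 10.0.0.9 445")
    lines.append(f"{base.isoformat()} 10.0.0.5 203.0.113.10 80")   # non-SMB traffic, ignored
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for src, peak in find_smb_fanout(SAMPLE_LINES).items():
        print(f"ALERT: {src} reached {peak} distinct hosts on TCP/445 within {WINDOW.seconds}s")
```

Tune the window and threshold to your own environment; a backup server or vulnerability scanner will legitimately touch many hosts on 445 and should be allow-listed rather than alerted on.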
What is the impact of WannaCry?
The consequences for businesses infected with WannaCry ransomware may include:
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to business operations
- Financial losses incurred to restore systems and files
- Potential harm to brand reputation
Is another attack coming?
The initial attack, which occurred on May 12, has slowed thanks to a kill switch discovered by a UK researcher. However, cybersecurity experts warn a second attack is imminent with an updated version of WannaCry.
Who has been affected?
The attack has hit organizations in over 150 countries. Major organizations affected include FedEx, Nissan, telecoms and utility companies in Spain, and 61 NHS organizations in the UK.
What are the recommended steps for prevention?
The US Department of Homeland Security advised the following precautionary measures:
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
- Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network, no less than once a year and ideally as often as is practical.
- Test your backups to ensure they work correctly upon use.
Windows users should ensure their software is up-to-date and install the latest patch from Microsoft. Microsoft has outlined how individuals and businesses can stay protected in a Customer Guidance blog post.
Back up each and every endpoint in the environment. While it is important to update your operating systems, antivirus software, and intrusion protection and prevention procedures, your business is always at risk. So when malware mutates to evade those preventative measures, have a way to restore to a healthy state.
What do I do if WannaCry is on my computer?
We would highly suggest getting in contact with a local IT service provider or your IT department and having them try to restore your machine or SaaS data to an earlier version. Whether a restore is possible using the proper procedures depends entirely on the type of data and where it is stored.
While your IT professionals are working, you should contact law enforcement. The US Department of Homeland Security strongly advises you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
If you are an IT professional, dealing with any ransomware, and use Datto for your client’s data, we are here to help you restore. We are open 24/7/365 and are devoted to making sure you and your clients are back to production.
Who is behind the attack?
Specific instigators have not yet been identified. The National Security Agency (NSA) initially discovered the vulnerability, and that information was stolen by hackers and published online.