Ransomware is real. On Friday May 12, 2017, it became even more real when hundreds of thousands of people across the globe became tragically familiar with “WannaCry”. In what has been called the largest and furthest-reaching cyber-attack ever, a strain of ransomware dubbed WannaCry or WannaCrypt ran rampant through approximately 150 countries. The reach of WannaCry is staggering, with manufacturing giants such as Renault and Nissan losing production time to this invasive attack. Telefonica in Spain and FedEx in the US have also reported being impacted by WannaCry. Hospitals running older versions of the Windows operating system that had not been patched recently were hit hard as well. Some experts say the attack may have been built to exploit a weakness in Microsoft systems that had been identified by the NSA and given the name EternalBlue. Organizations that defer or deprioritize distributing Windows updates risk learning the hard way that this practice leaves them vulnerable to exploitation.
How does WannaCry work?
WannaCry is deployed via a worm: a program that spreads by itself between computers. Most other malicious programs rely on phishing, that is, on humans, to spread, tricking a person into clicking on an attachment that triggers the attacking code. Since WannaCry is a worm, once inside an organization it hunts down vulnerable machines and infects them too. It can propagate by port scanning for Transmission Control Protocol (TCP) port 445, the port on which the Server Message Block (SMB) network communications protocol takes place.
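Because the worm propagates by probing TCP port 445 across many hosts, one internal machine suddenly reaching many distinct peers on that port is a strong detection signal. The following is an added example (not code from the original post) that applies that check to constructed firewall log lines; the log format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the original page). Assumed format:
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.21 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445 action=deny
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.23 dport=445 action=deny
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.24 dport=445 action=deny
2017-05-12T10:00:04 src=10.0.0.5 dst=10.0.0.25 dport=445 action=deny
2017-05-12T10:00:05 src=10.0.0.7 dst=10.0.0.30 dport=445 action=allow
2017-05-12T10:00:06 src=10.0.0.7 dst=10.0.0.31 dport=443 action=allow
2017-05-12T10:05:00 src=10.0.0.9 dst=10.0.0.40 dport=445 action=allow
2017-05-12T10:30:00 src=10.0.0.9 dst=10.0.0.41 dport=445 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_lines(text):
    """Yield (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_smb_scanners(text, window=timedelta(minutes=1), min_targets=5):
    """Return {src: max distinct targets} for sources that contacted at least
    min_targets distinct hosts on TCP 445 within any sliding window of `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_lines(text):
        if dport == 445:                      # only SMB traffic is of interest here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                         # chronological order for the sliding window
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm scanning from {src}: {n} distinct targets on 445/tcp")
```

Normal file-server traffic (one or two peers, spread over time, as with 10.0.0.7 and 10.0.0.9 in the sample) stays below the threshold, while the burst from 10.0.0.5 is reported.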
Once files are encrypted, an end user is informed to pay a ransom to unlock their files. Because of the way in which WannaCry has been designed, only a manual human operator can activate decryption. Simply put, even if the ransom is paid, it is highly unlikely decryption will take place.
How was WannaCry mitigated?
Although the breadth of this attack was the largest ever experienced, it certainly could have been much worse. The scope of this attack was limited when a British-based researcher who goes by the name @MalwareTechBlog on Twitter discovered that the ransomware was attempting to contact a specific IP address. His response was to purchase and register this IP address. @MalwareTechBlog explains why his intervention stopped the spread of WannaCry: “this code is attempting to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits. The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.”
[Figure: Distribution of the WannaCry attack across the world. Map courtesy of Malwaretech.com]
The Silver Lining
WannaCry can be cleaned from an infected computer. This involves downloading specific removal programs to clean the infection. However, cleaning will not decrypt files already encrypted by the ransomware.
So what can you do to protect yourself from such an attack? First, make sure you are applying the latest Microsoft updates to your computer systems. If your systems require validation of the updates, prioritize that testing process so the updates can be applied in a timely manner.
Second, evaluate your data and prioritize its value to your organization. Implement a process to protect your data through regular backups. The interval of these backups should vary depending on the criticality of the data. In the case of worm-based ransomware, a strategy that includes an air-gapped backup copy may be best suited for complete protection.
Finally, test your backup strategy and ensure that the data you have backed up can be restored. Your backups should encompass not only data but also the system state of the machines. Develop a game plan that details the restore process and rehearse it repeatedly. If a catastrophic event does hit, you will be prepared.
If your business has been subject to ransomware, or, better yet, you want to avoid this fiasco altogether, Sanity Solutions is here to guide clients through system assessments and the appropriate action plans to secure your data.