WannaCry, WanaCrypt, WanaCryptor – 160,000+ infections and climbing
What is it?
WannaCry is a ransomware program. When executed it encrypts important files on the Windows system it is running on and demands a ransom of USD$300, payable in bitcoin, within 3 days. If payment is not received in that time the ransom doubles to USD$600, and after 7 days the authors threaten that the affected files will never be decrypted. A technical description from Microsoft is available here.
Which Systems are vulnerable?
Any machine running Microsoft Windows or Windows Server that has not installed the March 2017 security update and still has SMBv1 enabled. Unpatched systems that expose SMB (TCP 445 or 139) to the Internet, or that sit on the same network as an already infected machine, are at the greatest risk.
Is it over?
No, and it could get worse. The original version of the malware, by accident or design, contained what amounted to a kill switch: before spreading it tried to contact a particular unregistered domain and stopped if the domain answered. Registering that domain (credit to Marcus Hutchins for the discovery) neutralized the immediate threat and contained the spread on many of the systems infected by that version. The kill switch only helps where the infected host can reach that domain directly; machines that can only get out through a proxy still ran the worm. Variants without the kill switch are already being reported, and nothing stops other malware authors from exploiting the same vulnerabilities for themselves.
How does it spread?
The malware can infect any Internet-facing Windows host that runs SMBv1 and accepts connections on TCP port 445 or 139. It uses the leaked tools known as EternalBlue and DOUBLEPULSAR, attributed to the NSA, to exploit vulnerabilities in Microsoft's SMBv1 implementation and to install a kernel-level backdoor. Once inside a network, where SMB ports are normally left open for file and print sharing, it scans for other hosts and exploits them in the same way; files on any network share the infected host can write to are encrypted along with its local files, and the encryptor is launched in every active user session on the host, including remote desktop sessions. The vulnerabilities were publicly known before the attack: Microsoft released the fix on March 14 2017 as security bulletin MS17-010, a month before the tools were leaked. Full details are available in the Microsoft Security Bulletin found here.
At the time of writing there are unconfirmed reports of email trojans, phishing and spear-phishing being used to gain initial network access, with the SMB exploit then taking over for propagation. These are plausible vectors, but they remain unconfirmed; the mechanism that has been verified is direct exploitation of exposed, unpatched SMBv1.
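The following PowerShell script is added here as an example; it is not part of the original article or of Microsoft's guidance. It checks a Windows host for the three conditions the worm needs, SMBv1 enabled, TCP 445/139 listening and the MS17-010 update missing, and can optionally sweep a subnet for other hosts answering on 445. The KB numbers are those published in MS17-010 for each platform; the 192.168.1.0/24 range is a placeholder to replace with your own.

```powershell
# Added example (not from the original article): audit a Windows host for
# WannaCry exposure. Run from an elevated PowerShell prompt; works on
# PowerShell 2.0 (Windows 7) and later.

# 1. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; older systems expose the setting only in the
#    registry, where an absent value means "enabled" (Microsoft KB2696547).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
}

# 2. Are the SMB ports listening? netstat is available on every version.
$smbListening = @(netstat -an | Select-String -Pattern ':(139|445)\s+\S+\s+LISTENING')

# 3. Is the MS17-010 update installed? Security-only and monthly-rollup KBs
#    from the bulletin: XP/Vista/8/2003/2008, 7/2008 R2, 8.1/2012 R2, 2012,
#    Windows 10 1507/1511/1607. Later cumulative updates supersede these, so
#    on a Windows 10 host kept current this check can report "missing" even
#    though the fix is present; treat it as a hint, not proof.
$ms17010 = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
           'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
$patched = @(Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $ms17010 -contains $_.HotFixID })

New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    SMB1Enabled  = $smb1Enabled
    SMBListening = ($smbListening.Count -gt 0)
    MS17010Found = ($patched.Count -gt 0)
    Exposed      = ($smb1Enabled -and ($smbListening.Count -gt 0) -and ($patched.Count -eq 0))
} | Format-List

# 4. Optional: find other hosts on the LAN that answer on TCP 445. A raw
#    TcpClient with a short timeout is much faster than Test-NetConnection,
#    which waits about 20 seconds per silent host.
function Test-Smb445 {
    param([string]$Target, [int]$TimeoutMs = 300)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, 445, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$subnet = '192.168.1'   # placeholder: replace with your own range
1..254 | ForEach-Object { "$subnet.$_" } |
    Where-Object { Test-Smb445 $_ } |
    ForEach-Object { "$_ : TCP 445 open - check SMBv1 state and patch level on this host" }
```

A host that reports Exposed = True is one the worm can take over directly. An open port 445 on a neighbouring machine is not proof it is vulnerable, but it is the list of machines to audit next, starting with anything that also answers from the Internet.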
My systems are infected! Should I pay the ransom?
Unfortunately that decision must be your own. Paying the ransom may get your files back, or it may not: nothing in the scheme reliably ties a bitcoin payment to your particular machine, so decryption depends on the attackers' goodwill. Paying also funds the next attack, so it should be avoided if at all possible. Faced with the loss of critical business data or treasured personal memories, many people will still opt to risk the payment. Whatever you decide, first disconnect the infected machine from the network so it cannot spread further, and preserve a disk image of it so that a decryption tool released later can still be applied. Never use an infected system to carry out any financial transaction.
How do I Protect against it?
Immediately patch or update your systems. Microsoft has even released the fix for systems that no longer receive mainstream updates: Windows XP, Windows 8 and Windows Server 2003. Windows Vista, 7, 8.1, 10, Server 2008 and later were already covered by the March 2017 bulletin. The Microsoft Security Bulletin mentioned previously lists which update applies to which system. If a system cannot be patched immediately, disable SMBv1 on it and block TCP 139 and 445 at the perimeter and between network segments as an interim measure.
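The following PowerShell script is added here as an example of the immediate mitigation on a single host; it is not from the original article or from Microsoft. It installs an MS17-010 package if one is present, disables the SMBv1 server (and the SMBv1 client, which the exploit does not need but which should go at the same time), and blocks inbound SMB on the public firewall profile. The .msu path and the rule name are placeholders.

```powershell
# Added example (not from the original article or Microsoft's guidance):
# mitigate WannaCry exposure on one host. Run from an elevated PowerShell
# prompt; a reboot is required for the SMBv1 change to take effect.

# 1. Apply the MS17-010 package for this build if it has been downloaded
#    from the Microsoft Update Catalog. Placeholder path and file name.
$msu = 'C:\Updates\windows6.1-kb4012212-x64.msu'
if (Test-Path $msu) {
    Start-Process -FilePath wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait
}

# 2. Disable the SMBv1 server. Set-SmbServerConfiguration exists on
#    Windows 8 / Server 2012 and later; Windows 7 / Server 2008 R2 use the
#    registry method from Microsoft KB2696547. EternalBlue targets the
#    server side, so this alone closes the door the worm uses.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
}

# 3. Disable the SMBv1 client as well (same KB). Not needed against this
#    worm, but leaving it on keeps the host talking SMBv1 to others.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 4. Block inbound SMB on the public profile. Do not apply this to the
#    domain profile on file servers or domain controllers: it breaks
#    shares, logons and Group Policy. On workstations that share nothing,
#    profile=any is reasonable.
$ruleName = 'Block inbound SMB (WannaCry)'   # placeholder name
netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
    protocol=TCP localport=139,445 profile=public | Out-Null

# 5. Verify the new state before rebooting.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    "SMBv1 server enabled: " + (Get-SmbServerConfiguration).EnableSMB1Protocol   # expect False
} else {
    "SMB1 registry value: " + (Get-ItemProperty -Path $lanman -Name SMB1).SMB1   # expect 0
}
netsh advfirewall firewall show rule name="$ruleName"

Restart-Computer -Confirm
```

On Windows 8.1, 10 and Server 2012 R2 or later the SMBv1 component can be removed outright with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol (client SKUs) or Remove-WindowsFeature FS-SMB1 (servers), which is preferable to merely switching it off. Before disabling SMBv1 on a server, check for clients that still depend on it, such as old multifunction printers that scan to a share.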
In addition to applying the recommended patches and updates from Microsoft, there are important measures you should implement now to minimize the risk of malware in the future:
- Employ a multi-layered filtering and malware defense system: this begins at the gateway (or even in the cloud) and ends with the user.
- Firewalls and Internet filters are a good first line of defense. Only allow necessary protocols: TCP 139 and 445 should never be reachable from the Internet, and SMB between internal segments should be restricted to the hosts that actually need it, so that one infected machine cannot reach every other.
- Secure Internet Gateways (such as ContentKeeper's SIG) bolster the front line by blocking malicious traffic at the gateway before it reaches endpoints.
- Behavioral analysis can detect and block suspicious behavior. ContentKeeper provides this at the gateway, while many AV vendors provide it at the endpoint.
- Endpoints themselves should be fully patched and run up-to-date, top-tier anti-virus software.
- Users must be educated about the risks of clicking unknown links, plugging in unknown devices and downloading untrusted software, and about social engineering techniques and scams.
- Eliminate anti-virus bottlenecks. According to Kaspersky, WannaCry already has more than 39,400 signatures. Slow AV solutions hurt network performance and productivity even when no malware is present. ContentKeeper's Streaming Malware Defense (SMD) combines BitDefender's and Kaspersky's streaming malware intelligence feeds with our high-speed, bridge-based scanning and malware defense system. This real-time approach eliminates bottlenecks and delays and increases your chances of protection.
- Keep periodic backups of important files:
  - At different intervals: if you back up automatically you may also be backing up encrypted or infected files. Keeping backups of varying age lets you go back to a known-good point in time.
  - On different hardware: distributed arrays such as RAID protect against disk failure, but they are not a defense against ransomware. An encrypted file is mirrored across the array like any other write, so a separate copy is still needed.
  - In different places:
    - Geographically separate backups protect against physical damage from fire, natural disasters and theft.
    - Backups on a different network or on air-gapped storage, such as tape or other disconnected media, cannot be reached by malware like WanaCryptor that propagates over the network and encrypts every share it can write to. A backup on an always-mounted share is just another target.
None of these measures provides a 100% guarantee of safety; you can only be well prepared and minimize the risk. The measures you take will vary with the importance of the data and with the legal or regulatory requirements of your location or industry.
For comprehensive information from the vendor of the affected platform, please read Microsoft's Customer Guidance statement for the attacks. Alternatively, contact us if you want to learn more about our Multi-layered Gateway Security Platform, which prevents malware and other threats proactively.
For more than 20 years, ContentKeeper has delivered comprehensive, accessible web security solutions for global enterprises, educational institutions and government agencies. We enable our customers to protect their networks, users and data from cyber threats while embracing mobile technology, Internet of Things (IoT) and cloud-based services.
About the author: Mark Riley co-founded ContentKeeper Technologies Pty. Ltd. in 1997 and serves as its Chief Technology Officer. Mark is named on a number of Internet content filtering patents. He has more than 26 years' experience in complex network design and software development with multinational organizations throughout Asia, Europe, North America and the UK. Mark's achievements have been recognized internationally by NetOps, Secure Computing Magazine (UK) and a range of media profiles.