As many are aware, over the weekend a new ransomware attack called "WannaCry" (and various other names) was released and began to spread. This is a particularly virulent attack, and has affected hundreds of thousands of computers. As with other ransomware malware, the software encrypts the user files on the hard drive and holds them for ransom. The attackers promise to send a key to unencrypt the user files providing that the ransom is paid, which is approximately $300 in anonymous, untraceable Bitcoins.
This ransomware is usually introduced into an organization via an unsolicited email with a PDF attachment. When that attachment is opened, the attack begins on that computer. What makes this attack particularly effective is that it uses a previously unknown vulnerability in the Windows SMB protocol to spread throughout the organization automatically to all other computers on the internal network. Eventually, they all become infected, and all files are encrypted. The SMB protocol is what enabled files, folders, and drives to be shared across a network. It's a valuable and widely utilized tool in many organizations.
The story is still unfolding, but there is evidence that researchers were able to activate a "kill switch" intended to stop further distribution. However, the attackers have already released a new variant without the kill switch. More ominously, there are already "copy-cat" versions of the malware starting to appear from other sources. This will continue.
So, that's enough bad news...
There is good news in that Microsoft has already released software patches which can be downloaded and installed to prevent further outbreaks. They even took the unusual step to provide patches to operating systems that are no longer supported, all the way back to Windows XP.
There is also good news the mitigation and defense of such malicious activities. What can be done? Global Knowledge recommends the following steps for basic cybersecurity hygiene:
- All employees should receive some cybersecurity awareness training so they don't click on unknown web links or open suspicious attachments. (This will help prevent the initial infection.)
- All computers and server software should be kept up to date with the latest patches. (Microsoft has released patches.)
- Data should be backed up on a regular basis, and stored offline periodically. (This makes you immune to the ransom threat.)
In the short term, if a computer shows signs of being infected, an educated cyber-security responder should take it off of the network and begin forensic analysis and recovery. Also, on a temporary basis, organizations should decide whether they should disable SMBv1 on the network until patching is complete.
In the long term, this attack will fade as have many before it. However, it remains as a reminder to organizations to be prepared, and have tools and especially education and skills to deal with future attacks.