More than 200,000 computers in more than 150 countries were crippled by a massive ransomware attack, dubbed WannaCry, and security experts warned that it may get worse before it gets better.
WannaCry is ransomware that exploits a Windows vulnerability and encrypts a victim's files and holds them hostage, demanding the victim pay a ransom for the files to be decrypted. The attackers are asking for $300 in bitcoins, an amount that doubles if the victim doesn't pay within three days.
The devastation began Friday (12th May), when an estimated 57,000 computers were infected. But the fast-moving and apparently random malware continued to spread throughout the weekend, nearly quadrupling the number of infected systems, impacting all verticals including schools, hospitals, public services, auto makers and more.
"It is not clear how the infection started. There are some reports of e-mails that include the malware as attachment seeding infected networks. But at this point, no actual samples have been made public. It is possible that the worm entered a corporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself does have no e-mail component," according to the SANS Technology Institute Internet Storm Center.
According to a SANS Institute presentation, the exploit is known under the name "ETERNALBLUE," and was released in April as part of a leak of NSA tools. The ransomware was successful because it used vulnerabilities within small- and mid-sized businesses (SMB) to spread inside networks. The vulnerability was patched by Microsoft in March for supported Windows versions, the presentation notes.
Encryption for Nefarious Purposes
WannaCry works by encrypting most or all of a victim's files.
"The malware includes an encryption package that automatically downloads itself to infected computers, locking up nearly all of the machine's files and demanding payment of $300 to $600 for a key to unlock them," NBC News reported. "All it takes is for one computer on a network to be infected for all of the computers on that network to be compromised."
While WannaCry's encryption is "virtually unbreakable," according to Tom's Guide, it highlights the importance of knowing what's happening in your network and examining encrypted traffic to ensure it does not contain threats.
How do you protect yourself, your business and your machines from malware like WannaCry? Here are some best practices to ensure you're protected against these types of attacks:
• Download the latest patches. Update your operating system to the latest version and install all patches. Doing so regularly will ensure your machine stays safe from unwanted malware and other vulnerabilities that attackers tend to exploit. To protect against WannaCry, newer Windows Versions can be patched with MS17-010, which Microsoft released in March. Microsoft has now released a patch for older systems.
• Beware of phishing emails. While its uncertain whether WannaCry leverages phishing to gain a foothold on target machines, many ransomware attacks use phishing emails that contain a malicious link or attachment that will infect your machine. Avoid clicking or opening any such attachment.
• Back up your files. Regularly create and keep secure backups of your most important files and data. If your machine becomes infected, you can easily restore your data.
• Use up-to-date antivirus. Ensure you have the most up-to-date version of antivirus software that can thwart the latest types of viruses and worms, such as ransomware attacks.
• Instil a security culture. Introduce and encourage a culture of cyber security diligence in your organisation. Enforcing simple tasks such as locking work stations, securing laptops, using strong passwords and alerting employees about phishing scams and other attacks can help prevent the spread of malware through an organisation or network.
• Have a defence-in-depth strategy. I'd encourage using best-of-breed solutions for robust security and defence against the evolving threat landscape. Having multiple layers of security increases the chances of catching and eradicating malware like WannaCry before it has the opportunity to wreak havoc. A multi-layered defence will also mitigate the risk of any single device being compromised and being rendered ineffective.
• Following these best practices increases your chances of preventing WannaCry from infiltrating your network and your business.