Appropriately named, the WannaCry (also known as WCry, WannaCrypt, WanaCrypt0r and Wana DeCrypt0r) attack is a type of ransomware that behaves like a worm, spreading automatically on the network by taking advantage of a weakness in the Windows Server Message Block (SMB) service v1 (a legacy network protocol allowing Windows computers to share files and printers across the local area network), making this a dangerous network threat. Ransomware, specifically, is a type of malicious software that blocks access to a computer system and/or files. The catch is that the system "may" be released if a sum of money (the ransom) is paid to the hackers.
If a computer and/or server is victim to this attack, files become encrypted with 128-bit AES encryption and file extensions are changed to .wnry, .wcry, .wncry and .wncrypt. The software then displays a message similar to the one below demanding a $300 ransom in the form of bitcoin payment. Infections typically begin with an infected email attachment or infected website, after which the worm spreads across the LAN on its own. Outdated versions of Microsoft operating systems were especially vulnerable, such as Windows Server 2003 and Windows XP, because of their reliance on SMBv1. Because the WannaCry DLL is loaded through a cryptographic loading method, it is never directly exposed on the disk and, typically, is not detectable by traditional antivirus software.
What can I do?
With your focus on the day-to-day operation of your business, we want to help support your network so that you can continue to work with confidence. Attacks like this will certainly continue, with variations popping up. There are a few key areas outlined below that can help prevent ransomware infections and can minimize the depth of impact should an infection occur.
Microsoft previously released a security update in March (Security Bulletin MS17-010) that addresses the key vulnerability being exploited by these attacks. For computers and servers that are covered under Lanspeed managed services, these patches were on our whitelist (a.k.a. they had been approved). We are reviewing patch logs to ensure that the referenced patches have been deployed. If they have yet to be deployed to specific computers and servers, we are working to address those machines directly.
Although older operating systems, such as Windows Server 2003 SP2, Windows XP SP3 and Windows 8, are no longer supported by Microsoft, Microsoft has released out-of-support security patches to address WannaCry. These patches have been made available for direct download:
- Windows Server 2003 SP2 x64
- Windows Server 2003 SP2 x86
- Windows XP SP2 x64
- Windows XP SP3 x86
- Windows XP Embedded SP3 x86
- Windows 8 x86
- Windows 8 x64
Within the Network Health Review process, we strongly recommend running current versions of Windows operating systems, such as Windows 10, Windows 8.1, Server 2012 R2 and Windows Server 2016.
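A quick way to verify the two conditions this section describes on a given host, the MS17-010 patch being present and the SMBv1 service being enabled, is the following audit script. It is an added example, not a Lanspeed tool or script from the original post; the KB numbers it checks are the ones I know deliver MS17-010 for each Windows branch and should be verified against the bulletin for the exact build being audited.

```powershell
# Added example (not Lanspeed's tooling): audit one Windows host for a missing
# MS17-010 patch and an enabled SMBv1 server. Run in an elevated PowerShell
# session. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and
# later; older hosts fall back to the LanmanServer registry value.

# KB numbers that deliver MS17-010 per OS branch (assumption: verify against
# the bulletin). A host carrying a later cumulative update that supersedes
# these will not list them, so treat "not found" as "check further".
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Server 2003, Windows 8
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{
        Patched    = ($found.Count -gt 0)
        MatchedKBs = ($found -join ', ')
    }
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Legacy fallback: SMB1 is on unless this DWORD is explicitly set to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

$patch = Test-Ms17010Installed
$smb1  = Test-Smb1Enabled

"$env:COMPUTERNAME : MS17-010 installed = $($patch.Patched) ($($patch.MatchedKBs))"
"$env:COMPUTERNAME : SMBv1 enabled      = $smb1"

if ($smb1 -and -not $patch.Patched) {
    Write-Warning 'Host is exposed to WannaCry-style SMBv1 propagation: apply MS17-010 and disable SMBv1.'
}
```

Hosts that report SMBv1 enabled and no matching KB are the ones to prioritize for patching; on supported systems SMBv1 can then be turned off with Set-SmbServerConfiguration -EnableSMB1Protocol $false once no legacy device still depends on it.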
Business Continuity & Backups
The most critical area of network protection from a ransomware attack is business continuity. Quality backup solutions no longer just back up critical data files. Backups should allow for continuity of operations when a disaster strikes. If your systems and/or data are held hostage, your entire business may be at risk.
The number one solution we've used to recover client data from ransomware attacks is business continuity services built upon Datto solutions. Datto solutions are monitored and maintained by our Centralized Services team to proactively ensure that backups are operating as expected. It is important to keep backup services up-to-date and under an active hardware warranty. Solutions are becoming more sophisticated than ever and can even detect if data within the backup was infected with ransomware. Most of our managed service customers have a Datto solution implemented for at least one area of their network.
Security prevention has evolved far beyond the use of traditional antivirus scanning. Security solutions, such as those from Sophos, are evolving to communicate across product lines. For example, if the firewall can communicate with the endpoint on the workstation, and the workstation is compromised, the firewall can isolate the workstation from the rest of the network. With certain solutions in place, the ransomware infection can even be detected, blocked from spreading on the machine and the network and the source of the infection can be identified.
Ransomware will continue to be a threat into the foreseeable future. One of the most important, yet overlooked, areas of risk mitigation is in employee training. Most attempts to hijack a computer start with baiting the user with what looks to be legitimate information from a credible source. Slowing down to follow a few key best practices can greatly reduce the likelihood of an infection.
Ninjio is a company that offers a unique method of employee awareness training. They produce educational short videos that grab your attention with emotional tension. Below is a sample video from Ninjio addressing the topic of ransomware that demonstrates their unique approach.
For additional information regarding ransomware and the WannaCry outbreak, here are some additional resources:
- Lanspeed Blog: How to protect your company from ransomware
- Lanspeed Blog: What are ransomware attacks and why are they so successful?
- NPR Article: WannaCry Ransomware: What we know Monday?
- Sophos guidance on WannaCry ransomware
- US-CERT Alert: Indicators Associated with WannaCry Ransomware