On Friday May 12th a dangerous ransomware worm, nicknamed “WannaCry,” spread quickly through the Internet. It exploited a recently discovered vulnerability in Microsoft Windows and, despite the fact that Microsoft had issued patches to protect against it last March, many healthcare institutions, banks, government agencies, schools, and businesses around the world had unpatched systems that were affected.
What To Do Now
Since older operating systems like Windows Server 2003 and Windows XP were particularly vulnerable, Microsoft released patches specifically for those OS versions over the weekend. Here at VertitechIT, our team developed a PowerShell script that scans domain-joined computers to ensure one of the many security patches against “WannaCry” exists on each system (and reports computers that are not patched). If you’d like, we’d be happy to assist your scanning efforts and share our script with you. Although the original ransomware worm was shut down by an independent security researcher, we anticipate copycat worms to follow. Therefore, validating Microsoft patch levels is our foremost concern.
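The scan described above, written out as an added example (this is not VertitechIT’s script). It assumes the ActiveDirectory module (RSAT) is available, that Get-HotFix can reach each host over WMI/DCOM, and that the KB list covers the MS17-010 patches; that list is an assumption to verify against Microsoft’s bulletin before relying on the report.

```powershell
# Report domain-joined Windows computers that lack any MS17-010 ("WannaCry") patch.
[CmdletBinding()]
param(
    # Assumed KB numbers from the MS17-010 bulletin (Win7/2008R2/8.1/2012/2012R2)
    # plus the out-of-band XP/2003/Vista/2008 fix. Verify before use.
    # Caveat: Windows 10 receives cumulative updates that supersede one another,
    # so a missing KB there is not proof of exposure; confirm via Windows Update history.
    [string[]]$Kb = @('KB4012598','KB4012212','KB4012215','KB4012213',
                      'KB4012216','KB4012214','KB4012217'),
    [string]$ReportPath = '.\wannacry-patch-report.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Enabled Windows hosts only; servers and workstations alike.
$computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Windows*' } `
    -Properties OperatingSystem | Select-Object -ExpandProperty Name

$results = foreach ($name in $computers) {
    # Offline machines are reported separately so they are not mistaken for patched ones.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; MatchedKB = '' }
        continue
    }
    try {
        $installed = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
        $hit = @($installed | Where-Object { $Kb -contains $_ })
        $status = if ($hit.Count -gt 0) { 'Patched' } else { 'NOT PATCHED' }
        [pscustomobject]@{ Computer = $name; Status = $status; MatchedKB = ($hit -join ';') }
    } catch {
        # Access denied, firewall, or WMI failure: record it rather than skip the host.
        [pscustomobject]@{ Computer = $name; Status = "Error: $($_.Exception.Message)"; MatchedKB = '' }
    }
}

# Full CSV for the record; anything not confirmed patched is shown on screen.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object Status -ne 'Patched' | Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that has local administrator rights on the targets; the 'Error' rows usually point at hosts where remote WMI is blocked and need a manual check.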
The First Line of Defense is You
It has been suggested that the “WannaCry” worm, and potentially copycats of it, get into an institution through standard malware propagation techniques such as email phishing and infected attachments. Be very suspicious of any email that comes from outside your organization. Opening email attachments or clicking on links in emails is the number one way of bringing an attacker into your environment. Services such as email filtering, email link protection, and virus scanning can help when an attack is already well known, but those technologies are often behind a fast-moving attacker.
Back It Up
Should a ransomware infection occur, backups are the most essential tool for recovery of data. Ransomware encrypts all files that the infected user has access to and then prompts for a ransom to unlock them. Paying the ransom, especially if it is inexpensive, may seem like an easier and faster recovery solution, but there have been many documented cases of the attacker accepting funds and not releasing the key, or releasing the key and simply re-encrypting the data if the firm is still vulnerable. At VertitechIT, we consider files encrypted by ransomware to be the same as deleted data and handle them the way we would any deleted file: by restoring from backup. Since file backups are strategically important to recovering from ransomware, make every effort to ensure your backups are secure, duplicated, and intact.
The Internet is full of information related to “WannaCry” but we’ve found the following to be the most helpful and informative:
- FBI FLASH: Indicators Associated With WannaCry Ransomware
- For overall Cyber Situational Awareness visit the US-CERT National Cyber Awareness System webpage at: https://www.us-cert.gov/ncas
If you’re like the millions of people around the globe waking up this morning wondering if you or your organization might be next, the best we can say is, maybe. But if you’re just as aggressive and diligent, you could help us limit the damage and potentially ward off the next cyber-attack wherever and whenever it might occur.
As always, please don’t hesitate to contact us with any questions or concerns.
Mike Feld, CEO