WannaCry Ransomware Outbreak
First seen early on May 12th, the WannaCryptor (WannaCry) ransomware infected thousands of computers across the world. In just 24 hours, the number of reported infections has reached over 185,000 machines in more than 100 countries.
Businesses are particularly vulnerable as it takes just one user to become infected and the issues can quickly spread to the whole network.
The WannaCry ransomware has a worm component that exploits a recently discovered vulnerability affecting a wide range of Windows operating systems, including Server 2008, Server 2008 R2, XP, 7, and 7 SP1.
The creators of WannaCry are demanding a ransom of $300 to $600 in Bitcoin to be paid by May 15, increasing to a higher fee if the deadline is missed. A message left on the screen states that files have been encrypted.
The attacks have caused major disruption to many organisations, particularly within the NHS.
How WannaCry Works
Ransomware is still one of the most common threats for small to large businesses across the world. Traditionally it spreads via malicious e-mail attachments, or browser or third-party exploits. The WannaCry package attacks a vulnerability which is present in most versions of Windows. The process is automated, so no user interaction is needed before the encryption starts. The first a user will know of it is when the pop-up ransom message appears.
This new ransomware behaviour makes it the perfect tool to attack specific environments or infrastructures where servers are not patched to a current level and are running a vulnerable version of the Server Message Block (SMB) protocol.
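Because the worm component spreads over SMB without user interaction, one behavioural signal a defender can monitor is a single host opening SMB connections (TCP port 445) to many different machines in a short time. The script below is an added example, not part of the original article; the flow-log format, the 60-second window, the threshold of five peers and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                   # TCP port used by SMB
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed: distinct SMB peers within the window

# Constructed sample flow records: "timestamp src dst dst_port action"
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.15 10.0.0.2 445 ALLOW
2017-05-12T09:00:05 10.0.0.15 10.0.0.2 445 ALLOW
2017-05-12T09:00:07 10.0.0.23 10.0.0.1 445 ALLOW
2017-05-12T09:00:08 10.0.0.23 10.0.0.2 445 ALLOW
2017-05-12T09:00:08 10.0.0.23 10.0.0.3 445 DENY
2017-05-12T09:00:09 10.0.0.23 10.0.0.4 445 ALLOW
2017-05-12T09:00:10 10.0.0.23 10.0.0.5 445 DENY
2017-05-12T09:00:11 10.0.0.23 10.0.0.6 445 ALLOW
2017-05-12T09:00:12 10.0.0.31 10.0.0.9 443 ALLOW
garbled line
"""

def smb_fanout_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each source host to the time it first reached `threshold`
    distinct SMB destinations inside a sliding `window`.
    Lines must be in time order, as firewall or flow logs normally are."""
    recent = defaultdict(deque)          # src -> deque of (time, dst)
    alerts = {}
    for line in lines:
        try:
            ts, src, dst, port, _action = line.split()
            ts, port = datetime.fromisoformat(ts), int(port)
        except ValueError:
            continue                     # skip blank or malformed records
        if port != SMB_PORT:
            continue
        # Denied attempts count too: a blocked scan is still a scan.
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:  # drop entries older than the window
            seen.popleft()
        if src not in alerts and len({d for _, d in seen}) >= threshold:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for host, when in smb_fanout_alerts(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} {host} reached {THRESHOLD}+ SMB peers in {WINDOW}")
```

A client that repeatedly talks to one file server never trips the check, because only distinct destinations are counted.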
How to Prevent WannaCry Infection
It is surprising how many organisations this malware has infected, given that it exploits a known vulnerability and a patch to fix it has been available since March; good IT security practices would have mitigated infection in this case. Up-to-date patching alone would have protected users against WannaCry, but we would always recommend a multi-layer approach to security with the following actions:
- Firewall – Gateway AV, IPS, Content Management
- Patching – limits exploit opportunities
- Antivirus – reliable product, up to date
- Proactive Malware Defence – deeper malware behaviour monitoring
- User Education – majority of modern attacks rely on user actions
- Remediation – If all else fails, what is the recovery plan?
For more detail see our article from 8th November 2016 on layered security.
For the immediate term, if you have not yet installed the Microsoft fix (MS17-010), you should do so as a matter of urgency. You should also be cautious of all emails you receive, particularly those that ask the recipient to open attached documents or click on web links.
In this case, WannaCry ransomware is relatively simple to protect yourself from but potentially devastating should you be infected by it.
While the prevention of WannaCry is relatively straightforward, threats are constantly evolving and getting more complex, so security should be reviewed regularly and users reminded of good online practices.