May 16, 2017
On Friday, May 12, a significant cyberattack hit more than 150 countries; conservative estimates put the number of affected computer systems at around 200,000 devices.
Known in the media as WannaCry, the attack was not complex:
- A phishing attack entices users to click links that lead to websites which run malicious code; the code then sits latent until the execution date
- The payload includes a malware binary with virulent worm capabilities, allowing it to self-propagate
- The worm spreads via the EternalBlue vulnerability in Microsoft Windows (MS17-010)
- The worm in turn launches the WannaCry ransomware, which encrypts both local user files and server-based files accessible via network shares
Ransomware is malicious software which, when run on a vulnerable system, encrypts user data and promises to decrypt it only if a ransom is paid, usually hundreds of dollars. Often, if the user does not pay within a specific timeframe, the ransom increases, and the files are ultimately deleted.
The initial ransom for WannaCry was $300, increasing to $600 after three days, with deletion of all encrypted files after seven days; payment was accepted only in untraceable Bitcoin.
Surprisingly, this was not a targeted attack. The cybercriminal used basic techniques to execute one of the largest attacks in recent history. Such attacks will only increase as malware code becomes more readily available to less skilled criminals.
Much of the damage was due to an unapplied Microsoft patch (MS17-010), released in March 2017, and to the continued use of end-of-life versions of Microsoft Windows such as Windows XP and Vista, which no longer receive security patches (though Microsoft did release patches for them this week).
Many defence-in-depth security technologies could have limited the damage:
- External email gateways using advanced detection techniques
- Web gateways and proxies that block Tor communication and known-malicious websites, both commonly used in cyberattacks
- Advanced endpoint detection and protection solutions that examine endpoint activity far beyond traditional anti-virus
Other areas for immediate improvement:
- Backups
  – Make sure that you back up your important computer files offline; should you face an attack, you will then be able to restore your important information. This applies to both servers and workstations, particularly those of users who travel and work on files locally
  – Ensure that you are using the latest Windows operating system
  – Keep your anti-virus software updated
  – Train users not to click on links or attachments they receive from unknown sources, and to be very careful opening any email that looks unfamiliar even if it appears to come from a reliable source
  – Macro-based Word documents (DOCM) from outside the organization can be extremely dangerous; these should be blocked at the perimeter
  – This also applies to .html, .js, .vbs and .wsh files from external sources, including inside compressed ZIP files
- Web Security
  – Change your web policies to block sites based on reputation, category and, very importantly, application type; the latter is more difficult as traffic is often hidden within HTTPS/SSL-secured traffic streams
- End-user training
  – Businesses need to acknowledge that their users are the weakest link in their security and should strongly consider security awareness training
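As an added illustration of the perimeter blocking recommended above for DOCM and script/HTML attachments (example code written here, not from the original post or any named product), a minimal mail-gateway attachment filter in Python that rejects the listed file types, looks inside ZIP attachments, and refuses archives nested too deeply. The block list, the depth limit and the sample message are constructed assumptions for the demonstration.

```python
import io, zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
# File types the post says to block from external senders: DOCM plus the script/HTML types.
BLOCKED_EXTENSIONS = (".docm", ".html", ".htm", ".js", ".vbs", ".wsh")
MAX_ZIP_DEPTH = 3  # assumed limit: nested archives are unpacked this far, then rejected outright

def _blocked(name):
    return name.lower().endswith(BLOCKED_EXTENSIONS)  # case-insensitive match on the extension

def _scan_zip(data, prefix, depth):
    # Return block reasons for ZIP members, descending into nested ZIPs up to MAX_ZIP_DEPTH.
    if depth > MAX_ZIP_DEPTH:
        return [f"{prefix}: archive nested deeper than {MAX_ZIP_DEPTH} levels"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}: unreadable ZIP"]  # corrupt or disguised archives are not let through
    hits = []
    for member in archive.namelist():
        path = f"{prefix}/{member}"
        if member.lower().endswith(".zip"):
            hits.extend(_scan_zip(archive.read(member), path, depth + 1))
        elif _blocked(member):
            hits.append(f"{path}: blocked file type inside ZIP")
    return hits

def check_message(raw_bytes):
    """Parse a raw RFC 5322 message; return reasons to quarantine it (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        if name.lower().endswith(".zip"):
            reasons.extend(_scan_zip(part.get_payload(decode=True) or b"", name, 1))
        elif _blocked(name):
            reasons.append(f"{name}: blocked file type")
    return reasons

def build_sample():
    """Constructed message (not a real sample): a ZIP hiding invoice.docm plus a bare .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docm", b"constructed placeholder, not a real document")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"// constructed script body", maintype="application", subtype="octet-stream", filename="payload.js")
    return msg.as_bytes()
```

Running `check_message(build_sample())` reports both the DOCM hidden in the ZIP and the bare `.js` attachment; a message with only clean attachments returns an empty list.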
To help you address the risks surrounding both this and similar future attacks, contact firstname.lastname@example.org