It has been a week since we saw one of the biggest ransomware attacks, which hit over 150 countries globally and encrypted over 200,000 computers. WanaCrypt0r 2.0 (also known as WannaCry, Wcry, or Wanna Decryptor) is the malicious virus that rapidly infected business systems, causing extreme amounts of downtime, and started taking over users’ files last week, demanding £230 ($300) to restore access.

WannaCry exploits a vulnerability in Microsoft Windows, which was fixed in a patch Microsoft released in March. However, most people do not install patches on their PCs straight away, leaving them vulnerable for longer and making it easier for viruses and other malicious software to get in.

With a good backup of your data it is possible to recover from the ransomware, but prevention in this case is a much better form of defence.

What is Ransomware?

Ransomware is malicious software designed to block access to your data or computer system until a certain amount of money is paid. Simple ransomware may lock systems in a way that can be reversed, but more advanced versions encrypt your files, making them unavailable until the ransom is paid, with no guarantee that your data will ever be recovered.

Ransomware is a denial-of-access attack that keeps users from getting to their files, since it is next to impossible to decrypt the files without the decryption key. Ransomware attacks are ordinarily carried out using a Trojan that is disguised as a genuine document.

NHS Cyber Attack

In Britain, the NHS was worst hit, enduring a devastating cyberattack that put important information and data at risk.

GP surgeries, hospitals and at least 16 health service organisations in England and Scotland were hit by the WannaCry ransomware. They were forced to turn patients away and cancel appointments. Individuals in affected areas were being encouraged to go to hospital or book appointments only in emergencies.

The list of other organisations reportedly hit by WannaCry has steadily lengthened, including companies such as Deutsche Bahn, FedEx, Renault, Nissan, Telefónica, Schenker, and Hitachi.

Kill Switch

A “kill switch” was found unintentionally. It doesn’t prevent the malware from spreading, but it prevents it from activating the code that encrypts your data. Specialists at Check Point recognised another variation of WannaCry that utilised an alternate kill switch: it pings a certain domain and, if the domain is not registered, initiates the ransomware. They promptly registered the domain, keeping the new, mutant malware from activating.

Microsoft

Microsoft has given customer guidance for WannaCrypt attacks.

Microsoft has even released a fix for some old, unsupported versions of Windows, so there’s no reason for operating systems not to be up to date.

Tips to help with ransomware attacks

It will not be hard for someone to make another variation of WannaCry that may infect computers at a similar rate.

You need to make sure you or your IT support team is protecting your data.

Here are a few things that you might want to consider:

  1. Avoid using any old software that is no longer supported by Microsoft (e.g. Windows XP, Server 2003 or older).
  2. Most security issues happen when staff are tricked into doing something that they think is legitimate, which then results in some form of malicious software being run. Brief staff about your acceptable use policy, focusing on the importance of responsible internet usage, checking any URL links before clicking on Google results, and never opening emails from unknown sources or attachments that they did not request.
  3. Ransomware can affect any device on the network, and once a PC is infected it can quickly spread to network shares. It’s best to remove any infected machines, or any machines you think may be infected, from your network straight away.
  4. Although antivirus protection helps protect you, it is better to have multiple layers of protection, such as web and email filtering.
  5. If ransomware does infect the server itself, there is a risk that the ransomware can delete any attached backup media (such as shares, USB disks, etc.). Make sure you have a disaster recovery (DR) plan and offsite copies of your backups.
  6. Should I be implementing stronger security? Perhaps consider using multiple layers of security, such as DNS filtering and upgraded firewalls, in conjunction with traditional antivirus, and improving your current backup solution.