On Friday, May 12, the Internet was rocked by a zero-day ransomware attack now known as WannaCry. WannaCry encrypts files on infected computers and then attempts to extort a ransom from its victims. In this case, the demanded payment was for bitcoins valued at $300 initially, with an increase to $1200 US dollars as time went by. The initial infection vector was by way of phishing emails, but an infected system would also attempt to propagate the infection by exploiting unpatched vulnerabilities in the Windows SMB service. The infection appeared first in the UK and Spain, but quickly spread world-wide. We discussed the initial details of the outbreak in “How to protect from WannaCry, the ransomware that infected the World” but in this post, we will dig deeper into what you can do to protect your network from this and the future attacks that will likely leverage some of the same NSA tools, and share some news that those of you who were infected may find welcome.
Things you can do right now
- Get a file backup system set up and running RIGHT NOW. Even if you are only going to use Volume Shadow Copy and an external USB drive, having a backup of critical data is the first step in recovering from any number of disasters, not just from malware. OneDrive for Business, Dropbox, and other cloud based storage systems are another great approach to take.
- Update! Seriously, go, right now, and update everything you have. The biggest vulnerability WannaCry exploited to spread was patched by Microsoft in March with the release of MS17-010 on 2017-03-14. Admins running current systems, who were impacted by the spreading malware exploiting this vulnerability, share in the responsibility for the impact to their systems since a patch was available several weeks before the exploit hit.
Microsoft even took the unprecedented step of releasing patches for end-of-life versions of Windows, including XP and 2003. These two operating systems have been end-of-life for years, but are still widely in use.
- Upgrade! If you are still using end-of-life systems, and there is any way to upgrade to a current version of Windows (or other operating system) you need to do so. Seriously, the vulnerability exploited was patched back in March for every version of the operating systems in either mainstream or extended support. If you were current, you were protected from the spread, though not the initial infection by downloading and executing malware. For that, consider removing admin rights from users, and using web filtering software to block downloads to unknown or potentially malicious files.
- Lockdown and screen anything you cannot update/replace. If you cannot replace them, upgrade them, or shut them down, then you should reduce their connectivity to only the absolute minimum necessary to provide their critical functions. Remove users’ rights to the system, either remove the default gateway or ensure they must go through a proxy with limited permitted access, and then pressure the vendor of whatever application is keeping you on legacy operating systems to provide an update to a supported version of Windows. There are lots of apps out there that businesses need, and which don’t have versions that will run on Windows 10, but those systems probably don’t need Internet access or for regular users (with or without admin rights) to use as their workstation. Firewall them off from anything they don’t have to communicate with as an additional step so they don’t become patient zero on your network.
- Scan your network, and any cloud storage you are using in your business, for files with the extension *CRY to quarantine any infected systems.
- Disable SMB1.0. Seriously, it’s a 30 year old protocol and nothing on your network should require it these days. If something does, this is a great way to smoke that out and get rid of it! Start with “Disable SMB v1 in Managed Environments with Group Policy” and work your way through from there.
Good news for those who were victimized
There is a “bug” in how the WannaCry malware encrypts victims’ files. Adrien Guinet has released a tool that can help you recover your encrypted files. The first tool can recover the private key (or rather the prime numbers used) by WannaCry. You can download that tool from https://github.com/aguinet/wannakey and run it on infected machines, as long as they have not been rebooted since infection. If that tool does recover the primes, you can use one of a pair of tools to try to recover data. A github user who goes by the alias odzhan has released wanafork, downloadable from https://github.com/odzhan/wanafork/, while Benjamin Delpy has released wanadecrypt at https://github.com/gentilkiwi/wanadecrypt. Use of any of these tools is for IT pros, as the instructions are definitely NOT written for end users, and of course they are best effort, nothing guaranteed, but anything is better than nothing, and these stand as good a chance as anything of getting your encrypted files back.
If there are any lessons to learn from this event, the most important ones are
- Legacy support may be necessary, but should never be your long-term strategy
- Patching is good, and the risks of a bad patch are far less than the risks from what can happen if you aren’t patching
- Users still fall for phishing attacks, so user education and mail filtering are both more important than ever
- Backups are critical.
If you are not fully current, take WannaCry as the wakeup call you need to get current as soon as you can. Based on what ShadowBrokers have publicly stated, there are still more tools to release, which means that more malicious attacks are soon to follow. While getting fully current and completely patched may not protect you from everything that could come up, we know that being on out of date operating systems and unpatched computers is just asking for trouble!
Did you, or someone you know, fall victim to WannaCry? If so, please leave a comment and let us know what happened and the extent of the damage. No names or company names are requested…I just want to get a feel for where things stand with our readers. Thanks!