IT security news doesn't always reach the headlines, but this weekend one piece of malware made it to the top. Meet WannaCry, the ransomware that made many people around the world wanna cry, and learn how not to become one of them.
On Friday, May 12, early reports from security researchers about a new online threat started emerging. For people in the IT security industry, it looked like just another ransomware infection. But it became headline news in less than 24 hours, as this malware infected hundreds of thousands of computers worldwide and disabled medical facilities, telecommunication providers and factories, severely disrupting even the UK's National Health Service.
The cyber-attack that leveled-up
Earlier versions of the now infamous WanaCrypt0r 2.0 (aka WannaCrypt or WannaCry) had been spotted by security companies back in February, but those could not spread on their own. The version that broke out on May 12 added a worm component built on an exploit named EternalBlue, which targets a vulnerability in the Windows SMBv1 (Server Message Block) service, CVE-2017-0144. Using it, an attacker can execute code on an unpatched machine over TCP port 445 without any credentials or user interaction, install the malware, and let it encrypt the files on that computer and demand a ransom of $300 in Bitcoin (doubling after three days). To make matters worse, after infecting a single computer this digital pest spreads automatically, scanning the local network and random Internet addresses for other Windows computers that expose SMB and have not been patched, and infecting them in turn.
Because the vulnerability was already known to Microsoft, it had been fixed on March 14, 2017, when Security Bulletin MS17-010 shipped along with the other critical updates for that month's Patch Tuesday. Users who keep Windows Update enabled, or who patch through WSUS or a tool such as GFI LanGuard, had already closed the gap. Unfortunately, many others hadn't, and the machines that fell over the weekend were the ones still missing that two-month-old update.
Cue global malware infestation in 3,2,1
Two days later, the number of infected computers had reached over 250,000, and interactive maps of the infection showed that practically no country in the world had been spared. Besides the aforementioned NHS, which had to cancel surgeries and regular health check-ups, other major infrastructure systems were partly affected, such as Deutsche Bahn's arrival and departure announcement systems and ticket machines at some railway stations in Germany.
Announcement system of German Railways on a station in Chemnitz, hit by WannaCry
Large manufacturers reported that operations in several countries were affected simultaneously, such as Renault-Nissan, which had to halt production in factories in France, Slovenia, Romania, India and the UK. Although official statements claim crucial infrastructure in Russia was not endangered, independent reports show that the large mobile operator Megafon and the Interior Ministry were hit by WannaCry and suffered major outages on their Windows-based infrastructure.
A particular pain point is legacy systems, such as those still running Windows XP or Server 2003, which never received the March fix because support for XP ended back in April 2014 (and for Server 2003 in July 2015). Due to the massive scale of the infection, Microsoft made an exception and released patches for these unsupported versions during the weekend, as part of its customer guidance on the WannaCrypt attacks. Note, however, that an unpatched Windows 7 or Server 2008 R2 machine is exposed in exactly the same way; the exploit works against any Windows version that has SMBv1 enabled and is missing MS17-010, and telemetry published by antivirus vendors after the outbreak showed that most infected hosts were in fact running Windows 7. A supported system is only as safe as its last update.
How to protect and what to do if you get infected?
The first thing to do is to close the EternalBlue hole immediately by installing the update from Microsoft Security Bulletin MS17-010 on every computer in your remit, whether home PCs, office workstations, laptops or servers, on every Windows version, and in particular on older ones such as XP, Vista or Server 2003, which need the separate out-of-band package Microsoft released over the weekend. Where the update cannot be applied right away, disable the SMBv1 protocol, which is what the exploit targets (Microsoft itself recommends switching it off): a machine that does not speak SMBv1 cannot be infected this way, although it also loses the ability to talk to very old devices that depend on it. This prevents the ransomware from making camp on your infrastructure in the first place. Besides patching, make sure your anti-virus and anti-malware tools are up to date and operational. Signatures for WannaCry have been available since the outbreak started, so an up-to-date engine can recognize and terminate the payload, but a signature-based tool will not necessarily catch the next variant in time, so treat it as a second line of defence rather than a substitute for the patch.
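The two checks above, as an added example that is not part of the original post or of any GFI product: a PowerShell snippet that looks for the MS17-010 update on the local host and turns off the SMBv1 server. The KB numbers are the ones listed in the bulletin for each Windows version; they are an assumption you should confirm for your own builds, because later cumulative updates supersede them and a machine patched after March 2017 may not show any of them even though it is fixed. Windows XP and Server 2003 ship without PowerShell, so the out-of-band package for them has to be installed by hand.

```powershell
# Added example (not from the original post or GFI): verify that MS17-010 is present on
# this host and switch off the SMBv1 server that EternalBlue targets.
# Run in an elevated PowerShell session.

# KB numbers for MS17-010 by Windows version, as listed in the bulletin. Assumption to
# check against the bulletin for your builds: later cumulative updates supersede these,
# so Get-HotFix may not list them on a machine patched after March 2017.
$Ms17010Kbs = @(
    'KB4012598',                            # Vista, Server 2008, Windows 8 and the May 2017 XP/2003 package
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    # Reports whether any known MS17-010 package is installed and whether SMBv1 is still on.
    param([string[]]$KnownKbs = $Ms17010Kbs)

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KnownKbs | Where-Object { $installed -contains $_ })

    # The SMB server cmdlets only exist on Windows 8 / Server 2012 and later.
    $smb1 = 'unknown (pre-Windows 8: check the LanmanServer\Parameters\SMB1 registry value)'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ms17010Found = ($found.Count -gt 0)
        MatchingKbs  = ($found -join ', ')
        Smb1Enabled  = $smb1
    }
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: takes effect immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry switch documented by Microsoft in KB2696547;
        # the SMBv1 server is off after the next restart.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

Test-Ms17010 | Format-List
Disable-Smb1Server
```

To run the check across a domain, wrap `Test-Ms17010` in `Invoke-Command -ComputerName` against your host list; a result of `Ms17010Found = False` with `Smb1Enabled = True` is the combination to chase first. Disabling SMBv1 is safe for almost every Windows-only network, but inventory anything that still needs it (old NAS boxes, printers, scanners) before rolling the change out fleet-wide.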
Using a specialized software that combines centralized patch management and endpoint anti-virus protection would make this task much easier and faster. We would warmly recommend our very own GFI OneGuard, but since stopping this WannaCry pandemic is a really pressing matter, even backbreaking manual updating on individual computers would be better than not addressing the issue at all. If you want to act fast, you can install a fully functional 30-day trial of GFI OneGuard now and quickly patch and protect all Windows computers in your network.
If you're not that lucky and WannaCry has already nested in your local network, you can limit the damage by slowing its propagation while you patch. The worm spreads only over SMB, so firewall rules that block inbound TCP port 445 (and the legacy NetBIOS ports 137-139) on hosts that do not need to serve files stop an infected machine from reaching its neighbours, and blocking port 445 at the Internet perimeter keeps new infections from coming in from outside. Any host you find scanning port 445 is the one doing the spreading; pull it off the network at once. Network monitoring and protection software such as Kerio Control or GFI WebMonitor can speed this up with rules that block malicious traffic inside the local network.
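The containment step above, as an added example that is not part of the original post or of any GFI product: a PowerShell snippet that installs emergency block rules for SMB in the built-in Windows Firewall, turns on logging of dropped packets, and parses that log to rank the source addresses hammering port 445, which in a WannaCry outbreak are the infected machines. The firewall log lines embedded at the bottom are constructed for the demonstration, not a real capture, and the cmdlets require Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example (not from the original post or GFI): emergency SMB containment with the
# Windows Firewall, plus a parser that picks the scanning (infected) hosts out of the
# firewall's drop log. Needs Windows 8 / Server 2012 or later and an elevated session.

$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Enable-SmbContainment {
    # Workstations have no business serving SMB: drop every inbound connection to the
    # ports the worm uses. Outbound SMB (to domain controllers, file servers) is unaffected.
    # On a file server, scope the rule with -RemoteAddress to the ranges that must be kept out.
    New-NetFirewallRule -DisplayName 'WannaCry containment: block inbound SMB (TCP)' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 139,445 -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'WannaCry containment: block inbound NetBIOS (UDP)' `
        -Direction Inbound -Action Block -Protocol UDP -LocalPort 137,138 -Profile Any | Out-Null

    # Log dropped packets so the sources probing port 445 become visible.
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767
}

function Get-Port445Scanners {
    # Parses Windows Firewall log lines and returns source IPs ranked by the number of
    # dropped inbound connections to TCP/445. A LAN host that trips the threshold is
    # almost certainly infected and should be isolated first.
    param(
        [string[]]$LogLines,
        [int]$Threshold = 5
    )
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            # Field order from the log header:
            # date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...
            $f = $_ -split '\s+'
            if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[7] -eq '445') {
                $f[4]
            }
        } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

# Constructed sample log (not a real capture): one host sweeping a /24 for port 445 is
# the pattern the worm leaves behind; the other lines are ordinary noise.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-13 09:41:02 DROP TCP 10.0.1.55 10.0.1.20 49170 445 52 S 1234 0 8192 - - - RECEIVE
2017-05-13 09:41:02 DROP TCP 10.0.1.55 10.0.1.21 49171 445 52 S 1235 0 8192 - - - RECEIVE
2017-05-13 09:41:02 DROP TCP 10.0.1.55 10.0.1.22 49172 445 52 S 1236 0 8192 - - - RECEIVE
2017-05-13 09:41:03 DROP TCP 10.0.1.55 10.0.1.23 49173 445 52 S 1237 0 8192 - - - RECEIVE
2017-05-13 09:41:03 DROP TCP 10.0.1.55 10.0.1.24 49174 445 52 S 1238 0 8192 - - - RECEIVE
2017-05-13 09:41:03 DROP TCP 10.0.1.55 10.0.1.25 49175 445 52 S 1239 0 8192 - - - RECEIVE
2017-05-13 09:41:04 DROP UDP 10.0.1.7 10.0.1.255 137 137 78 - - - - - - - RECEIVE
2017-05-13 09:41:05 ALLOW TCP 10.0.1.20 10.0.1.5 49200 443 52 S 2000 0 8192 - - - SEND
2017-05-13 09:41:06 DROP TCP 10.0.1.20 10.0.1.9 49201 445 52 S 2001 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Enable-SmbContainment
# On the sample this returns a single row: SourceIp 10.0.1.55, Count 6.
Get-Port445Scanners -LogLines $SampleLog -Threshold 5
# Against the live log on a host that has had the rules for a while:
Get-Port445Scanners -LogLines (Get-Content $LogPath) -Threshold 20
```

The single 10.0.1.20 drop in the sample is what a legitimate but misdirected connection looks like; the threshold exists so that one-off noise does not put a clean workstation on the isolation list. Remove the two containment rules with `Remove-NetFirewallRule -DisplayName 'WannaCry containment*'` once every host has MS17-010, or keep them on workstations permanently, since a client rarely needs to accept SMB at all.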
As with most ransomware infections, the usual initial attack vector is email: employees in finance or other departments open Word or PDF documents marked as urgent invoices and unleash the infection on their local network. WannaCry is unusual here. Researchers did not find a phishing campaign behind it, and the available evidence points to the worm entering networks directly through machines that exposed SMB (port 445) to the Internet, which makes patching and perimeter filtering the decisive controls for this outbreak. The next one may well arrive as an attachment, though, and a good email protection and management solution equipped with anti-spam and anti-virus engines, such as GFI MailEssentials or Kerio Connect, keeps such files from reaching employee inboxes in the first place.
In the aftermath
Although this particular threat was reduced significantly once a researcher registered the kill-switch domain the worm checks before spreading, variants without that check have already appeared, and WannaCry may come back in other shapes and forms, more sinister and faster ones. So companies around the world should not wait for another global malware outbreak to make sure their systems are patched in time and protected from ransomware and the other threats out there. Educating users not to open suspicious attachments, install unauthorized applications or visit shady websites is also an important way to keep WannaCry and its successors from infecting your systems. And if that fails, you will always have the tools listed above, which keep users from doing those things in the first place.