Meet WannaCry – the new Ransomware Variant in Town!

It’s been impossible to miss what occurred over the weekend, it was top story on news channels globally, it shut down parts of the NHS and affected major corporations such as Telefonica and FedEx – a global cyber attack on a scale not seen before.

The culprit was a new piece of malware called ‘WannaCry’ (also known as WannaCrypt and Wana Decrypt0r 2.0) – a ransomware variant which exploits vulnerabilities in unpatched versions of Windows (up until Windows 10) and encrypts files, holding them ransom for payment via bitcoin.

WannaCry is unprecedented in scale, with over 230,000 devices in over 99 countries affected. However, there are a number of actions organisations can take to stop the attack affecting their IT systems.

How WannaCry Works

The ransomware uses an exploit called EternalBlue – which was actually developed by the U.S’s National Security Agency (NSA) and leaked onto the internet by a hacking group in April. The malware exploits vulnerabilities in a protocol called Server Message Block (SMB) on Windows machines up until Windows 10.

The malware appears to have been spread via open firewall rules, or as an attachment in a phishing email – usually labelled as ‘invoice’ or something similar to entice the user to open it – and appearing to be from a reputable company or person in your organisation. Once the file downloads, it begins to utilise the flaws in the unpatched software to encrypt files on the machine. What makes this variant particularly nasty is that the malware acts like a worm, and spreads to other vulnerable machines on the same Local Area Network (LAN). This is why we have seen NHS trusts and other organisations shutting down their systems even if they aren’t yet affected.

Microsoft actually released a patch to rectify the vulnerability in March (security update MS17-010), however many users had still not installed this patch, or were running end-of-support software such as Windows XP. This is why the attack has been so widespread.

How to Protect Your Organisation Against WannaCry

Patch immediately! Microsoft have actually taken the unusual step of releasing a security update for versions of Windows which are end-of-support, such as Windows XP, Windows 8 and Windows Server 2003. Ensure that your systems are upgraded to the latest versions, and implement a patch management solution going forward.

Ensure you have updated endpoint security. Whatever vendor you use, ensure it is deployed correctly on all your devices and ensure it regularly receives the latest malware signature updates.

Block SMB on the firewall, and disable SMBv1. WannaCry uses the SMB protocol to launch the attack. It is therefore important (and best practice) to block SMB ports over the internet or network. SMB utilises TCP ports 137, 139 and 445 and UDP ports 137 and 138. It is also recommended to disable SMBv1 on vulnerable devices, such as Windows Server 2003 machines. If you have an Intrusion Prevention System (IPS) in place, ensure it is updated to counter the latest threats.

Have a disaster recovery plan. If the worst does happen, have a plan to mitigate the effects as much as possible. Instantly disconnect the machine from the network, as well as disconnecting or shutting down other devices on the LAN to prevent the spread of the malware. Ensure you are regularly backing up your data to a secure location, and do regular restoration tests, as infected devices may need to be restored.

Train your staff to watch out for phishing emails. In many cases, it is the person sat in the chair who is unlucky enough to initiate the attack. Cyber criminals are smart, and will use social engineering techniques and enticing emails to get a person to click on a link or download a file. It is best practice to always be suspicious of uninvited emails, and also verify the sender before clicking on anything!

If you are attacked – don’t pay! It is estimated around 100 people have now paid the ransom demanded by WannaCry, netting the criminals around $30,000. If you do pay, there is no guarantee you will get your files back, and you are rewarding criminal activity.

Our existing customers who have purchased managed firewalls and Cisco AMP solutions from us can rest assured that Cisco’s threat intelligence organisation, Talos, led in identifying and mitigating the effects of WannaCry. Cisco Umbrella’s intelligence database will also proactively block the domains the malware will use to attack. If you have any concerns or queries please give our support team a call.