In the early hours of Friday, May 12, cyber criminals released ransomware dubbed “WannaCry” (aka WannaCryptor) that disrupted services in multiple hospitals, telecom companies, universities, and car manufacturing plants across Europe. Within 24 hours, this strain of ransomware had spread across 150 countries, locking up more than 200,000 computers. Businesses are bracing for the worst in the coming weeks, afraid to find out whether all their computers have been hijacked by WannaCry, grinding their organization to a halt.
Targets are large and small
According to Reuters, hundreds of hospitals and clinics in the British National Health Service (NHS) were shut down on Friday, forcing them to postpone operations and send patients home. Car manufacturer Renault had to halt production lines on Saturday in France, as did Nissan in northeast England. Telefonica, a telecommunications company operating across Argentina, Spain, and Portugal, was targeted. In Singapore, MediaOnline, a company that supplies digital signage, had all of its kiosks infected. FedEx was targeted by this ransomware in the U.S.
What makes you WannaCry
Once WannaCry infects a laptop or server, it encrypts all the files on that system and prevents you from accessing your data. A ransom note is displayed, as shown here, demanding $300 in bitcoins to receive the key to decrypt your files. In many cases the attackers have found that people and businesses are willing to pay the ransom, because it is a life or death situation (hospitals), a disruption to business-critical operations (manufacturing), or it blocks regular users from accessing crucial documents like tax records.
WannaCry spreads faster than regular ransomware
Most ransomware spreads like a virus, via an attachment to a phishing email or through a URL/link to a malicious website. It infects one endpoint at a time, and only when a user unknowingly clicks the malicious link or opens the email attachment.
WannaCry spreads much faster, like a worm: it infects any vulnerable system or device plugged into the network without anyone having to activate it. This ransomware exploits a known Windows vulnerability in the Server Message Block (SMB) protocol. This worm-like behavior makes it the perfect tool to bring down unpatched servers, patient monitoring systems in hospitals, or industrial control systems in manufacturing plants that are running older versions of Windows. Microsoft issued a patch for this SMB vulnerability (MS17-010) back in March 2017.
Ransomware shows no signs of slowing down. Here are concrete steps that all businesses can take to minimize the risks posed by any ransomware, including WannaCry. Dark Reading published the following best practices for small and medium businesses from Arctic Wolf Networks, and they apply equally to the WannaCry ransomware.
- Patch all your systems immediately: Your IT staff should install the latest patches on all your laptops, servers, and devices as soon as the software or system vendor releases them. Run the Microsoft Security Analyzer to identify systems running older versions of Windows that are susceptible to WannaCry. Install the emergency patch that Microsoft issued for unsupported versions of Windows 8, XP, Vista, and older versions of Windows Server.
- Back up critical data/files regularly: You should back up your business-critical data regularly so that any data held for ransom can be restored from backup at any time. Without a backup strategy, businesses end up paying the ransom.
- Monitor your network 24 x 7: It is possible to detect ransomware calling out to the command-and-control sites that attackers use to distribute the decryption key once the ransom is paid. This helps you isolate endpoints that are already infected and prevent the ransomware from spreading laterally to other systems on your network.
- Keep your security defenses up-to-date: You need the latest threat intelligence updates for your existing security products, such as anti-virus and intrusion detection signatures and black-listed IP addresses and URLs.
Get professional help
According to Brian NeSmith, CEO of Arctic Wolf Networks (AWN), small and medium-sized businesses typically have limited resources to create a dedicated security team, or even to hire a single security analyst to detect and respond to advanced threats, even if they have deployed security products and subscribe to the latest threat intelligence services. They generally outsource detection and response functions to a managed security provider, who can fill the gap in security expertise (people) and can customize the forensic analysis and incident response (processes) to suit the business needs of the customer.
Small and medium-sized businesses rely on the AWN CyberSOC to proactively protect them against the latest advanced threats including this latest strain of ransomware. On May 12th, Arctic Wolf immediately updated the custom rules in our CyberSOC to detect the indicators of compromise outlined by all industry research that had been done, including our own research. We are continuously monitoring our customer networks for any variations of WannaCry to ensure that their networks are protected 24×7.
Arctic Wolf Networks, a leader in Managed Detection and Response, delivers a SOC-as-a-service to protect small and medium-sized businesses against any form of advanced threats, including the latest strains of ransomware like WannaCry.