The WannaCrypt attack -- what we know and how to protect yourself
What seemed at first to be just another ransomware attack hit the headlines last Friday (May 12th) when it began to cripple hospitals and healthcare services in the UK. It quickly became clear, however, that this was something much bigger, with problems reported at businesses and government bodies around the world.
Infections by the malware, known as WannaCrypt or WannaCry, began in Spain, with the telecommunications giant Telefonica among the first to be hit. It then spread quickly to the United Kingdom, Russia, Japan, Taiwan, the United States and many other countries. In total, over 150 countries have been affected by the ransomware since Friday, according to Europol.
Some of the highest-profile victims were the UK's National Health Service, the US shipping firm FedEx and the French car maker Renault. Microsoft responded by taking the unusual step of issuing emergency patches for operating systems it no longer supports, including Windows XP and Windows Server 2003, to help users secure their systems.
Recorded Future has published a blog post detailing the malware. It also notes the triggering of an in-built 'kill switch' by a security researcher going by the Twitter handle @MalwareTechBlog: by registering a domain name that the malware was set to check, he was able to stop further infections. Before encrypting anything, WannaCrypt tries to connect to that domain; if the connection succeeds it exits without doing any damage, and it only proceeds if the domain is unreachable. One practical caveat for defenders: the check is a plain HTTP request that ignores the system's proxy settings, so on networks that only allow outbound web traffic through a proxy the kill switch does not fire and the machine is encrypted as though the domain had never been registered.
Security experts have been quick to point out that the vulnerability being exploited is two months old (the SMBv1 flaw fixed by Microsoft's MS17-010 bulletin in March) and that the attack's impact has been down to organizations failing to keep their systems up to date. Ilia Kolochenko, CEO of web security company High-Tech Bridge says, "Many companies were infected because they failed to maintain a comprehensive inventory of their digital assets, and just forgot to patch some of their systems. Others omitted or unreasonably delayed security patches. Last, but not least -- malware's capacity to self-propagate leveraged the lack of segregation and access control within corporate networks."
Over the weekend new versions have emerged without the kill switch. Stu Sjouwerman, CEO of security awareness training provider KnowBe4 says, "This means the attackers resumed their campaign even though the MalwareTech security researcher accidentally cut off the original wave. WannaCry's persistence is only the beginning. It is indicative of the sophistication of ransomware and its ability to severely impact critical infrastructures."
KnowBe4 also offers recommendations for protecting against the attack. These include checking firewall configurations to make sure no malicious network traffic is allowed out, and disabling SMB1 (version 1 of the Server Message Block file-sharing protocol) on all machines. Since the worm spreads by reaching SMB on TCP port 445, inbound access to that port from the internet, and between workstations that have no reason to share files, should be blocked as well.
Installing a Secure Email Gateway (SEG) to carry out URL filtering, and making sure it is tuned correctly, is also recommended, along with regularly patching endpoints, operating systems and third-party applications. Endpoints and web gateways also need next-generation, frequently updated security layers.
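As an added example (not code from the article, from KnowBe4 or from Microsoft), the following PowerShell script audits a Windows host for the MS17-010 fix, turns off SMBv1 on both the server and client side, and blocks inbound TCP 445 so a worm elsewhere on the LAN cannot reach the host. It assumes an elevated prompt on Windows 8/Server 2012 or later for the Smb* and NetFirewall cmdlets (the registry and sc.exe steps also work on Windows 7), and that the host is a workstation that does not need to serve files. The KB list is a partial one taken from the MS17-010 bulletin and should be checked against the entry for your exact build.

```powershell
# Added example (not from the article or KnowBe4): audit a Windows host against
# the two things WannaCrypt needs in order to spread to it - a missing MS17-010
# patch and an SMBv1 service listening on TCP 445 - and remediate both.
# Run from an elevated PowerShell prompt. Assumption: this host is a workstation
# that does not serve files, so blocking inbound SMB is acceptable.

# --- 1. Is the MS17-010 fix installed? --------------------------------------
# Partial KB list from the MS17-010 bulletin (assumption: verify the entry for
# your build; on Windows 10 later cumulative updates supersede these, so their
# absence alone does not prove the host is vulnerable).
$ms17010Kbs = @(
    'KB4012598',                           # out-of-band: XP, Server 2003, Vista, Server 2008, Windows 8
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) {
    Write-Output "MS17-010 fix present: $($found.HotFixID -join ', ')"
} else {
    Write-Warning "No listed MS17-010 KB found - patch this host before doing anything else."
}

# --- 2. Turn off SMBv1 on the server side -----------------------------------
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning "SMBv1 server is enabled - disabling."
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}
# Same effect via the registry; this is the only option on Windows 7 / 2008 R2.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -Type DWord -Value 0 -Force

# On Windows 8.1 / 10 remove the optional feature as well (takes effect after a reboot).
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# --- 3. Turn off SMBv1 on the client side -----------------------------------
# Stops this host from speaking SMBv1 to others (the services named in Microsoft KB 2696547).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- 4. Block inbound SMB so an infected peer cannot reach port 445 ---------
$ruleName = 'Block inbound SMB (TCP 445) - WannaCrypt mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# --- 5. Report what is still listening on 445 after the changes ---------------
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The server-side change takes effect immediately, but the client-side service change and the optional-feature removal need a reboot, and the host should be patched first: disabling SMBv1 removes the spreading vector but does not fix the underlying flaw.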
If a machine is infected with WannaCrypt or other ransomware it needs to be wiped and re-imaged from bare metal rather than cleaned in place.
This attack should also be a trigger for enterprises to review their security procedures. In particular they need to identify users that handle sensitive information and enforce higher-trust authentication such as 2FA. Policies and procedures should also be tightened, specifically those related to financial transactions, to prevent CEO fraud. Finally employees need to be aware of and able to spot social engineering attacks via multiple channels, not just email.
Moshe Ben-Simon, co-founder and vice president of deception technology firm TrapX Security says, "The solution to avoiding and defeating these attacks is increased visibility. They will get in your networks -- but how will you know? You must be able to find these attacker tools in your network before they can encrypt and control your data. New best practices, especially in highly targeted industries such as healthcare, finance and manufacturing, suggest further movement towards technologies that can detect and then engage ransomware tools."