Can You Protect Yourself from WannaCry Ransomware?
In a matter of hours, the WannaCry ransomware attack crippled nearly 300,000 computers across 150 countries. 48 British hospitals lost access to patient files and diverted emergency-room patients to other facilities. The attack hobbled systems at Spain’s telecommunications giant Telefónica, the Russian Interior Ministry, universities, banks and numerous other organizations, as well as home computers, all over the world.
An unlikely “kill switch” helped contain the devastation earlier than attackers would have preferred. But cybersecurity experts warn that it’s only a temporary fix. The biggest ransomware attack in the history of the Internet is likely not over yet, they say. It’s just beginning.
How to Protect Yourself from WannaCry Ransomware
Researchers are still learning new information about WannaCry ransomware, how it spread and what form it may take when the next attack occurs. Below, we uncover everything we know about this nasty malware so far. But first, it’s critical to make sure your systems are protected.
Protecting yourself from ransomware like WannaCry (also known as WanaCrypt0r, WannaCrypt, WCrypt and WCry) requires both immediate action and long-term business continuity planning.
Here’s what you need to do right now.
Steps to take to protect against WannaCry ransomware: Immediate
- Patch your systems.
WannaCry exploits a known vulnerability in Windows operating systems, including XP, Windows 7, Windows Server 2003 and 2008. Microsoft released a patch, MS17-010, last March that fixes the vulnerability (though the onus was on users to install the update, which is why so many computers were left vulnerable). The patch is available from Microsoft's MS17-010 security bulletin.
- Update your OS. Make it automatic.
If you’re on Windows, and you’ve been diligently keeping it up to date, then you should be safe. If not, update your system immediately. Keep in mind that this particular vulnerability, which we cover in greater detail below, is just one security hole out of many that Microsoft discovers on a regular basis. This is why it’s so important to keep your OS updated and set updates to install automatically. That way your system receives these critical patches as soon as they’re available.
- Update and run Windows Defender.
As an added layer of precaution, Windows’ built-in security software has been updated to automatically detect the ransomware. If you’re running Windows 7, Windows Server 2008 or an earlier version, you should download and update Defender immediately.
- Install and update anti-malware, anti-virus and/or anti-ransomware software.
Consider adding a dedicated ransomware blocker on your system, on top of your traditional anti-malware and anti-virus software. Many malware-protection solutions are not designed to detect ransomware, whereas software like Cybereason is designed specifically to block threats like WannaCry.
- Block TCP port 445.
If you’ve performed the steps above, then this isn’t completely necessary, but it’s a useful tip for those who want to do everything possible to block WannaCry ransomware. Since the exploit currently utilizes TCP port 445, blocking that port within your Windows firewall settings can provide an added level of security.
- Infected now? Shut down networked computers ASAP.
As with any ransomware attack, if you’ve detected an infection on your network, you can potentially slow the spread by removing other machines from the network or shutting them down. This may buy you time to clean and patch the non-infected machines before their files are encrypted.
- Configure access controls.
In a typical ransomware attack, the ransomware locks as many files as it can on the infected machine and other computers on the network. By configuring network share permissions and limiting user access to only the folders they need, you can prevent the infection from spreading. (However, in the case of WannaCry, machines could still be infected through the Windows vulnerability.)
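The host-level steps above (patch check, Defender signature update, blocking TCP 445, and share permissions) can be checked from one elevated PowerShell prompt. The script below is an added example, not code from the original article or from Microsoft. It assumes the MS17-010 KB numbers listed in it, which are my recollection of the bulletin and should be confirmed against the bulletin for your exact OS build; the firewall rule name and the `-BlockSmb` switch are my own choices.

```powershell
# Added example: audit a Windows host against the immediate WannaCry steps.
# Run from an elevated PowerShell prompt. Only -BlockSmb changes anything.
param([switch]$BlockSmb)

# ASSUMPTION: MS17-010 package numbers as recalled from the bulletin; verify
# them for your OS. Windows 10 receives the fix in its cumulative update, so a
# "not found" there means "check Windows Update", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Server 2012
)

function Test-Ms17010 {
    # Returns the installed MS17-010 package(s), or nothing if none is present.
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

function Update-DefenderSignatures {
    # Update-MpSignature exists on Windows 8.1 / Server 2012 R2 and later;
    # older systems update Defender through Windows Update instead.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature
    } else {
        Write-Warning 'Defender cmdlets not available; update Defender via Windows Update.'
    }
}

function Block-Smb445 {
    # Inbound TCP 445 is the SMB port the exploit uses. Blocking it on a file
    # server also blocks legitimate file sharing, which is why the article
    # calls this step optional once the patch is installed.
    $name = 'Block inbound TCP 445 (WannaCry)'   # rule name is an assumption
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    } else {
        # Windows 7 / Server 2008 R2 fallback
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=445
    }
}

function Get-OverexposedShares {
    # Shares granting Everyone full control let an infected client encrypt
    # everything on the share. Admin shares (ending in $) are skipped.
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name
    } | Where-Object {
        $_.AccountName -match 'Everyone' -and $_.AccessRight -eq 'Full'
    } | Select-Object Name, AccountName, AccessRight
}

$patch = Test-Ms17010
if ($patch) { Write-Host 'MS17-010 installed:'; $patch | Format-Table -AutoSize }
else        { Write-Warning 'MS17-010 not found; install it from the bulletin or Windows Update.' }

Update-DefenderSignatures

$exposed = Get-OverexposedShares
if ($exposed) { Write-Warning 'Shares granting Everyone full control:'; $exposed | Format-Table -AutoSize }

if ($BlockSmb) { Block-Smb445; Write-Host 'Inbound TCP 445 blocked.' }
```

`Get-SmbShare` and `Get-SmbShareAccess` ship with Windows 8 / Server 2012 and later; on Windows 7 the share audit section will error and `net share` is the manual substitute.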
Steps to take to protect against WannaCry ransomware: As Soon as Possible
If you’ve taken all the immediate steps for protecting against WannaCry ransomware, it’s time to look at the larger picture. How can you ensure that such an attack won’t devastate your company in the future?
The threat of ransomware isn’t going away anytime soon. Organizations must be proactive about their business continuity planning, or else their data will remain at risk.
Here’s what you need to do in the long term (i.e. as soon as possible) to protect yourself.
- Deploy a dependable data-backup system.
After a ransomware attack, you have very few options for getting your files back: 1) pay the ransom (although there’s never a guarantee that you’ll receive the decryption keys as promised), or 2) restore a backup. If you haven’t been regularly backing up your data, then it could be gone forever. A good data backup system is thus a critical line of defense against an attack like WannaCry. In the event of an infection, you’d simply roll back to a recovery point before the attack occurred. Your data would effectively be restored, without having to pay a ransom. Even better: leading data-backup providers like Datto now have ransomware protection built in. This is an added layer of security that automatically detects an infection and alerts admins to restore a clean backup ASAP.
- Test your backups.
Already have a backup system? Perform a test recovery as frequently as possible to ensure that the system is working as it should. Backups are notorious for failure during recovery. With a test recovery, you can help ensure that you’ll be able to get your data back in a real-world event. Additionally, the test will help you determine if you’ll be able to meet your recovery time / point objectives (RTO/RPO). It’s also a good idea to run penetration tests against your network at least once a year, to identify any potential weak points.
- Educate personnel on cybersecurity threats.
WannaCry was different from other forms of ransomware in that it used a Windows exploit to infect computers, rather than a phishing attack or a malware-loaded email attachment. Still, employees should be properly trained on what to look for, how to identify malicious links and why it’s so important to adhere to the company’s Internet/email security policies.
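The two backup steps above (a dependable backup, then a test recovery that confirms the data comes back intact and within the RTO/RPO) can be exercised with a scheduled restore test. The script below is an added example, not code from the original article, Datto, or any backup product. It assumes a simple layout I made up for illustration: each backup set is a folder named `yyyyMMdd-HHmm` under a backup root, holding a copy of the source tree plus a `manifest.csv` of SHA-256 hashes written at backup time; all paths are hypothetical, and a real backup product would replace the `Copy-Item` "restore" with its own restore call.

```powershell
# Added example: write a hash manifest at backup time, then test-restore the
# newest backup set to a scratch folder and verify every file against it.

function New-BackupManifest {
    # Records RelativePath + SHA-256 for every file under $SourcePath.
    # Write this from the clean source before the backup runs, so a backup set
    # that was encrypted after the fact shows up as "corrupt" on restore.
    param([Parameter(Mandatory)][string]$SourcePath,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $SourcePath).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $_.FullName -ne $ManifestPath } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    # Restores the newest set to $ScratchPath, verifies it, and reports whether
    # the backup age meets the recovery point objective (RPO) in hours.
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ScratchPath,
          [double]$RpoHours = 24)

    # Backup sets are folders named like 20170512-0200 (assumed layout); the
    # newest sorts last.
    $latest = Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\d{8}-\d{4}$' } |
        Sort-Object Name | Select-Object -Last 1
    if (-not $latest) { throw "No backup sets found under $BackupRoot" }
    $taken = [datetime]::ParseExact($latest.Name, 'yyyyMMdd-HHmm',
                 [System.Globalization.CultureInfo]::InvariantCulture)

    # "Restore" = copy into a scratch location. Never restore over production
    # data during a test, and never run the test on a machine you suspect is
    # infected, or the restored copy gets encrypted too.
    if (Test-Path $ScratchPath) { Remove-Item $ScratchPath -Recurse -Force }
    Copy-Item -Path $latest.FullName -Destination $ScratchPath -Recurse

    $manifest = @(Import-Csv (Join-Path $ScratchPath 'manifest.csv'))
    $missing = @(); $corrupt = @()
    foreach ($entry in $manifest) {
        $file = Join-Path $ScratchPath $entry.RelativePath
        if (-not (Test-Path $file)) { $missing += $entry.RelativePath; continue }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { $corrupt += $entry.RelativePath }
    }
    $ageHours = ((Get-Date) - $taken).TotalHours
    [pscustomobject]@{
        BackupSet  = $latest.Name
        FilesTotal = $manifest.Count
        Missing    = $missing.Count
        Corrupt    = $corrupt.Count
        AgeHours   = [math]::Round($ageHours, 1)
        RpoMet     = ($ageHours -le $RpoHours)
        RestoreOk  = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
    }
}

# Usage (hypothetical paths). At backup time, before copying D:\Data into the set:
#   New-BackupManifest -SourcePath 'D:\Data' -ManifestPath 'E:\Backups\20170512-0200\manifest.csv'
# On a schedule (and after every change to the backup job):
#   Test-RestoredBackup -BackupRoot 'E:\Backups' -ScratchPath 'E:\RestoreTest' -RpoHours 4
```

Time the `Test-RestoredBackup` call with `Measure-Command` to get a rough recovery time figure to compare against your RTO; a restore that verifies clean but takes longer than the business can tolerate is still a failed test.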
Everything We Know about WannaCry Ransomware
Nearly two weeks after the global attack, new details about WannaCry are still emerging. Here’s what we know so far.
- No spam or phishing involved. Early reports said that WannaCry was likely the result of an aggressive spam campaign. However, researchers can now say with certainty that the infections originated from the Windows exploit known as EternalBlue.
- Backdoor malware. EternalBlue is an SMBv2 exploit that was dumped into the wild last month as part of a large collection of leaked NSA tools. According to Wired, “The method of exploitation it uses is known as HeapSpraying – by injecting shellcode into vulnerable systems, this allows for the exploitation of the machine in question. The code is capable of targeting vulnerable machines using their IP address … As it exposes these vulnerabilities in the machine, it works to search for backdoor malware DoublePulsar that has already been running undetected.”
- “A beacon to other potential SMB targets.” After one machine is infected, DoublePulsar sent requests to different systems to determine if they were vulnerable and to quietly withdraw files or deliver additional WannaCry malware. Thus EternalBlue “acted as a beacon to other potential SMB targets,” spreading malicious software to all connected devices at rapid speed.
- $300 ransom demand. Infected machines displayed the message “Oops, your files have been encrypted!” and requested $300 worth of bitcoin to restore access.
- Only $100,000 in payouts. Early estimates projected that the attackers might net more than $1 billion in payouts. But by the time the “kill switch” was activated, roughly only $100,000 had been added to the publicly visible bitcoin wallets associated with the attackers.
- An accidental kill switch. WannaCry was designed with a kill switch that would enable the malware to go dormant if it detected it was under scrutiny. In this case, it would do so by attempting to connect to a specified web address hidden in the code. But a 22-year-old cybersecurity researcher at Kryptos Logic noticed the random-looking domain was not registered. So, he registered it. And just like that, the threat of WannaCry was effectually neutralized and the spread was slowed to a crawl.
- Attempts to kill the kill switch. Attackers aren’t giving up. Almost immediately after reports that the kill switch had been activated, a sophisticated DDoS attack on the domain name began. According to Wired, the attackers “directed armies of zombie devices—webcams, modems, and other gadgets caught up in the expansive Mirai botnet—to funnel junk traffic to the kill-switch web address.” Researchers believe these attacks are from other groups of hackers, unconnected to the original WannaCry developers.
- Russia hit hardest. While infections were widespread, across multiple continents, the New York Times reported that Russian organizations were the worst hit, followed by Ukraine, India and Taiwan.
- WannaCry was developed to run in 27 languages. That’s the “type of development investment an attacker wouldn’t make if he were simply trying to target one hospital or bank. Or even one country,” says Wired.
- North Korea to blame? Experts have pointed out that WannaCry’s code is very similar to (and in some cases identical to) code used in other malware tools created by the North Korean hackers known as the Lazarus Group.
Researchers say the next big ransomware attack isn’t a question of “if,” but “when.” On Sunday, Fortune reported the discovery of a new strain of malware that would make WannaCry’s successor even scarier.
Coined “EternalRocks,” the malware is another exploit that allegedly originated at the NSA. “Like the original ransomware, known as WannaCry, EternalRocks uses an NSA tool known as EternalBlue to spread itself from one computer to the next through Windows,” Fortune reported. “But it also uses six other NSA tools, with names like EternalChampion, EternalRomance, and DoublePulsar.”
This would all but guarantee that the EternalRocks-guided ransomware would spread even farther and faster than WannaCry.