What AV Integrators Should Know About WannaCrypt
This story has been updated to include advice from security expert and X2Go project lead Stefan Baur.
Last week, a group of hackers released a nasty piece of ransomware that quickly spread across the world, touching anything and everything connected to a network. Deemed WannaCrypt (or WannaCry), the ransomware infected thousands (approximately 200,000, according to NBC) of computers in thousands of countries and in particular wreaking havoc in Europe, where many medical institutions — including the UK’s National Health Service, schools, government institutions and businesses were essentially shut down. One AV/IT victim was Deutsche Bahn, German’s state railway operator, which had a digital signage network alerting passengers to train schedules that went down.
Once inside a system, all user files became encrypted and inaccessible to the owner, essentially held hostage, hence the term ransomware. To get the files back unencrypted, a user has to send $300 worth of bitcoin (an untraceable digital currency) to a certain account within three days. After three days the price doubles to $600. On the seventh day, all the files are deleted forever. The list of file types the code could encrypt was extensive, but included .doc files and most media files types such as .mov and .jpg (you can see the list here), so it would cripple most users who became infected. Pretty nasty, huh?
Fortunately, the spread of the attack was halted when a British cybersecurity researcher registered a domain he found hidden in the code in order to track the attack. The registration actually stopped the spread of the malware altogether, since it relied on connecting back to the domain and receiving no response in order to encrypt the files. If you’re interested in learning more about how the attack was stopped in such a seemingly simple way (it’s not), read the blog by the 22-year-old engineer, known primarily by his online handle MalwareTech, who unknowingly halted the spread. This was an extremely lucky break for everyone (except the purveyors of WannaCrypt, of course).
One of the reasons this attack spread so much further than other Ransomware attacks was because it took advantage of two exploits in systems running Windows that allowed remote attacks and remote control — codenamed “EternalBlue” and “DoublePulsar” respectively. Most ransomware attacks rely solely on phishing techniques, such as getting a user to click a link, in order to infect a computer. These vulnerabilities were identified earlier this year and on March 14th, Microsoft released a patch that fixed the vulnerability.
The threat isn’t over, however — the ransomware could reemerge at any time with a few alterations and any system without the patch would be vulnerable.
What You Should Do Immediately
- Run any and all security updates, if you haven’t already, on all computers, phones and everything you have connected to the Internet for your company. Windows computers running Windows XP, Windows 8 or Windows Server 2003 are extremely vulnerable and need to be updated immediately. More information on how to protect systems using Windows, including a link to the security update that should be installed, can be found here. Microsoft says Windows 10 was not vulnerable to the attack.
- Call your clients and make sure they have done the same, especially if you know they are running systems that use Windows at all.
- Consider offering to come to clients’ businesses and run software and firmware updates on all equipment (you can charge for this service!). How many pieces of AV equipment are floating around out there that don’t have the latest firmware?
What You Should Do After That to Protect Yourself and Your Clients
- Install security updates regularly to all systems. This includes not just software updates, but also firmware updates. If you don’t want to make them automatic, then you should be checking for updates and completing the installs regularly. Out of date devices are a huge vulnerability.
- Train staff and clients regularly in how to recognize phishing attempts. Phishing attempts have become more sophisticated of late and tricking even Internet savvy users. Earlier in May, a convincing email that looked like an invitation to see a shared Google doc made the rounds, and it wasn’t just grandmas who clicked the links and got infected. Regular training is key.
- Use strong spam filters to stop employees from ever even seeing phishing attempts. Use firewalls and anti-virus software.
- Back up files regularly, both to the cloud and locally to another hard drive.
- Have a prepared worst-case-scenario recovery plan in place in the event that something in your network does become infected.
- Whenever possible, at your own company or in designing systems, consider using operating systems other than Windows, which has consistently been the most vulnerable to attacks.
Here’s some additional info on steps businesses can take to protect themselves. Much of what I’ve described probably sounds obvious, but without a protocol in place to do these things regularly, they easily fall by the wayside, even to the large businesses. Just ask the U.K.’s National Health Service or Russia’s Interior Ministry. Now is as good a time as any to review procedures and put a plan in place.
- Don’t run Windows when/where you don’t have to. Depending on your area of work, there will probably be some apps that are only available for Windows. That doesn’t mean you have to use Windows for everything else as well, though. Solutions are available that allow you to display single Windows applications coming from a remote server on the screen of a Linux or macOS machine (Citrix, etc.), as well as for the other direction: Displaying a remote Linux application on a Windows or macOS screen (this is what X2Go [and others] does/do).
- Don’t go all Linux, either — diversity is the key. Run some macOS systems here, some FreeBSD there… whatever does the job best. This minimizes the chance that you’ll experience a total meltdown due to an exploit hitting you, as they are usually operating-system- or application-specific (think Microsoft Office).
- Keep systems that require different levels of security (customer/patient data, company data/intellectual property, internet) on separate networks. With the current attack, the pictures spreading on Twitter hint at Deutsche Bahn (Germany’s largest railway operator and infrastructure owner) having placed those infoscreens on their production network and joined to their regular Windows Domain (though we have no solid proof for that yet) — and from a security standpoint, that’s one of the biggest mistakes you can make, and an easily avoidable and totally unneccessary risk to take.
- When I say “separate networks,” I mean it. Don’t even use VLANs. Use separate switching and routing hardware. VLANs are a valuable tool when you have to manage large networks, but they are not a security measure. Yes, more hardware means higher expenses, but everything else will come back to bite you in the long run.
Unfortunately for those infected by WannaCrypt, no one has figured out to decrypt files yet, and security experts are scrambling to get systems back up and running. The only solution is to completely wipe infected systems and restore from an offline backup.