As you may be aware, a widespread ransomware campaign is affecting various organisations worldwide, with reports of hundreds of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.
Information correct as at 15/05/2017.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours.
What Does It Do?
The software, known as ‘ransomware’, will, once running, encrypt the data on your computer and display a warning (shown above) advising that you need to make a Bitcoin payment equivalent to approximately £240 in order to release your data and remove the software.
How Does It Spread?
Unlike most viruses and malicious software, this variant does not appear to be transmitted over email. Nor does it require you to click a file or an attachment to launch the virus. Instead it relies on a security vulnerability in the Microsoft Windows operating system, which allows the virus to spread in seconds from one computer to another. This requires that the computers concerned be connected on the same network (LAN or WAN). This is how the software was able to spread throughout the NHS in a matter of hours, as the NHS computer system is essentially one massive network.
Is My Business at Risk?
If you have a decent, business-grade firewall, there should be no way for this software to gain access to your network from the outside. However, there are a number of precautions which should be observed regardless. It is quite possible that a new variant of the software will appear which relies on email or the accidental downloading of a file in order to initiate its attack. This would bypass any firewall you have in place. For this reason it is vital that you make sure no individual computer on your network suffers from the vulnerability; this means they must all be fully patched and up to date with all Windows updates. In the case of the NHS, it is thought that the initial infection may have been delivered “in person”, through a targeted social media link, or possibly via a weakness in a firewall. This is not yet known.
I thought only Windows XP was affected?
No. News coverage has been focused on old Operating Systems like Windows XP, being used within the NHS. However newer operating systems are also affected. The difference is that newer Operating Systems (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the required security updates in March, assuming automatic updating has not been disabled.
Windows XP went out of support in 2014, meaning it has not been receiving such security updates. However, due to the high risk posed by this threat, Microsoft has taken the unusual step of releasing an update for its unsupported systems (Windows XP, Windows Server 2003, Windows 8). These are available to download here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
How Can We Avoid the Software (and be prepared for the worst)?
These rules apply generally, and are not specific to this particular piece of malicious software. If you are running a business, and rely on your data (which you do!), then these rules must be adhered to!
- Don’t run any machines on Windows XP. If you still have old computers in regular use, with Windows XP on them, upgrade or replace them.
- Ensure that your computers are receiving Windows updates. If you have Windows 7, this video shows you how: https://www.youtube.com/watch?v=qVNqH1SaoRA. If you have Windows 10, follow these instructions: http://www.thewindowsclub.com/check-for-updates-in-windows-10
- Make sure you have a firewall in place. If you have a server or even just a couple of computers in the same place, you should have a business-grade hardware firewall in place.
- Never follow a link, or open an email attachment that you are not expecting. Even if it looks like it came from a recognised sender, it could be ‘spoofed’.
- Always ensure that you have a full and thorough backup procedure in place.
- Ensure you have a decent Anti-Virus system in place, and that it is up-to-date.
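For a small business with more than a handful of PCs, checking each machine by hand for the items above is error-prone. The following PowerShell script is an added example (it is not part of the original article) that audits one or more Windows hosts for three of the points in the list: whether the update for the vulnerability is installed, whether the Windows Update service is able to run, and whether automatic updating has been switched off by policy. It assumes KB4012598, the update ID quoted above for the unsupported systems; on supported systems the March fix shipped inside a monthly rollup under a different KB number, so look up the ID for your operating system in Microsoft's security bulletin and pass it with `-ExtraKB`. The `-ComputerName` and `-ExtraKB` parameter names are this example's own. It is written for Windows PowerShell 5.1 and must be run as an administrator; remote hosts need the Remote Registry and RPC access open to the machine you run it from.

```powershell
# Added example, not from the original article: audit Windows hosts for the WannaCry patch
# and for automatic updating being enabled. KB4012598 is the ID quoted in the article;
# supported OS versions received the same fix in a rollup with another KB (pass via -ExtraKB).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$ExtraKB = @()
)

$requiredKBs = @('KB4012598') + $ExtraKB
$unsupportedPattern = 'Windows XP|Server 2003'   # out-of-support OS names to flag

$report = foreach ($computer in $ComputerName) {
    $result = [ordered]@{
        Computer      = $computer
        OS            = $null
        Unsupported   = $null
        PatchFound    = $null
        UpdateService = $null
        AutoUpdate    = $null
        Error         = $null
    }
    try {
        # Operating system name, so out-of-support machines are visible at a glance.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $result.OS = $os.Caption
        $result.Unsupported = [bool]($os.Caption -match $unsupportedPattern)

        # Get-HotFix lists installed updates; any one of the required KB IDs counts as patched.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $hit = $requiredKBs | Where-Object { $installed -contains $_ }
        $result.PatchFound = if ($hit) { $hit -join ',' } else { 'NONE of ' + ($requiredKBs -join ',') }

        # The Windows Update service (wuauserv) must not be disabled or updates never arrive.
        $svc = Get-Service -Name wuauserv -ComputerName $computer -ErrorAction Stop
        $result.UpdateService = '{0} (start type: {1})' -f $svc.Status, $svc.StartType

        # Group Policy key; NoAutoUpdate = 1 means automatic updating has been turned off.
        # Read over the Remote Registry service so the same code works for remote hosts.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $au = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')
        if ($au -and $au.GetValue('NoAutoUpdate') -eq 1) {
            $result.AutoUpdate = 'DISABLED by policy'
        } else {
            $result.AutoUpdate = 'enabled (no disabling policy found)'
        }
    }
    catch {
        # Keep going for the remaining hosts; record why this one could not be checked.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Anything unsupported, unpatched, or with updates disabled needs attention first.
$report | Sort-Object Unsupported, PatchFound -Descending |
    Format-Table Computer, OS, Unsupported, PatchFound, UpdateService, AutoUpdate, Error -AutoSize
```

Typical use is `.\Audit-WannaCryPatch.ps1 -ComputerName (Get-Content .\hosts.txt) -ExtraKB KB1234567` (the second value being a placeholder for the rollup ID you looked up). A host showing `NONE of ...` in the PatchFound column, `Disabled` as the service start type, or `DISABLED by policy` under AutoUpdate is one that the list above says must be dealt with before anything else.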
What If I am Infected?
OK, well don’t pay the ransom, that’s the first thing. There is no guarantee that your data would be released (these people probably don’t have the same moral code as you). Also you are effectively funding crime. There is no known way to decrypt data, so the only solution requires that your PC be wiped / reinstalled, and any data recovered from a backup, hence the importance of item 5 above!
Will my Anti-Virus System Spot It?
If it’s up-to-date, and running, yes. As of late on Friday 12/05/2017, most Anti-Virus software manufacturers, including Sophos, had released updates to their detection engines. One of the reasons for the rapid initial spread was that Anti-Virus manufacturers had not yet updated their rules (a Zero-day exploit). This highlights why you cannot completely rely on your Anti-Virus software!