Last week, the WannaCry ransomware attack caused at least partial shutdowns of operations at Britain’s National Health Service (NHS) and Spain’s Telefonica, as well as at FedEx here in the US.
Fortunately, 10Pearls was not affected by this ransomware, and our information (as well as the information entrusted to us by our customers and partners) remains safe.
When security incidents like these make the news, I feel it is valuable to touch base with our customers and partners to give an update and offer prevention tips. I’ve put together the following brief on ransomware and how it can be prevented, detected, and remediated. I’ve also included my analysis of what made this instance particularly newsworthy.
Ransomware attacks use a combination of techniques to attack your system and encrypt your files. The criminals behind these operations hold your information ransom in exchange for an untraceable, anonymous payment. This type of attack has been very successful and financially rewarding, so its frequency continues to increase and accelerate. Even if you make a payment, there is no guarantee you will get your files back. Remember: you’re dealing with criminals.
There are four main mechanisms for preventing loss due to ransomware: patching, anti-malware, awareness, and backups.
- Patching ensures that your system, and all the software running on it, are up to date. Ransomware uses security vulnerabilities to infect your system, so enabling automatic updates, or applying patches as quickly as possible, is the best defense against being infected in the first place.
- Anti-malware, or anti-virus, is hopefully a key piece of security protection on every individual’s computer. There are free and paid options; whichever you choose, make sure it is kept up to date so it can detect the latest variants. Consider newer solutions that include messaging protection.
- Awareness is critical. People are usually the target, and ransomware criminals use “social engineering”–a fancy term for lying–to trick someone into clicking on links or attachments to spread ransomware. Individuals need to treat everything that comes to them with suspicion. Businesses should not only focus on force-feeding “security awareness training,” but raise awareness by giving individuals a chance to share their concerns and work together on better solutions.
- Backups are really the last and best defense for ransomware. An offline backup–one that is not accessible directly via a shared or attached drive–will allow you to recover your data after a ransomware attack. Sadly, many businesses and individuals have lost a great deal of money, time, and productivity to ransomware due to the lack of backups.
Detection and Response
How do you know when you’ve been subjected to a ransomware attack? Typically, a large banner appears across your screen, alerting you to the fact that your files have been encrypted. If this happens, you should immediately shut down your computer. You should also disconnect it from networks by unplugging network cables or turning off wireless. Organizations may be able to detect and respond to ransomware attacks at the network layer as well. Network-based anti-malware solutions and outbound request filtering can be used to detect ransomware attacks and lessen their impact.
What Made WannaCry Different
Most ransomware spreads through “phishing,” which typically comes in the form of emails that look like something they are not. For example, an email might contain an attachment that claims to be a tracking number for an order you placed–one that does not line up with an actual order. The user who receives the email believes it is authentic and opens the link or attachment it provides. In WannaCry’s case, it also spread over networks, using an almost two-month-old flaw in Windows operating systems. In this way, it spread without user interaction, and attacked a relatively recent vulnerability. This vulnerability was significant enough that Microsoft took the unusual action of providing patches for systems with expired support periods, including Windows XP and Server 2003.
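As an added illustration of the network-layer detection and the network spreading described above (this is not code from the original post or from 10Pearls): malware that spreads without user interaction makes one host contact many peers in a short time, which flow logs expose. The flow tuple layout, thresholds, addresses, and the use of TCP 445 (SMB, the service WannaCry's worm component spread over, a detail this page does not state) are assumptions made for the example.

```python
from collections import defaultdict, deque

def find_scanners(flows, port=445, window=60, threshold=5):
    """Return {source: time_of_alert} for hosts that contact at least
    `threshold` distinct destinations on `port` within `window` seconds.

    `flows` is an iterable of (timestamp_seconds, src, dst, dst_port)
    tuples, an assumed layout for exported flow or firewall logs.
    """
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still in window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != port or src in alerts:
            continue              # wrong service, or host already flagged
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()           # expire contacts older than the window
        if len({d for _, d in q}) >= threshold:
            alerts[src] = ts      # fan-out too wide for a normal client
    return alerts

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Normal client: repeated SMB sessions to a single file server.
    (0, "10.0.0.5", "10.0.0.10", 445),
    (105, "10.0.0.5", "10.0.0.10", 445),
    # Worm-like host: six different peers on SMB within ten seconds.
    (100, "10.0.0.23", "10.0.0.1", 445),
    (102, "10.0.0.23", "10.0.0.2", 445),
    (104, "10.0.0.23", "10.0.0.3", 445),
    (106, "10.0.0.23", "10.0.0.4", 445),
    (108, "10.0.0.23", "10.0.0.6", 445),
    (110, "10.0.0.23", "10.0.0.8", 445),
    # Slow fan-out: five peers, but spread over more than thirteen minutes.
    (0, "10.0.0.7", "10.0.0.1", 445),
    (200, "10.0.0.7", "10.0.0.2", 445),
    (400, "10.0.0.7", "10.0.0.3", 445),
    (600, "10.0.0.7", "10.0.0.4", 445),
    (800, "10.0.0.7", "10.0.0.6", 445),
] + [
    # Busy web client on another port: ignored when watching SMB.
    (100 + i, "10.0.0.9", f"10.0.1.{i}", 443) for i in range(8)
]

if __name__ == "__main__":
    for host, when in find_scanners(SAMPLE_FLOWS).items():
        print(f"isolate {host}: wide SMB fan-out seen at t={when}s")
```

A flagged host is a candidate for the response step above: disconnect it from the network before investigating. The window and threshold need tuning against normal traffic, since servers and management tools legitimately contact many peers.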
Ransomware is making criminals rich. Untraceable currencies such as bitcoin have limited the risk these criminals face in profiting from their activity. As a result, ransomware attacks will continue to accelerate, and the attacks themselves will become more complex.
Act quickly and make sure you and your organization are active in your prevention efforts–including patching, anti-malware, awareness, and backups–before it is too late. Businesses should also consider looking into cyber insurance, or at least reviewing their policies. A policy with the right protection can cover not only the loss of data, but also the business interruption due to a ransomware event.
10Pearls has helped reduce risks related to information security for numerous businesses. We would be happy to speak to you about your challenges and help protect you from potential breaches. Please feel free to contact us.