Malicious software called ‘WanaCryptor’ hit the NHS this past Friday. The ransomware caused hospitals across England and Scotland to cancel operations, delay routine practices and divert ambulances, while patient records were made unavailable as infected computers were on lockdown until a ransom was paid.
Other high-profile targets included FedEx, Germany’s national railway, Telefónica along with many of Spain’s largest companies, and private and personal computers across the world. Once it infects a PC, the software locks up the data and the device, and holds them for ransom.
To make matters worse, this software has the ability to spread within networks to infect PC after PC. As of this blog post, over 230,000 computers in 99 countries worldwide have been infected, and though 22-year-old British security researcher MalwareTech was able to trigger a kill-switch that significantly slowed down the ransomware’s spread, the infection is still on the rise.
WannaCryptor, also known as ‘WannaCry’, takes advantage of a Windows SMB exploit to target computers running on unpatched or outdated versions of Windows. The SMB exploit was discovered in the leaked collection of hacking tools, purportedly created by the NSA and exposed in a data-dump by the hacking group called The Shadow Brokers last month.
This vulnerability was first revealed as part of a leaked collection of NSA-related files and documents that identified it as a method of infecting Windows PCs, encrypting data and demanding payments in order to provide the decryption key. WannaCry uses strong encryption, the RSA 2048-bit cipher, to encrypt files and data, a slow yet unbreakable method.
Once on the PC, WannaCry locks up the device, encrypts data, and demands Bitcoin payments. As reported, the payments begin at $300 and the software destroys files within hours if the payment hasn’t been received.
Microsoft released a patch for this flaw back in March, but users and network admins who didn’t update their systems were left vulnerable. Since the attack, Microsoft announced a quick fix for computers using older operating systems, but the bottom line at the moment is: be careful what you click on, for it could be malware.
What can organizations do to protect themselves?
This isn’t the first ransomware attack, and it certainly won’t be the last. You can significantly reduce the risk of being infected by ransomware by taking the necessary computer security steps, and this includes keeping your software and operating systems up to date. Even the little updates are vital, and should be installed ASAP. But the focus now is to ensure that all systems have been patched against MS17-010 vulnerabilities.
Block TCP/445 traffic from untrusted systems or, if possible, block inbound 445 to all internet-facing Windows systems. Additionally, because the malware itself leverages Windows SMB, the protocol that allows computers to share information and communicate, you can block SMB altogether.
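To check whether the TCP/445 advice above actually holds on a network, the following added example (not part of the original post) reads connection records and reports allowed SMB connections from untrusted sources, plus internal hosts contacting many distinct peers on 445 within a short window. The log format, the trusted range, the thresholds and the function names are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 445
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal range
FANOUT_THRESHOLD = 5   # assumption: distinct SMB peers before a host is flagged
WINDOW_SECONDS = 60    # assumption: sliding window for the fan-out count
# Constructed sample records: "<epoch> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
1000 203.0.113.7 10.1.1.20 445 ALLOW
1001 203.0.113.7 10.1.1.21 445 DENY
1005 10.1.1.20 10.1.1.30 445 ALLOW
1006 10.1.1.20 10.1.1.31 445 ALLOW
1007 10.1.1.20 10.1.1.32 445 DENY
1008 10.1.1.20 10.1.1.33 445 ALLOW
1009 10.1.1.20 10.1.1.34 445 ALLOW
1010 10.1.1.50 10.1.1.5 445 ALLOW
"""

def is_trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_NETS)

def parse(text):
    for line in text.splitlines():
        try:
            ts, src, dst, dport, action = line.split()
            ipaddress.ip_address(src), ipaddress.ip_address(dst)  # validate
            yield int(ts), src, dst, int(dport), action.upper()
        except ValueError:  # malformed record: skip it
            continue

def audit(text):
    """Return (exposed pairs, {internal host: peak distinct SMB peers})."""
    exposed, attempts, spreaders = set(), defaultdict(list), {}
    for ts, src, dst, dport, action in parse(text):
        if dport == SMB_PORT and is_trusted(src):
            attempts[src].append((ts, dst))  # allowed or denied both count
        elif dport == SMB_PORT and action == "ALLOW":
            exposed.add((src, dst))          # untrusted source reached SMB
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW_SECONDS:
                start += 1
            peers = len({d for _, d in events[start:end + 1]})
            if peers >= FANOUT_THRESHOLD:
                spreaders[src] = max(spreaders.get(src, 0), peers)
    return sorted(exposed), spreaders
```

Calling `audit(SAMPLE_LOG)` reports the one untrusted source that was allowed through to SMB and the one internal host that reached five peers inside the window.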
Furthermore, maintaining a full backup of all systems is another solid way to ensure your protection against ransomware attacks. Backups are the only full mitigation against data loss due to ransomware. However, bear in mind that backing up on a single sign-on platform (such as Dropbox) may not be the right choice, as it remains open and files may easily be stolen or deleted.
And for organizations looking to effectively keep safe from the attacks to come, the most effective way is by incorporating security throughout your software’s development lifecycle. By doing so, your deployed apps are developed with security in mind and you’re ensuring that they are secure upon release.