Update on WannaCry Ransomware attack

As you may have heard, there was a massive cyber-attack which began this past Friday. It affected many organizations around the world. It shut down hospitals in England and even affected FedEx shipping. This attack has been called WannaCry and it has been asking for a $300/computer ransom to unlock files. We have been monitoring the situation and wanted to give you anupdate on what’s happened and what (or what not) to do.

What type of attack was this?
This was a two-part attack. A virus exploited a previously-unknown security hole in Windows XP, 7, and 8/8.1. The virus then spread through the network and installed Ransomware, which locked users out of their computers. The attackers have demanded a $300/computer ransom to decrypt the files.  Windows 10 does not have the security hole, but the virus can still spread through the network to a Windows 10 pc after the initial attack and encrypt it.

How did they get in?
The attackers sent out emails to people all around the world with links to a file hosted on DropBox or other file sharing site. These spam emails utilized social engineering attacks by pretending to be banks, PayPal, eBay, email administrators, and other “appeals to authority”. They claimed that you needed to reset your password or download a document that contains instructions for resetting your password or that your bank account has been compromised, or any number of other tricks. The password reset link or the attached document would really be a link to the virus. The virus also spreads through a secret vulnerability in older versions of Windows without a user clicking on a link.  This direct attack affected networks with inadequate firewall policies.

What’s up with this vulnerability? I heard it has something to do with the NSA?
This vulnerability was previously unknown until a group of hackers allegedly stole software being used by the NSA to conduct cyberwarfare. As soon as Microsoft became aware of this vulnerability, they issued a patch for it. This patch was issued in March/April, but many computers around the world remained unpatched for various reasons. This security hole is so serious that Microsoft even released patches for Windows XP, which is no longer supported by the company.

How was this attack stopped?
The attack stopped almost as quickly as it began. Over 300,000 computers were infected in the span of 1 day. A security researcher analyzed the code and discovered that there was a secret killswitch built into the virus. Before encrypting a computer, the virus tried to reach out to a custom domain name. If it didn't receive a response, it encrypted the computer.  If it did get a response back, the virus shut itself down. The security researcher was able to purchase the domain name, which then shut down the virus. This was a lucky break.  Cyber criminals now know that this vulnerability works and they are already scrambling to write new viruses that take advantage of the hole and it's doubtful they will include a secret kill switch this time.

What is Cloud Media doing to keep my network safe?
We believe in a multi-layered approach to security. Each client is different, but in general, we have implemented strong network firewalls to prevent intruders from getting in. We use antivirus software that protects against viruses and detects and stops “encryption events”. Where we can, we have locked computers down and restricted network access to only the files that the user needs and we prevent users from installing software without administrator permissions. This is called the “least access” policy, which helps prevent viruses from spreading through a network. Finally, we recommend email providers (usually Office 365 or G-Suite) who have robust security measures built into their platform.

Is my network safe?

The honest answer is: probably. There is a lot we don’t know about this attack. There may be more attacks in the coming days. Cloud Media and its affiliates have been proactive in patching systems and locking down your network. In addition, your antivirus has advanced detection features that allow it to shut down any virus that attempts to encrypt your files. That said, no defense is 100% effective. This attack has shown us that there are new vulnerabilities out there that are difficult to account for. The security of your network is our top priority and we spend a lot of time researching the latest threats and developing plans to respond.

What can I do to prevent something like this?
The most important thing you can do is pay attention to email attachments and programs from the internet that you download. Do not download attachments from any emails you don’t recognize. Your bank, PayPal, Microsoft, Google, etc. will NEVER send you an attachment or any other document. They will also never ask you for  your passwords via email. If an email looks suspicious, delete it, call the sender for verification, or forward it to your IT provider for verification.

What’s plan B?
As I said, it’s impossible to predict and stop all threats all the time, but there is a Plan B. “B” stands for “Backup”. We have implemented backups and disaster recovery for your network, and we are rolling out additional options in the next few weeks. If the worst case happens, we can recover from backups within a relatively short period of time. We audit our backup solutions regularly and we will be performing an audit this week to ensure that your backups are up to date.  Please reach out to us if you have any concerns about your current backup solution!