Since last Friday afternoon, every news media outlet has been monopolized by the “unprecedented cyberattack” that is “affecting computers worldwide” known as WannaCry. You may be wondering why this cyberattack was so newsworthy. After all, the news is filled with data breaches involving credit cards, electronic patient health information, and even nation states allegedly interfering with elections in both the United States and France. It is also likely that your organization has been impacted by a computer infected with ransomware that prevented you from accessing files until they were restored.
So why was WannaCry such a big deal? It spread. Fast.
Those of us in the cybersecurity field had not seen anything with this much potential for widespread devastation in over a decade. The authors of this malicious software (malware) took ransomware, which was already devastating when it infected a single computer and encrypted its files, and turned it into armies of infected computers within an organization that encrypt every user file they can modify. Cybersecurity experts had feared for years that ransomware would advance to this next level.
The WannaCry infections likely started weeks ago but remained dormant until the malware author felt enough devices were infiltrated before remotely activating the spreading and encryption features. Once WannaCry was activated to unleash devastation, it quickly spread to reportedly more than 100 countries in less than 24 hours. Notable impact included 16 hospitals in the NHS that had to cancel surgeries, a large telecom company in Spain, and FedEx. Japan and China were hit, and reports indicated more than 300,000 computers had been infected.
The WannaCry malware only targets certain versions of Microsoft Windows. Once the Windows computer is infected, it reportedly crashes with the “Blue Screen of Death” (BSOD) or simply reboots the computer and displays the ransom note requiring $300 worth of bitcoin, an untraceable Internet currency.
Why not pay the $300? The ransom was $300 per computer. If your organization has 200 computers infected with WannaCry, that is $60,000 for the needed decryption keys. Even if you paid the ransom, there was no guarantee that your files would be restored.
Fortunately for most, the WannaCry “Kill Switch” was discovered by accident, which arguably reduced the damage of WannaCry significantly. However, WannaCry 2.0 has been released and has no kill switch. And you can be certain that ransomware authors worldwide took note of the potential WannaCry exposed and are working diligently to capitalize on it quickly. Therefore, businesses of all sizes must take the appropriate steps to protect themselves.
In working with clients of all sizes and all verticals to build resiliency against ransomware and other types of malware, LBMC developed a comprehensive checklist that can be downloaded here. Many of the items listed are long-term remediation efforts. LBMC recommends that you take the following steps to protect yourself immediately:
- Ensure your backups are working properly
- Warn your users NOT to open attachments from unknown sources, or unexpected attachments from known sources
- Do NOT rely on Anti-Virus as the sole protection mechanism
- Patch all your Windows systems immediately to the latest level from Windows Update
- Patch third party applications such as Internet browsers, Adobe, Java, etc.
- Prevent the delivery of .exe or .zip files through your email system
- Disable “Active Content” (aka Macros) in Microsoft Office Documents
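As an added illustration of the email attachment item in the checklist above (this is example code written for this page, not LBMC's tooling or part of the downloadable checklist), the following Python script parses an inbound message and reports any attachment that violates a .exe/.zip policy. It goes one step beyond the checklist wording by also opening .zip attachments and flagging executables hidden inside them, a common way to slip a payload past a filter that looks only at the outer file name. The sample message, the sender and recipient addresses, and the attachment names are constructed for the example, and the set of executable extensions is an assumed policy choice.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions the checklist says should not be delivered at all.
BLOCKED_EXTENSIONS = {".exe", ".zip"}

# Executable types to look for inside a .zip archive (assumed policy choice,
# not from the original article).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".dll"}


def _ext(name: str) -> str:
    """Return the final extension of a file name, lower-cased.

    Using the last dot means 'invoice.pdf.exe' is reported as .exe, so the
    double-extension trick does not fool the check."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _attachments(msg: Message):
    """Yield (filename, part) for every non-container part that carries a name."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            yield filename, part


def find_blocked_attachments(raw: bytes):
    """Return a list of (filename, reason) tuples for attachments that violate policy.

    An empty list means the message may be delivered."""
    msg = message_from_bytes(raw)
    findings = []
    for filename, part in _attachments(msg):
        ext = _ext(filename)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, f"blocked extension {ext}"))
        if ext == ".zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for member in archive.namelist():
                        if _ext(member) in EXECUTABLE_EXTENSIONS:
                            findings.append(
                                (filename, f"archive contains executable {member}"))
            except zipfile.BadZipFile:
                # A .zip that does not parse is still not something to deliver.
                findings.append((filename, "malformed zip archive"))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample message: a harmless PDF plus a zip hiding an .exe.

    Everything here (addresses, names, contents) is made up for the example."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", b"MZ constructed, not a real executable")

    msg = MIMEMultipart()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.attach(MIMEText("Please see the attached files."))

    report = MIMEApplication(b"%PDF-1.4 constructed sample", Name="report.pdf")
    report["Content-Disposition"] = 'attachment; filename="report.pdf"'
    msg.attach(report)

    bundle = MIMEApplication(zip_buf.getvalue(), Name="invoice.zip")
    bundle["Content-Disposition"] = 'attachment; filename="invoice.zip"'
    msg.attach(bundle)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_blocked_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Running the script reports the zip attachment twice: once for its blocked outer extension and once for the executable found inside it, while the PDF passes. In a real mail gateway the same function would run on each inbound message before delivery, with findings logged for the security team rather than only printed.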
Malware isn’t new. Ransomware isn’t new. However, ransomware that can spread as quickly as WannaCry, and the copycats that are sure to come, can be devastating.