Learn more about the recent ransomware attacks and how you should respond. 

By: Steve Snelgrove
Security Analyst
You may have heard about the massive cyber-attack that happened on Friday, involving ransomware and Windows systems. Many organizations were affected by this attack and many more are still vulnerable.

Here are a few answered questions about the WannaCrypt attack and what your business should do to combat it.

What happened?

On May 12, WannaCrypt, also known as WannaCry, was used in a very large cyber-attack that affected over 150 countries. Victims were told they could free their machines by paying the equivalent of US $300 in Bitcoin. The ransomware threatened to delete the files within 7 days if no payment is made.

Since then, the situation has been stabilized and the feared second wave of attacks has failed to happen.

The attack was contained by Marcus Hutchins, also known as Malware Tech, who registered a domain name to track the virus, which then stopped it from spreading. Since the malware relied on making requests to domains and ransoming the system when the connection wasn’t made, registering the domain essentially stopped the ransomware from spreading further. 

This sinkholing of the malware has stopped the rate of infection, though Hutchins warns that it may be only a temporary fix.

How does WannaCrypt spread?

The ransomware spreads through a vulnerability in the Server Message Block in Windows systems. The creators of WannaCrypt used the EternalBlue exploit and the DoublePulsar backdoor to create an entry in Windows systems.

Additionally, the malware was also spread through social engineering emails that tricked users to run the malware and activate the worm-spreading functionality with the SMB exploit. The malware itself was delivered in an infected Microsoft Word file that was sent in the email.

Who is affected?

Organizations that use Windows systems and have not yet patched the vulnerability are vulnerable to this attack.

Over 230,000 computers in 150 countries were crippled worldwide. Healthcare organizations in particular were affected by this ransomware, including many National Health Services hospitals in England.

What should organizations do?

WannaCrypt affects all Windows systems that haven't been updated to the latest version, or haven't had the vulnerability patched.
If you have a Windows system, update it as soon as possible.
You should stop using older versions of Windows right away.

If you have been attacked, experts advise that you don’t pay the ransom, since there is no guarantee that the hackers can even decrypt the encoded files after receiving the ransom payment.

It’s important to know that this attack likely won’t be the last one of its kind. This strand of ransomware attacks was released about two weeks ago, and it’s expected to increase through copycats.

SecurityMetrics is working on a solution that helps its customers identify whether or not their networks have communicated with known bad sites, which may lead to malware like ransomware. If you’re interested in learning more about this solution, email beta@securitymetrics.com

Need help with data security? Talk with one of our consultants!

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities includes the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.