Worldwide ransomware attack WannaCry hits NHS hospitals
16 May 2017
The WannaCry ransomware attack hit the world with a vengeance on Friday 12th May 2017, with the outbreak beginning in Europe, striking hospitals and other organisations, before rapidly spreading across the globe. As of 1:00pm Pacific Time, it is believed that more than 57,000 systems in more than 74 countries had been affected.
Following this global cyberattack that has now spread across over 150 countries and seriously affected organisations like the NHS, Prodec Networks’ IT Security Solutions Manager, Danny Williams, has posted the following message:
This is not a drill, or a phishing test.
We suggest you send the following to your employees, friends and family:
It’s been hard to avoid the news this weekend. Criminal hackers have released a new strain of ransomware that spreads itself automatically across all workstations in a network and has caused a global epidemic. If you or a co-worker are not paying attention and accidentally open one of these phishing email attachments, you might infect not only your own workstation but immediately everyone else's computer too. Be very careful when you get an email with an attachment you did not ask for. If there is a .zip file in the attachment, STAY CLICKCLEVER; do not click on it but delete the whole email.
Remember: "When in doubt, throw it out!"
Unknown cyber criminals have been spreading a strain of "ransomware" called WannaCry, also known as WanaCrypt0r 2.0, WannaCry and WCry. This form of attack is most commonly delivered via emails which trick the recipient into opening attachments to release malware onto their system. This technique is better known as phishing.
Once your computer has been affected, ransomware locks up your files and encrypts them in a way that means you’re unable to access them. It then demands payment in bitcoin in order for you to regain access. DO NOT PAY! Security experts warn there is no guarantee that access will be granted even after payment.
WannaCry exploits a vulnerability in Microsoft's Windows operating system. This vulnerability was patched by Microsoft on the 14th of March 2017, yet many organisations were yet to apply this patch. It’s very easy to miss these updates and patches, meaning vulnerabilities can remain open a lot longer than necessary, making it easier for hackers to get in.
If you have not done so already, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the "MS17-010" security update (link below). Stay vigilant, and remind all staff to be CLICKCLEVER; think before they click when they receive any out of the ordinary emails.
In the meantime, there are four things to watch out for when it comes to detecting WannaCry:
- Check for SMBv1 use
- Check for an increase in the rate of file renames on your network
- Check for any instances of the file @Please_Read_Me@.txt on your file shares
- Check for any instances of files with these extensions:
If your network has been infected by WannaCry or other ransomware, what should you do?
The WannaCry ransomware strain cannot be decrypted with free tools. Research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible unless the coders have made a mistake that has not been found yet.
Your best bet is to recover from backups, and if your backup fails or does not exist, try a program like Shadow Explorer to see if the ransomware did not properly delete your Shadow Volume Copies. If a user did not click "Yes" at the UAC prompt, there's a chance those are still available to start the recovery.
This is a bad one. Let's stay safe out there.
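The file-share checks in the detection list above can be scripted. The following is an added example, not part of the original message: `scan_share` looks for the ransom-note file name on a mounted share, and `rename_bursts` flags spikes in rename activity. The function names, the 60-second window, the threshold of 100 and the timestamp input format are assumptions, and the extension list must be supplied by the operator because it is not given on this page.

```python
import os
from collections import deque

RANSOM_NOTE = "@Please_Read_Me@.txt"  # note file name from the checklist above

def scan_share(root, extensions=()):
    """Walk a mounted file share and return {directory: [matching names]}.

    Always matches the ransom-note name; `extensions` is supplied by the
    operator from a trusted advisory (assumption: none are hard-coded here).
    """
    exts = tuple(e.lower() for e in extensions)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            lower = name.lower()
            if lower == RANSOM_NOTE.lower() or lower.endswith(exts):
                hits.setdefault(dirpath, []).append(name)
    return hits

def rename_bursts(timestamps, window=60, threshold=100):
    """Return [(start, end, peak)] for runs where more than `threshold`
    renames fall inside any `window`-second span. `timestamps` are epoch
    seconds from your own rename telemetry (hypothetical input format)."""
    recent, bursts, current = deque(), [], None
    for ts in sorted(timestamps):
        recent.append(ts)
        while recent[0] <= ts - window:      # drop events older than the window
            recent.popleft()
        if len(recent) > threshold:
            if current is None:
                current = [recent[0], ts, len(recent)]
            else:
                current[1], current[2] = ts, max(current[2], len(recent))
        elif current is not None:            # rate fell back under the threshold
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts

if __name__ == "__main__":
    # Constructed sample: one rename every 30 s, then 200 renames in 20 s.
    sample = list(range(0, 601, 30)) + [1000 + i // 10 for i in range(200)]
    print(rename_bursts(sample))             # flags the 1000-1019 s burst
    for directory, names in scan_share(".").items():
        print(directory, names)
```

Tune the window and threshold against normal rename activity on your own file servers before alerting on the result.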
Prodec Networks offers a full portfolio of security solutions designed to keep you and your business safe from the threat of ransomware. For more information, please do not hesitate to get in touch or feel free to check out www.clickclever.co.uk, a library of insightful resources that have been created to help protect your business from cyberattacks.