Safeguarding your technology assets has become more critical than ever before. Following the global outbreak on Friday, many large corporations have reported ransomware infections involving WannaCry 2.0, and other ransomware strains that reuse the same exploit as WannaCry 2.0 are being reported as well.
What is ransomware?
Ransomware is a type of malware that encrypts files and disks or locks computers. The attacker then demands a ‘ransom’ in exchange for a decryption tool or key. The ransom has to be paid within a stipulated time, usually in bitcoin. At the time of writing, 1 bitcoin is worth US$ 1734.76.
In our previous blog post in January 2016, Ransomware malware: a rising threat to businesses, we highlighted how ransomware is turning out to be a nightmare for companies, many of which had previously only experienced the consequences of a simple virus infection.
It is believed that an estimated 30% of ransomware victims pay the attackers to regain access to their data.
WannaCry 2.0 exploits a vulnerability in the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft released a patch for this vulnerability in March 2017 (security bulletin MS17-010); the worm spreads over the network to any reachable machine where that patch has not been applied, without any action by the user. Once on a machine, WannaCry encrypts each file with AES-128 and protects the AES keys with RSA, so without the attackers’ private key the data cannot be recovered.
WannaCry is also known as Wanna Decryptor, WanaCrypt, WCry and WanaCrypt0r. Encrypted files have their extension changed to .wnry, .wcry, .wncry or .wncrypt.
What can you do if your system is already infected?
If the ransom note shown below appears on your screen, or the extensions of important files have changed, then unfortunately you are a victim of this ransomware.
[Screenshot of the WannaCry 2.0 ransom note. Source: EY research]
You can undertake the following steps immediately to mitigate the impact:
- Disconnect all network connections and external storage immediately
- Shut down the computer and inform your IT team. Disconnecting from the network is the urgent step; whether to power the machine off or leave it running so that its memory can be examined is a call your IT or incident response team should make
- Do not pay any ransom to the attacker: this fuels the illegal ecosystem and there is no guarantee that you will get your data back. Consult legal, forensic or cyber experts before making a decision
- Safeguard your backups and have them ready for when the experts arrive; do not connect backup media to the infected machine
To help businesses avoid falling prey to cyber criminals, EY Fraud Investigation & Dispute Services launched a Ransomware defence and remediation tool (Radar 360) in 2016, directed at protecting digital assets (computers and laptops). The solution assists both in mitigating potential attacks and in recovering encrypted data.
EY’s Radar 360 has two main components, one proactive and one reactive. The proactive ‘Defence’ module protects computers against ransomware and malware; its framework, ‘EY Radar defence diagnostic’, assists businesses in measuring and rectifying issues relating to procedures, technical controls and overall awareness of such complex cybersecurity threats, along with setting up an incident response plan. The reactive module, ‘EY Radar remediation’, recovers lost data after a ransomware attack.
On EY Radar 360, Roger Tyler, Chief Executive Officer, Blink Medical, a high-tech medical device manufacturer in the UK, said, “Ransomware is a serious threat that can disrupt business operations. We engaged EY to help us implement necessary technology and processes to protect our business operations from such cyber threats. By using EY’s unique solution, Blink Medical has been successful in dealing with ransomware and protecting our business against such complicated threats. We are now prepared to effectively deal with and respond to such incidents in future.”
Here are some indicators of compromise (IoCs) related to WannaCry 2.0 that can be loaded into your detection and blocking tools.
[Table of WannaCry 2.0 indicators of compromise. Source: EY research]
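As an added example (not part of the original post, and not EY’s Radar tooling), the PowerShell sweep below looks for the artefacts this post does describe: files whose extension has been changed to .wnry, .wcry, .wncry or .wncrypt. It also accepts a list of SHA-256 hashes so that file-hash IoCs from your own threat-intelligence feed can be checked in the same pass; the hash list and the default root path are assumptions, and the script itself does not claim to know any WannaCry hashes.

```powershell
# Added example, not from the original post: sweep a directory tree for the
# WannaCry 2.0 artefacts the post lists (renamed-file extensions) and,
# optionally, for executables whose SHA-256 matches your own IoC feed.
# Run from an elevated prompt so that every user profile is readable.
param(
    [string]$Root = "C:\Users",      # assumption: scan the user profiles
    [string[]]$IocSha256 = @()        # assumption: hashes from your IoC feed
)

# Extensions WannaCry 2.0 gives to encrypted files, as listed in the post.
$script:RansomExtensions = @(".wnry", ".wcry", ".wncry", ".wncrypt")

function Find-WannaCryArtefacts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Hashes = @()
    )
    $hits = New-Object System.Collections.Generic.List[object]
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ext = $_.Extension.ToLowerInvariant()
            if ($script:RansomExtensions -contains $ext) {
                $hits.Add([pscustomobject]@{
                    Path = $_.FullName; Reason = "ransomware extension $ext"; Sha256 = $null })
                return   # next file
            }
            # Only hash executables: hashing every document is slow, and the
            # dropper and its payload are PE files.
            if ($Hashes.Count -gt 0 -and ($ext -eq ".exe" -or $ext -eq ".dll")) {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($h -and ($Hashes -contains $h)) {
                    $hits.Add([pscustomobject]@{
                        Path = $_.FullName; Reason = "SHA-256 matches IoC list"; Sha256 = $h })
                }
            }
        }
    return $hits
}

$results = @(Find-WannaCryArtefacts -Path $Root -Hashes $IocSha256)

if ($results.Count -eq 0) {
    Write-Output "No WannaCry 2.0 artefacts found under $Root on $env:COMPUTERNAME"
} else {
    # Group by folder: a directory full of .wncry files means encryption has
    # already run there, so the host must be isolated from the network first.
    $results | Group-Object { Split-Path $_.Path -Parent } |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    $results | Export-Csv -Path ".\wannacry-sweep-$env:COMPUTERNAME.csv" -NoTypeInformation
    Write-Warning ("{0} suspicious file(s) found; isolate {1} from the network now" -f $results.Count, $env:COMPUTERNAME)
}
```

Run it as `.\Find-WannaCry.ps1 -Root D:\Shares -IocSha256 (Get-Content .\iocs.txt)` to sweep a file server against a hash list, one hash per line. A handful of hits in one user’s folder usually means that user opened something; hits spread across many shares means the worm is already moving and the SMB blocking steps later in this post are overdue.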
If you are not a victim of ransomware, don’t breathe a sigh of relief just yet! Cyber-attacks will continue to escalate, and companies should take preventive steps now to protect their IT assets against this malicious infection. Some of the key steps to protect the company against ransomware include:
- Block inbound SMB and Remote Desktop Protocol (RDP) access to all computers from the internet: TCP ports 445 and 139 for SMB and 3389 for RDP should be blocked at the perimeter
- Block SMB for the time being within the company through Group Policy or your endpoint security solution, and disable SMBv1 in particular, since that is the protocol version the exploit targets
- Stop granting privilege escalation requests from users who want to run an unknown program as an administrator
- Ensure all operating systems are fully patched. Any unsupported or outdated operating systems should either be upgraded or reconfigured to stop SMB and RDP; Microsoft has also issued an out-of-band patch for this vulnerability for otherwise unsupported versions such as Windows XP and Server 2003
- Issue a notice to all employees not to open unknown attachments or emails and, if in doubt, to read emails on their mobile devices without opening the attachments
- Disable Office macros through Group Policy
- Make sure all backup solutions are safeguarded. Encourage users to back up their data immediately to a removable, encrypted hard drive and to keep it disconnected in a safe place. No IT administrator or employee should have backup drives mapped to their computers with write access. Only the backup software, running under its own dedicated user account, should have write access to the backup media; users should have read access only
- Make sure every endpoint and server runs the latest version of a reputable endpoint security solution with up-to-date definitions
- Enable scanning of all attachments at your endpoints and email gateways
- Disable UPnP on all your gateways, firewalls, routers and proxy servers
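As an added example (not from the original post), the following PowerShell script applies the host-side parts of the list above on a single Windows machine: it disables SMBv1, blocks inbound SMB and RDP with Windows Firewall, disables Office macros through the same policy registry values a Group Policy would set, and reports the version of the SMB driver so the patch status can be checked. It is meant as a quick check-and-fix for one host; the fleet-wide route is Group Policy. The rule names, the Office version key (16.0 is Office 2016) and the use of the Windows Firewall ‘Public’ profile as the proxy for “the internet” are assumptions to adapt to your environment.

```powershell
# Added example, not from the original post: per-host hardening for the
# steps listed above (SMBv1 off, SMB/RDP blocked from untrusted networks,
# Office macros disabled). Run as Administrator. Rule names, the Office
# version key and the use of the 'Public' firewall profile to stand in for
# "the internet" are assumptions; adapt them to your environment.
#Requires -RunAsAdministrator

function Disable-Smb1 {
    # The exploit used by WannaCry targets SMBv1, so turning that protocol
    # version off removes the attack surface even before the patch is applied.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry value Microsoft documents for older systems (Windows 7 /
    # Server 2008 R2) that lack the SMB cmdlets; takes effect after a reboot.
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    New-ItemProperty -Path $p -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    # On Windows 8.1/10 the SMBv1 feature can be removed altogether.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-SmbAndRdp {
    param([switch]$BlockSmbInternally)   # the post's "for the time being" measure
    # Windows Firewall evaluates Block rules before Allow rules, so these
    # override any existing File and Printer Sharing or Remote Desktop allow rules.
    $rules = @(
        @{ Name = "WannaCry: block inbound SMB 445"; Port = 445;  Profile = "Public" },
        @{ Name = "WannaCry: block inbound SMB 139"; Port = 139;  Profile = "Public" },
        @{ Name = "WannaCry: block inbound RDP 3389"; Port = 3389; Profile = "Public" }
    )
    if ($BlockSmbInternally) {
        # Also block SMB on Domain and Private networks. This breaks file and
        # printer sharing to this host, which is the point of the temporary measure.
        $rules[0].Profile = "Any"; $rules[1].Profile = "Any"
    }
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Set-NetFirewallRule -DisplayName $r.Name -Profile $r.Profile -Enabled True
        } else {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -Profile $r.Profile -Action Block | Out-Null
        }
    }
}

function Disable-OfficeMacros {
    # Same values a GPO sets under User Configuration > Administrative Templates
    # > Microsoft <app> > Application Settings > Security > Trust Center.
    # VBAWarnings 4 = disable all macros without notification;
    # blockcontentexecutionfrominternet 1 = block macros in files downloaded
    # from the internet (Office 2016). HKCU applies to the current user only.
    $officeVersion = "16.0"   # assumption: Office 2016
    foreach ($app in "Word", "Excel", "PowerPoint") {
        $p = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $p -Force | Out-Null
        New-ItemProperty -Path $p -Name VBAWarnings -PropertyType DWord -Value 4 -Force | Out-Null
        New-ItemProperty -Path $p -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-HardeningStatus {
    # Summary for the change ticket. Compare SrvSysVersion with the fixed
    # version Microsoft lists for your build in the MS17-010 bulletin: if it is
    # older, the host is still exploitable and patching comes before everything else.
    $smb1 = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else { "unknown (no SMB cmdlets; check the SMB1 registry value)" }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Smb1Enabled   = $smb1
        SrvSysVersion = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue).VersionInfo.FileVersion
        BlockRules    = @(Get-NetFirewallRule -DisplayName "WannaCry:*" -ErrorAction SilentlyContinue |
                          Where-Object { $_.Enabled -eq "True" }).Count
        LastHotfixOn  = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    }
}

Disable-Smb1
Block-SmbAndRdp -BlockSmbInternally
Disable-OfficeMacros
Get-HardeningStatus | Format-List
```

Drop the `-BlockSmbInternally` switch on file servers that must keep serving shares to the corporate network; for those, the perimeter block plus the SMBv1 disable is the practical minimum until the patch is confirmed installed. The UPnP step is a change on your network equipment, not on Windows hosts, so it is not covered here.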
As a user, you can do the following to protect your system:
- Disconnect from the internet and take a backup of all your data on an encrypted, removable hard drive. Disconnect the hard drive and keep it at a secure location after the backup is completed.
- Do not open attachments from unknown sources, and do not download or open unauthorized software
- Do not check your personal email on a company computer, as most free email services do not have the advanced attachment scanning your company email gateway provides
- If you notice unusual hard drive activity on your computer, shut it down immediately and notify your IT administrator
- Do not enable macros in Office documents, and heed the warnings and alerts the software shows