The recent Ransomware attack is a timely reminder of the importance of data and cyber security.
In the wake of the Wana Decryptor/WanaCryptor Ransomware cyber-attack infecting a huge number of organisations across the globe, businesses have no doubt been left wondering how such a devastating incident could occur and what they need to do to protect themselves against future events.
The vulnerability was claimed to have been leaked by a group known as the ‘Shadow Brokers’, a Russian cyber group claiming to have leaked the National Security Agency’s (NSA) hacking tools in April. One of these tools, known as “Eternal Blue”, is the method of infection in this incident.
The NSA developed its “Eternal Blue” hacking weapon to gain access to computers used by terrorists and enemy states, but in a twist, the Shadow Brokers stole this hacking tool. The gang in turn ‘dumped’ the information online on April 14, and it was subsequently picked up by a separate cyber gang which used it to gain remote access to computers, including systems that brought parts of the NHS to a standstill.
Well over 200,000 computers across 100 countries worldwide were affected in just two days, with some of the later versions able to take over hundreds of thousands of unpatched computers without any disruption.
To date, the criminals behind the Ransomware attack have received around 100 payments from suspected victims, seen to total 15 Bitcoins, or £20,242.07 – a figure which is set to increase over time.
The domain used by the Ransomware was responsible for keeping WannaCry spreading. Fortunately, a security researcher by the name of ‘MalwareTech’ registered the domain and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control. This brought a halt to the attack by acting as a type of ‘kill switch’.
Despite this measure, further repercussions could be felt, as it is being reported that the cyber criminals have launched “WannaCry 2.0” with no ‘kill switch’ functionality. The attack leverages the Windows SMB exploit to target computers and servers running unpatched or unsupported versions of Windows, spreading itself like a worm to infect other vulnerable systems in an internal network.
New and improved variants are now appearing. Costin Raiu, Global Research and Analysis Director at Kaspersky Lab, has reported the arrival of WannaCry 2.0 variants without a kill-switch function. Further Ransomware attacks are expected to be imminent and would be difficult to stop until all vulnerable systems are patched.
Protect your organisation
Users and organisations have been strongly advised to install available Windows patches as soon as possible, and consider disabling SMBv1 to prevent similar future cyber-attacks. Additionally, Microsoft has released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The update can be downloaded from here.
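One way to check whether SMBv1 is still enabled on a Windows host, and to turn it off, is sketched below. This is an added example, not part of the original article or any vendor's tooling; the `-Disable` switch and the output field names are this sketch's own, and it assumes an elevated PowerShell session.

```powershell
# Added example: report whether SMBv1 is enabled on this host; pass -Disable to turn it off.
# Run in an elevated PowerShell session. -Disable and the field names are this sketch's own.
param([switch]$Disable)

$status = @{ Computer = $env:COMPUTERNAME }
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# SMB server component
if ($hasSmbCmdlets) {
    # Windows 8 / Server 2012 and later expose the setting directly
    $status.ServerSMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Older systems: SMB1 registry value; a missing value means SMBv1 is enabled
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $status.ServerSMB1Enabled = ($null -eq $val) -or ($val -ne 0)
}

# Optional Windows feature that carries the SMBv1 binaries (not present on every version)
$feature = $null
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    $status.FeatureState = [string]$feature.State
} catch {
    $status.FeatureState = 'Unknown (feature query not supported on this system)'
}

if ($Disable) {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry change takes effect after a reboot
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    $status.Action = 'SMBv1 disable requested; reboot to complete'
}

# Emit one object per host so results can be collected and compared across machines
New-Object PSObject -Property $status
```

Run it without arguments first to see which machines still accept SMBv1, and confirm that no legacy device depends on the protocol before running it with `-Disable`.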