
WannaCry Ransomware Cyber Attack: What You Need To Know

May 15, 2017

On May 12th, 2017, a widespread global ransomware attack began spreading through vulnerabilities in the Windows operating system. It has struck over 150 countries and a broad range of industries. More than 45,000 attacks have been recorded so far, with victims ranging from the UK National Health Service to FedEx.

It has yet to be discovered who is behind the attack. However, a twenty-two-year-old cyber security researcher registered a domain name hidden in the malware, which has, for now, stopped the spread of the attack. This has given organizations in the US more time to develop immunity to the attack. The attack is likely not over: cyber criminals often change the code and start again. Microsoft released a patch (a software update that fixes the problem) for this Windows flaw in March 2017, but pirated copies and computers that have not installed the security update remain vulnerable.

Since it is random, scattered and broad, it is hard to know where it may hit next. It is important that all organizations patch their Microsoft operating systems before they are infected.

What happens when your computer is compromised by ransomware?

After a security weakness is exploited, or a malicious link in your email is clicked, the ransomware installs itself and encrypts some or all of the files on your computer with a secret key, so you can no longer open them.

In order to decrypt your files so you can use them again, you must pay an amount of money to the attacker. This is usually paid in bitcoin. Once you have paid, the attacker gives you a key with which to decrypt your files. Keys are typically specific to your computer, so a different key must be used on each system that has been infected with ransomware.

If you’ve been hit by WannaCry ransomware, you’ll see the following on your screen: “Oops, your files have been encrypted!”

What’s to be learned about WanaCrypt0r 2.0/WannaCry?

1.) Ransomware is a real threat, much like credit card theft, electronic banking hacks, and electronic espionage.

2.) If you haven’t already, patch your Microsoft Windows systems immediately. More information can be found here.

How can you protect yourself and your organization?

Your organization can protect itself by following the golden mantra of update, educate, and separate:

“Update”

Be vigilant about updating your systems. Do this religiously.

You may not always care about minor bug fixes or features, but you should always keep major apps, programs and operating systems such as Windows, browsers and PDF readers up to date. Set up automatic updates and/or calendar reminders.

“Educate”

Keep your leadership team, employees and users up to date on security best practices.

49% of data breaches are caused by malicious or criminal attacks, and 19% are related to employee negligence (Source: Cost of Data Breach Study by the Ponemon Institute).

A lot of ransomware is simply emailed to people, and requires them to click on a link in order for the computer to be infected. This is commonly called “phishing”. Once users know how to recognize links and attachments, and to be distrustful of them, the chances of ransomware taking hold of your environment quickly diminish.

Gain support from your senior leadership by knowing the business risks and consequences to the company of a data breach. Ensure your employees are not using pirated software and that all software is up to date. Educate and train your employees on how to handle confidential information and email safely. Commit to security best practices as an organization.

“Separate”

Architect your network such that it is much harder for an attacker to move around.

A strong firewall on the perimeter is worthless once the attacker and his/her ransomware are in the door and have free rein inside. So build a network of levees, so security breaches don’t spill over from one segment to the next.

Keep your network healthy — hunt for compromises daily.

Once your daily defenses are in decent shape, hunt for compromises daily. It is important to realize you are fighting a human attacker, who is smart about the defenses you could have in place.

Collect flow data from all routers and switches in your network, and let a behavior anomaly detector do its work. Collect logs from all servers, access points, and workstations. Hunt for obvious malicious activity, investigate each anomaly, and watch for movement of large amounts of data on your network.
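As an added example (not from the original post, and not FlowTraq's own code), here is a small hunting script over constructed flow records of the kind collected from routers and switches: it flags an internal host that fans out to an unusual number of internal peers, and a host that moves a large volume of data out of the network. The 10.0.0.0/8 internal range, the thresholds and the sample records are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as "inside" the network (an assumption for this example).
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records: (source IP, destination IP, bytes sent).
# A worm-like infection shows up as one host touching many internal peers;
# data leaving the network shows up as a large outbound byte count.
FLOWS = [("10.0.1.20", "10.0.0.5", 4_200), ("10.0.1.20", "10.0.0.9", 1_100),
         ("10.0.2.7", "203.0.113.5", 650_000_000),   # large outbound transfer
         ("10.0.3.3", "198.51.100.10", 20_000)]      # ordinary web traffic
# One workstation contacting 30 distinct internal hosts with tiny flows.
FLOWS += [("10.0.1.15", f"10.0.5.{i}", 300) for i in range(1, 31)]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def internal_fan_out(flows):
    """Number of distinct internal destinations contacted by each internal source."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def outbound_bytes(flows):
    """Bytes each internal host sent to destinations outside the network."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def hunt(flows, fan_out_limit=20, egress_limit=500_000_000):
    """Return (host, reason) alerts that deserve an analyst's attention."""
    alerts = []
    for host, n in internal_fan_out(flows).items():
        if n >= fan_out_limit:
            alerts.append((host, f"contacted {n} internal hosts (possible lateral spread)"))
    for host, total in outbound_bytes(flows).items():
        if total >= egress_limit:
            alerts.append((host, f"sent {total} bytes outside the network"))
    return alerts

if __name__ == "__main__":
    for host, reason in hunt(FLOWS):
        print(f"ALERT {host}: {reason}")
```

Thresholds should be tuned per segment from a baseline of normal traffic; a file server legitimately talks to many peers, a workstation usually does not.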

There is no such thing as a 100% secure network, but by doing this legwork you are well on your way to keeping ransomware off your network.

Gain visibility on your network around the clock and set up alerts. Learn more about FlowTraq Cyber Threat Hunting.