On Friday, May 12, 2017, a malicious ransomware program known as WannaCry was discovered infecting computer systems all over the world. It set off alarms globally, and so far has infected over 200,000 computers across more than 150 countries. Victims include Deutsche Bahn (Germany’s train system), FedEx, Spain’s telecom system Telefonica, and England’s National Health Service. While a web security researcher fortuitously discovered a “kill switch” that appears to have slowed the spread of WannaCry, the speed and efficiency with which it has spread over just the past week has worried cybersecurity experts and again raised public awareness of ransomware and other cyber threats.
What is WannaCry?
WannaCry (aka WannaCrypt0r, aka WCry) is a malicious software worm that exploits vulnerabilities in computers running unpatched older versions of the Microsoft Windows operating system – essentially any version before Windows 10. Malware like WannaCry is called ransomware because it holds the user’s data hostage by encrypting the user’s hard drive and preventing the user from accessing data or programs on the infected computer. The hacker demands that the user pay a ransom in exchange for the encryption key to unlock the user’s hard drive. In the case of WannaCry, the hackers have typically demanded payment within a few days, via the digital currency Bitcoin, in an amount ranging from $300 to $600.
It is important to note that payment of the ransom does not guarantee that encrypted files will be restored; in fact, according to an alert from the United States Computer Emergency Readiness Team (US CERT), payment of ransom does not remove the malware from the user’s computer, and leaves the computer susceptible to a further attack.
To date, a total of 238 payments totaling $72,144.76 have been transferred to the three Bitcoin wallets identified by the WannaCry ransomware. Aside from the payment amounts, WannaCry has caused an unknown—and likely immeasurable—amount of business and economic disruption all over the world.
Where and How Did WannaCry Originate?
According to published reports, hackers behind the WannaCry malware apparently used a stolen tool reportedly developed by the National Security Agency (NSA) to exploit the weakness in the Windows operating system. The tool was one of many linked to the NSA that were leaked online last year, then finally decrypted in April for use by anyone with the requisite coding skills.
In light of this origin story, earlier this week Microsoft’s President and Chief Legal Officer called out the practice of governments stockpiling software vulnerabilities, given the demonstrated risk that they will be leaked or stolen and ultimately cause far-reaching harm:
“…this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Wow. (And on a similar note, two U.S. Senators have already introduced legislation — the “PATCH Act” — that would theoretically require government agencies to disseminate information about software vulnerabilities so that patches could be applied before the flaws can be exploited.)
Cybersecurity experts suspect that phishing emails are responsible for the initial intrusion of the WannaCry malware into many of the infected computers. Once infected, the WannaCry ransomware self-proliferates through a computer network by exploiting a particular vulnerability in the Microsoft Windows operating system. Even though Microsoft released a patch in March 2017 to address that vulnerability, the patch was not made available back then to many users still running older versions of Microsoft Windows such as Windows XP, which Microsoft stopped freely supporting in April 2014; compounding the problem, some users likely failed to install the patch when it became available. Since the spread of WannaCry, Microsoft has issued free security updates for older systems (including Windows 8 and XP) to protect against WannaCry.
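Because a worm that spreads through the SMB service has to reach many machines on TCP port 445 in a short time, and ordinary workstations rarely do that, this propagation pattern is visible in firewall or NetFlow-style connection logs even before any file is encrypted. The script below is an added example, not code from the original post or from any vendor: it reads constructed sample log lines in a made-up "timestamp source destination port protocol" format, counts how many distinct hosts each source contacts on TCP/445 inside a sliding time window, and flags sources that exceed a threshold. The threshold and window values are illustrative assumptions to be tuned per network.

```python
"""Flag worm-like SMB fan-out in connection logs (added example, not from the post).

Log format, threshold and window are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

SMB_PORT = 445


def constructed_log():
    """Build sample log lines (constructed data, not real traffic)."""
    lines = []
    # Infected host sweeping twelve neighbours on 445 within eleven seconds.
    for i in range(1, 13):
        lines.append(f"2017-05-12T09:00:{i:02d} 10.0.1.25 10.0.1.{100 + i} 445 tcp")
    # Normal user: file server, printer, then a web site.
    lines += [
        "2017-05-12T09:00:05 10.0.1.40 10.0.1.5 445 tcp",
        "2017-05-12T09:00:09 10.0.1.40 10.0.1.6 445 tcp",
        "2017-05-12T09:00:12 10.0.1.40 203.0.113.10 443 tcp",
        # Repeated connections to one host must not count as new destinations.
        "2017-05-12T09:00:15 10.0.1.41 10.0.1.5 445 tcp",
        "2017-05-12T09:00:16 10.0.1.41 10.0.1.5 445 tcp",
    ]
    # Slow sweep: twelve hosts, one every two minutes; only a wide window catches it.
    for i in range(12):
        lines.append(f"2017-05-12T09:{10 + 2 * i:02d}:00 10.0.1.50 10.0.1.{200 + i} 445 tcp")
    return lines


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_smb_fanout(lines, threshold=10, window_seconds=60):
    """Return {src: {"distinct_hosts", "window_start", "window_end"}} for every
    source that reaches at least `threshold` distinct hosts on TCP/445 within
    any `window_seconds`-long sliding window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) still inside the window
    alerts = {}
    for ts, src, dst, dport, proto in events:
        if dport != SMB_PORT or proto != "tcp":
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop connections older than the window; q keeps the current event, so it never empties.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            prev = alerts.get(src)
            if prev is None or len(distinct) > prev["distinct_hosts"]:
                alerts[src] = {
                    "distinct_hosts": len(distinct),
                    "window_start": q[0][0],
                    "window_end": ts,
                }
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_fanout(constructed_log()).items():
        print(f"ALERT {src}: {info['distinct_hosts']} distinct SMB targets "
              f"between {info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}")
```

With the defaults only the fast sweeper is reported; the slow sweeper shows how the window trades detection speed against false positives, and lowering the threshold to 2 starts flagging the ordinary user who touched a file server and a printer, which is why the values need tuning against a baseline of normal SMB usage.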
How Do I Respond to a Ransomware Attack?
While users and companies in the United States—compared to those in other countries—have been relatively fortunate with regard to the outbreak of WannaCry, the threat still looms large. If your computer system becomes infected with ransomware like WannaCry, the FBI recommends that you (among other things):
Isolate the infected computer immediately.
Isolate or turn off computers that have not yet been infected, particularly if they are connected to the same network as an infected computer.
Secure backup data or systems and take them offline immediately.
If possible, change account and network passwords and delete registry values and files.
Contact law enforcement.
The FBI specifically requests that you report your ransomware incident by filing a complaint with the Internet Crime Complaint Center at www.IC3.gov and provide certain information such as the ransomware variant, how the infection occurred, the Bitcoin wallet address, etc.
As for deciding whether to pay the ransom to regain access to the computer and data, that choice rests with each victim. Those who did not back up their now-encrypted data may feel compelled to roll the dice and pay the ransom in the hope that the encryption key will be provided in response. It bears repeating, however, that there is no guarantee that a ransom payment will result in regaining access to your data or computer. And once a business demonstrates a willingness to pay the ransom, it may encourage further attacks. As federal cybersecurity experts at US-CERT have accurately noted: “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
Another consideration for businesses is whether (or when) to involve legal counsel to address and respond to a ransomware attack. While not all situations call for attorney involvement, immediately retaining outside counsel may assist the decision makers of the company to consider the various legal and regulatory issues before acting, understand the ramifications of their decisions, and potentially benefit from the protection of the attorney-client privilege throughout the course of the investigation (and potentially as to future litigation regarding the incident).
How Can I Reduce the Risk of Ransomware?
While no Internet-connected computer system is ever completely secure, there are some steps to consider for better protecting your computers against ransomware like WannaCry. The cybersecurity experts at US-CERT recommend the following actions specifically for the WannaCry malware, but they also apply in general to help reduce ransomware threats:
Apply the Microsoft patch for the MS17-010 SMB vulnerability dated 3/14/17.
Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
Test your backups to ensure they work correctly upon use.
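The second recommendation above relies on published DNS records: SPF lists which addresses may send mail for a domain, and DMARC tells receivers what to do when a message fails. Whether those records actually protect a domain depends on how they are written, and a record ending in "+all" or a DMARC policy of "p=none" provides no enforcement at all. The script below is an added example, not code from the original post or from US-CERT: it evaluates an SPF record against a sending IP using the ip4, ip6 and all mechanisms (mechanisms that need DNS lookups, such as include, a and mx, are treated as non-matching so the script runs offline, which is a simplification of the real SPF algorithm) and reports whether a DMARC record is enforcing. All records and IP addresses are constructed sample values.

```python
"""Check SPF and DMARC records for real enforcement (added example, not from the post).

Offline simplification: only ip4/ip6/all mechanisms are evaluated; include, a,
mx and exists would need DNS and are treated as "no match". Sample records and
addresses are constructed.
"""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records for a hypothetical domain.
SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SPF_WEAK = "v=spf1 ip4:192.0.2.0/24 +all"          # "+all" lets anyone pass SPF
DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for token in parts[1:]:
        qualifier = "+"                       # SPF default qualifier is "+"
        if token[0] in QUALIFIER_RESULT:
            qualifier, token = token[0], token[1:]
        if "=" in token:                      # modifiers (redirect=, exp=) are skipped here
            continue
        name, _, arg = token.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip against the record.
    Terms are evaluated left to right; the first matching term decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue                      # malformed argument: treat as no match
            if ip in net:                     # mixed IPv4/IPv6 comparison is False
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        # include/a/mx/exists would require DNS; treated as no match offline.
    return "neutral"                          # no term matched and no "all" present


def spf_is_open(record):
    """True when the record ends in "+all" (or "?all"): any sender passes, so
    the record does not prevent spoofing."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return qualifier in ("+", "?")
    return True                               # no "all": unmatched senders are neutral


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_enforcing(record):
    """True when the policy asks receivers to quarantine or reject failing mail."""
    return parse_dmarc(record).get("p", "none").lower() in ("quarantine", "reject")


if __name__ == "__main__":
    for label, spf in (("strict", SPF_STRICT), ("weak", SPF_WEAK)):
        print(label, "spoofed sender 198.51.100.7 ->", evaluate_spf(spf, "198.51.100.7"),
              "| open record:", spf_is_open(spf))
    print("DMARC enforcing:", dmarc_enforcing(DMARC_ENFORCING), dmarc_enforcing(DMARC_MONITOR_ONLY))
```

The useful check for a defender is the combination: a strict SPF record with "-all" plus a DMARC policy of quarantine or reject is what actually stops a spoofed message from reaching an inbox, whereas a monitoring-only DMARC policy still delivers the mail and merely reports on it.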
WannaCry is not the first, and it certainly will not be the last, ransomware threat to individuals, businesses and their computers. Rather, WannaCry has only proved that ransomware remains a persistent cybersecurity threat to every device connected to the Internet. As with other types of malware threats, experts recommend that the best way for you and your business to reduce the risk of a nightmare scenario like a ransomware attack—which would certainly make you want to cry!—is to stay informed, be alert and regularly undertake appropriate preventative steps.