The global WannaCry ransomware highlights the importance of cybersecurity

May 16, 2017 at 10:30

As reported on May 12, 2017 a ransomware variant called WannaCry became quickly famous after striking various companies and organizations around the world. According to the latest estimates, the ransomware has hit over 230,000 computers in 150 countries being far and away the most severe malware attack this year and the largest global ransomware attack in Internet history. Even if the ransomware seems severe globally, the situation, however, is much different and under control in the Nordic countries due to the fact that the level of information security is higher in general.

Ransomware like WannaCry works by encrypting files on a user’s computer. Then, the software demands a ransom to be paid in Bitcoins in order to have the files decrypted. If the victim refuses to pay WannaCry will delete all of the encrypted files and all data will be lost.

What makes WannaCry so fast-spreading and unique, is the fact that it does not require any user interaction to activate the ransomware as it spreads from machine to machine as a worm-like trojan. It utilizes a malware technique that was common in the beginning of 21st century but exploits a fresh vulnerability in Microsoft Windows operating system. The usage of a worm feature is not surprising as it seems that the ransomware was put together by a bunch of amateurs that had utilized components developed by others or stolen by third parties from other sources such as NSA. All in all, it is quite visible that the attackers did not clearly understand the logic of the extortion business and the situation is not under their control; the WannaCry hackers have received lots of attention from authorities but only a little money from the ransomware.

How to prevent being infected by WannaCry?

The first version of WannaCry was identified in February and Microsoft released a patch for the EternalBlue exploit used by the WannaCry in March - nearly two months before the initial attack.  Unfortunately organizations that lacked this security patch were affected. Therefore, it is of utmost importance to make sure that all your devices are patched for known vulnerabilities periodically. If you haven’t updated your Windows software recently, do it now. Microsoft has gathered patches for all currently supported versions of Windows which can be found here.

Back to the basics

Even though WannaCry was amateurish, it's very likely that in the future, we will see more corporate-targeted ransomware campaigns with worm features. Cybersecurity threats are complicated to deal with and especially this type of ransomware, but there is a lot one can do to be prepared. Let’s begin by getting the basics in place when it comes to cybersecurity. By this way organizations have far better chances of fighting against malware such as WannaCry.

Make sure that you have taken the following steps:

  1. Ensure that all your devices have up-to-date antivirus protection software in use.
  2. Make sure that you take backups on a regular basis, store those offline and test recovery continuously.
  3. Keep the software on all your devices up to date to prevent exploits.
  4. Ensure that you don’t have internal systems and services, such as SMB that was exploited by WannaCry, exposed to Internet
  5. As a rule, don’t open email attachments that are sent by someone you don’t know. Also disable macro scripts of all Office files.
  6. Limit the use of browser plugins. Disable commonly exploited ones, such as Flash Player and Silverlight, when you’re not using them.
  7. Make sure that your company’ personnel has the needed information how to deal with cybersecurity.

In case you suspect a malware, execute a thorough investigation including manual analysis and real-time investigation of the data that flows between your systems and assets in order to ensure your environment is not affected nor compromised. It is utmost important to react to the anomalies with highest precision and professionalism, which is the key to success, when detecting advanced and targeted attacks.

Related blogs

Petya Ransomware - The Second Coming of WannaCry

Petya ransomware has already been around for months as a more traditional malware that spreads through e-mail. The new developments in this case involve the addition of tips and tricks taken from WannaCry ransomware, the last big thing that hit the world close to a month ago. Instead of just relying on e-mail, the malware now targets actual vulnerabilities in autonomous fashion. The exploit coined Eternal Blue is also involved here in helping the malware spread.

by Nixu CDC
June 27, 2017 at 10:30

Petya Ransomware – FakeCry and Warnings from Ukraine

Story of Petya ransomware was starting to calm down already after making rounds during last week. Now, however, it seems that the story isn’t over yet. In the slipstream of Petya infections in Ukraine, a new ransomware dubbed FakeCry is now spreading. The new ransomware seems to spread from the same MeDoc service which was suggested as one of the initial sources of infections for Petya.

by Matti Suominen
July 6, 2017 at 08:00

Petya Ransomware – Not Ransomware After All

Developments on the Petya ransomware case are getting more and more interesting. We have covered the case over last few days as more information has become available. What initially looked like a ransomware is starting to look more like a malware intentionally designed to destroy data. While the malware goes a long way to look like it wants your money, it now looks like there is no mechanism to recover the data when the ransom is paid.

by Nixu CDC
June 29, 2017 at 11:30

Petya Ransomware – After the Smoke Clears

Originally published at 8:30 EET on June 28, 2017
Note that this article discusses current on-going events and some information may have changed since publishing.

Like with many current cybersecurity incidents today, discussion around Petya (or NotPetya as some have dubbed the case) has the entire global security community involved in the discussion. Our initial thoughts on the matter were already posted earlier:

by Nixu CDC
June 28, 2017 at 10:30

Defending against cyber threats with Security Operations Center

During the last weeks we have been very busy reshaping our Security Operations Center (SOC) to be part of a modern cyber defense center – Nixu Cyber Defense Center (CDC) service – asking ourselves what it takes to detect and contain the modern cyber threats. Traditionally the cyber defense has been largely built on signature-based detection.

by Ville Hollanti
September 22, 2015 at 10:30

Cyber(security) Monday special on eCommerce

To honor Black Friday last week our security testers listed "top" five eCommerce related security findings, which we decided to adequately publish on Cyber Monday!

So here they are.

by Nixu Blog
November 28, 2016 at 10:30