Monday, 15 May 2017

As we start Monday, organizations are likely having the same conversation after hearing about a major Ransomware attack over the weekend. What happened? What is WannaCry? Are we exposed? 

The WannaCry ransomware has exposed an ugly truth with IT security. When the basics are ignored due to putting off important updates or not wanting to spend money on anti-virus protection.

So, what happened?

The WannaCry Ransomware is a type of malicious software that blocks access to a computer or its files, demanding money to unlock the files.  Friday’s attack encrypted more than 200,000 computers in more than 150 countries, demanding a payment of $300. Researchers say payments won't help, as there is no way to actually track who has paid the ransom, and the decryption process requires personal interaction with the attackers. It's best to assume the files are lost unless there is a backup.

Making things worse, in addition to leveraging an exploit stolen form the NSA, Friday's attacks also included the installation of another stolen NSA tool – Double Pulsar – which leaves infected systems encrypted and exposed to remote attacks.

Warning for Monday: If you turn on a system without the MS17-010 patch and TCP port 445 open, your system can be ransomwared.

At the time of writing this, they have collected $53,453.58 USD in payments since Friday.

Updates, patches, anti-virus and blame

While Microsoft had released updates to patch the NSA exploits targeting SMB in March. However, these updates were for Windows Vista, Windows 7, Windows 8.1, and Windows 10, along with Windows Server 2008-2016. It was late Friday that Microsoft released patches for Windows XP and Server 2003. As solid paid anti-virus that blocks Ransomware would have also worked in preventing the spread.

Patching isn't a silver bullet

With many organizations like the NHS relying on Windows XP, which was discontinued from Microsoft's update cycle last year. Patching these systems is not always an option as they may have be relying on expensive medical devices that are using software not compatible with latest version of WIndows.

The silver lining

Most anti-virus vendors and endpoint protection vendors will detect Friday's variant of WannaCrypt, so new infections should be easier to flag. However, this doesn't mean the worst is over. Additional attacks are expected, which is why patching, disabling SMBv1, backups and paid anti-virus are so vital.

The WannaCry ransomware had slowed by late Friday partly due to a researcher who discovered the kill switch. All he had to do was register a domain because if the domain responds, WannaCry doesn't spread. Another variation on Sunday was stopped using a similar domain.

Kill Switch from Friday:
Kill Switch from Sunday:

Remember, payment won't recover the encrypted files. If backups aren't an option, you'll have restore the system and keep infected hard drive with hopes that there will be a decryption tool available in the weeks or months ahead.

Please ensure you update your system and have solid paid anti-virus. We recommend MalwareBytes Anti-Exploit ($49.95) and ESET Internet Security ($59.95).

Subscribe by email

Enter your email address:

Subscribe to more feeds

Trending Posts

Blog Archive


News (65) Web Hosting (48) security (25) Email (19) webmail (19) Advertising (15) Thexyz Cloud (14) Tutorials (13) Video (4) resellers (2)