The worst of the WannaCry ransomware attack that started Friday and spread around the world may be over, but there are still variants of the malware roaming the internet, looking for unsuspecting victims.
The attack is the kind of global ransomware event that is the stuff of cybersecurity experts’ nightmares. As expert Troy Hunt notes in a blog post about the attack, interest in ransomware has been on the rise for some time, and especially since early 2016.
The WannaCry attack, which uses malware stolen from a National Security Agency cyberweapon, underscores the need for businesses of all sizes, but small businesses in particular, to patch their vulnerabilities and make sure that their data is adequately backed up and protected. It also highlights the need to continually educate users about best practices to keep their data safe.
As of Sunday, the cyberattack had struck more than 200,000 computers in more than 150 countries, according to Rob Wainwright, the executive director of Europol, Europe’s police agency, The New York Times reports. The attack, which locked users out of their systems and networks and demanded a ransom of $300 worth of Bitcoin digital currency, crippled hospitals, businesses and government agencies.
There was no evidence on Monday of a second wave of attacks like the one that hit Friday, the BBC reports. Over the weekend, a 22-year-old cybersecurity researcher from England named Marcus Hutchins discovered and inadvertently activated a “kill switch” buried in the malware’s code. A new variant of the WannaCry attack surfaced on Monday, according to cybersecurity firm Check Point Software Technologies, but the firm stopped it by using the kill switch, Reuters reports.
The U.S. Computer Emergency Readiness Team sent out an alert on Friday warning about WannaCry, which exploits vulnerabilities in Server Message Block 1.0. As Forbes reports, according to CrowdStrike's vice president of intelligence Adam Meyers, WannaCry initially spread via email spam, “in which fake invoices, job offers and other lures are being sent out to random email addresses.” And “within the emails is a .zip file, and once clicked that initiates the WannaCry infection,” Forbes reports.
CERT warns that users should “be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).”
Users should also “exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments,” CERT cautions. The agency also says users should “follow best practices for Server Message Block (SMB) and update to the latest version immediately.”
Microsoft issued a patch against the vulnerability WannaCry exploits in March. However, users of older systems, whose software is no longer supported by regular security updates, normally need to pay Microsoft for “custom support” to get patches. On Friday, to inoculate users against the spread of WannaCry, Microsoft took the unusual step of issuing downloadable patches for customers running these older platforms — namely Windows XP, Windows 8 and Windows Server 2003.
Hunt notes that users should not turn off automatic security updates, because those updates deliver critical patches.
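As an added illustration of the SMB advice above (this is my own example, not code from the article, CERT or Microsoft), the following PowerShell audit reports whether the SMB1 protocol is still enabled on a Windows host and, only when run with the -Remediate switch, turns it off. It assumes Windows 8.1/10 or Windows Server 2012 R2 or later (where the SmbShare and Dism cmdlets exist) and an elevated session; the function names Get-Smb1Status and Disable-Smb1 are mine.

```powershell
#Requires -RunAsAdministrator
# Added example; assumes Windows 8.1/10 or Server 2012 R2+ with an elevated session.

function Get-Smb1Status {
    # Server side: the SMB server's protocol configuration (no reboot needed to read).
    $server = Get-SmbServerConfiguration
    # Component side: the optional SMB1 feature (client + server binaries).
    # On Windows Server this component is also visible via Get-WindowsFeature FS-SMB1.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'NotQueryable' }
        Smb2Enabled       = $server.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    param([switch]$Remediate)
    if (-not $Remediate) {
        Write-Host 'Report only; re-run with -Remediate to disable SMB1.'
        return
    }
    # 1. Stop the SMB server from speaking SMB1; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Remove the SMB1 component entirely; finishes after the next reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMB1 disabled; reboot to complete removal of the component.'
}

$status = Get-Smb1Status
$status | Format-List
if ($status.Smb1ServerEnabled -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMB1 is still enabled on this host.'
    Disable-Smb1   # add -Remediate to apply the change
}
```

Run it first without -Remediate on a representative host to see what would change, since legacy devices (old printers, NAS appliances) that only speak SMB1 will lose access once it is disabled.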
There has been a brisk debate over who is to blame for the spread of WannaCry. Certainly, organizations that can keep their software updated should do so. But many businesses can’t or choose not to for cost reasons. As ZDNet notes, “real-world organisations operate in the real world. Overworked systems administrators work within limited budgets. In many organisations, sad but true, the need for constant availability trumps security.”
In addition to ensuring applications and operating systems are patched with the latest security updates, CERT says organizations should “be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.”
Users should also avoid providing personal information or information about their organization, including its structure or networks, CERT says, unless they are certain of a person's authority to have the information. Similarly, users should “avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.”
Users should also install and maintain anti-virus software, firewalls and email filters to reduce the likelihood of malicious traffic reaching their inboxes, CERT notes.
A key element of any defense against ransomware is having backups of data. Users should have at least three physical copies of their data, in addition to their primary backup; store the copies in two different formats; and have one backup copy offsite. Usually that offsite copy is stored in the cloud.
If companies back up their data to the cloud, they should have that system back up data regularly. Some services, like Carbonite, do that automatically. If users are hit with an attack, the data can be restored easily.