Latest Threat – Executive Synopsis
What you need to know and what your IT folks probably already do
The ransomware, variously called WannaCry, WCry, and Wanna, is a self-replicating piece of malware (a worm) designed to invade systems, encrypt their files, and then demand a payment to unlock everything, usually in Bitcoin, which is allegedly untraceable. Unlike recent hacks in the news, you don’t have to do anything to set it off. Once WCry invades a computer, it takes control and spreads the payload to any machine it can breach. Furthermore, it was clearly designed to go worldwide: the ransom demands are written in multiple languages, and so far it has been reported in systems in 74 countries.
For you nerds who just need to know how the exploit works under the hood: Microsoft’s Technical Blog describes the entire deployment, so your IT team can understand not only the current attack but also how to defend against it (and similar attacks).
For the rest of you: turn off your computer and call IT ASAP.
Your system may be untouched, but here are some preventative measures to protect your systems.
- Patch your systems at least monthly (it’s not asking too much here)
- WannaCrypt spreads over TCP port 445 (SMB), so blocking that port at the firewall should help
- Have multiple backup types (server level, NAS system, cloud based)
- Create a honeypot that raises an alarm when it is probed or attacked
- Know your insurance policy for these issues beforehand
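One cheap way to implement the honeypot item above, added here as an illustration (this is not code from the original post): a decoy listener on the SMB port that nothing legitimate should ever connect to, so every connection attempt is an alert. The class name, event format and alert callback are assumptions made for this example; the demo binds an ephemeral loopback port because binding 445 needs privileges and belongs on a dedicated decoy host.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# Added example honeypot, not from the original post. A decoy listener on a
# port nothing legitimate should connect to (445/SMB, the port WannaCrypt
# spreads over). Every accepted connection is recorded and handed to an alert
# callback; in a real deployment that callback would page on-call or feed a SIEM.

def default_alert(event):
    print(f"[ALERT] {event['time']} connection from {event['src']} to port {event['port']}")

class Honeypot:
    def __init__(self, host="0.0.0.0", port=445, alert=default_alert):
        self.host = host
        self.port = port
        self.alert = alert
        self.events = []            # every connection attempt, in order
        self._sock = None
        self._thread = None
        self._stop = threading.Event()

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)                 # lets the loop notice stop()
        self.port = self._sock.getsockname()[1]    # real port if 0 was requested
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            event = {
                "time": datetime.now(timezone.utc).isoformat(),
                "src": addr[0],
                "port": self.port,
            }
            self.events.append(event)
            self.alert(event)
            conn.close()   # never talk back: nothing for the scanner to fingerprint

    def wait_for(self, n, timeout=5.0):
        """Block until at least n events are recorded; returns True on success."""
        deadline = time.monotonic() + timeout
        while len(self.events) < n and time.monotonic() < deadline:
            time.sleep(0.05)
        return len(self.events) >= n

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

def simulate_probe(port, host="127.0.0.1"):
    """Open and immediately close a TCP connection, as a scanning worm would (for demo/testing)."""
    with socket.create_connection((host, port), timeout=2):
        pass

if __name__ == "__main__":
    # Constructed demo on loopback with an ephemeral port; in production use
    # port=445 on a decoy host that no legitimate client has any reason to reach.
    hp = Honeypot(host="127.0.0.1", port=0)
    hp.start()
    simulate_probe(hp.port)
    hp.wait_for(1)
    hp.stop()
    print(f"{len(hp.events)} alert(s) recorded")
```

Any hit on the decoy is a high-confidence signal, because the host has no business on that port; the source address in the event tells you which machine to unplug first.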
If you’ve been infected:
- Physically unplug (if possible) an infected computer from the network.
- If a second system becomes infected, turn off your network switch.
- Get IT NOW to review your backups and possibly take them off the network while the breach is happening.
- Kaspersky Ransomware Prevention and Unlocker
- MalwareTech: worldwide ransomware attack map
High level bullet points
- Microsoft came out with a patch to prevent this exploit 2 months ago. And extra good news for XP and Server 2003 users: Microsoft released a patch for your out-of-service systems as well (nice guys).
- Even patched systems can be infected if someone clicks on a link that installs the malware.
- Although it is spreading quickly, this is NOT an unusually nasty attack.
- These types of attacks often target backup systems as well.
- Usually within a few days to weeks, methods to decrypt the files are created (not 100% of the time).
This has been a pretty heavy article, so here’s some good news.
A cyber security researcher noticed a strange URL in the code which appeared to turn the malware off if the site was live.
MalwareTech (mentioned above) bought the domain and sink-holed the malware, saving potentially tens of thousands of infections. Good on ya, MalwareTech!
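The sinkhole gives defenders a bonus: a follow-up check, added here as an example that is not part of the original post. If your DNS resolver keeps query logs, every internal host that looked up the kill-switch domain is a host on which the malware actually ran (it has to do the lookup before it decides to stop), so that machine still needs to be isolated and patched even though the sinkhole kept it from encrypting anything. The domain below is a placeholder (the real one is not reproduced here), and the BIND-style query-log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not from the original post. PLACEHOLDER: substitute the real
# kill-switch domain from your threat-intel source.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample resolver query log (BIND-style "query:" lines are assumed).
SAMPLE_DNS_LOG = """\
12-May-2017 15:03:11.201 client 10.0.4.17#51234: query: www.example.org IN A + (10.0.0.53)
12-May-2017 15:03:12.554 client 10.0.4.22#49211: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 15:03:12.930 client 10.0.4.22#49212: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A + (10.0.0.53)
12-May-2017 15:04:01.003 client 10.0.9.8#40001: query: updates.example.net IN A + (10.0.0.53)
12-May-2017 15:05:45.777 client 10.0.7.140#53022: query: killswitch-domain.example IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_query_log(text):
    """Yield one record per parseable query line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": m["ts"],
            "src": m["src"],
            # normalise: drop trailing dot, ignore case, so variants still match
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        }

def hosts_that_queried(text, domain=KILLSWITCH_DOMAIN):
    """Return {source_ip: [timestamps]} for hosts that looked up the kill-switch domain."""
    hits = defaultdict(list)
    target = domain.rstrip(".").lower()
    for rec in parse_query_log(text):
        if rec["qname"] == target:
            hits[rec["src"]].append(rec["ts"])
    return dict(hits)

def isolation_list(text, domain=KILLSWITCH_DOMAIN):
    """Hosts to isolate, ordered by first lookup time (earliest infected first)."""
    hits = hosts_that_queried(text, domain)
    return sorted(hits, key=lambda ip: hits[ip][0])

if __name__ == "__main__":
    for ip in isolation_list(SAMPLE_DNS_LOG):
        print(f"isolate {ip}: first seen {hosts_that_queried(SAMPLE_DNS_LOG)[ip][0]}")
```

Note the caveat in the lead-in: a host that queried the domain but could not reach it (for example, one that only has proxy-based egress, which the malware does not use) never saw the "site is live" answer, so the absence of a successful resolution does not mean the machine is safe.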