WannaCry Ransomware – What just happened?

The WannaCry Ransomware worm has sparked a worldwide frenzy that has trickled into corporate America.  This ransomware is derived from the WannaCrypt computer worm that has been targeting Microsoft Windows based computers worldwide.  This worm specifically targets an old protocol within the Windows operating system called Server Message Block (SMB).  This protocol is used for computer to computer communications for printer and file sharing.  Once infected, the malware worm then checks the “kill switch” domain that was hard-coded into the malware file to see if it is active.  If the domain was not registered then the worm continues spreading indefinitely.  A 22 year old researcher that blogs under the name MalwareTech accidentally discovered that by registering the domain name they found hidden within the malware code, it can enable the “kill switch” for the worm to stop spreading.

The exploit EternalBlue that the worm is using to spread is believed to have been developed by the National Security Agency (NSA).  A hacker group by the name of Shadow Brokers leaked the alleged NSA exploit on April 14th, 2017.  As a result, Microsoft released patches in March to fix the vulnerability uncovered by the Shadow Brokers leak.  It wasn’t until May 12th, 2017 that the exploit was used to launch a worldwide attack which is where we are today.  The events leading up to now have included the initial infection at computer zero 5 days ago at the NHS based in the UK.  This was followed by the “kill switch” domain being registered which only temporarily stopped the spread on the same day.  Now there are numerous variants and copycats being created from the original WannaCrypt worm files.  The WannaCry ransomware has become one of the fastest spreading ransomware in history hitting 200,000 computers in 150 countries by the end of the day Sunday, just 3 short days later after the initial launch.

A Brief History of Ransomware

Cybersecurity has exploded over the course of the past couple of years.  This explosion is directly attributed to ransomware viruses that’s extorting money out of businesses.  Ransomware is nothing new as its roots traces back to 1989 with the AIDS Trojan Horse virus which wasn’t very effective due to its simplicity.  Fast forward to September 5th, 2013, Cryptolocker took residential home PC’s by storm encrypting important family photos, videos, and documents for a small $100-250 fee to get them back.  Cryptolocker also crept into small business offices usually spreading from the victims home PC either via emails or USB thumb drives.  In total, Cryptolocker extorted approximately $27 million worldwide before the U.S. Department of Justice intervened with Operation Tovar in raids for the groups responsible.  This lead to a domino effect once the world saw how profitable ransomware really is with hundreds of new variants between 2013 and 2017.  Now some businesses are fighting for their very existence after an infection takes place.  It’s difficult to explain how disruptive it really is without it happening to you.  The best I can explain it is to think of it as a burglar breaking into your home, taking all your important documents, photos, home videos, and personal belongings hostage until you pay them a ransom fee.  Those that have endured burglaries know that the after effects feels like you have been violated and have no privacy.  The same goes for businesses that have been impacted because how do you know if the attackers are still in the network or not? They could be watching, waiting, for the next opportunity to strike again.

What does this mean for my business?

If you do not have a Windows patch management plan in place for your network then this should be a wake up call to implement one.  Going around to each PC whenever you remember to run updates just doesn’t cut it anymore.  The amount of vulnerabilities and patches coming out are accelerating at a steady rate.  Relying on the users to do it on their own is not feasible either because they will keep brushing them off as they are always busy.  On-Site Technology’s patch management service automates the scheduling and install of the patches during off peak times when the user is not using the computer.  If you can automate something that would help against disrupting your business(or worse) for just a few dollars a day, then why aren’t you taking advantage of it?

We also cannot stress enough how important it has been to replace aging computers with unsupported operating systems.  The WannaCry ransomware exploited the SMB v1 protocol that’s widely used in Windows XP and Windows Server 2003.  Both of these operating systems had a good long run before Microsoft retired their support back in 2014.  Microsoft realized over the weekend how fast this worm was spreading and went back on their stance to release patches for both operating systems including Windows 8 (Succeeded by Windows 8.1).  This patch fixes just one vulnerability, these aging operating systems have hundreds of them without a patch and we will never see one.  It’s just a matter of time before someone finds another vulnerability to exploit.

Finally, as a last resort, online backups with revision history should be used for all critical data.  Think about all the data on your network, servers, and user machines.  If you were to completely lose the data on any of those machines, how much trouble would your business be in? If the thought of particular data on your network being lost is worrisome and can affect your business operations then you need online backup.  Dedicated backup servers and external backup hard drives are usually defenseless with ransomware since it tends to spread to whatever is connected to your computer.  While there are defense measures to put into place to make it harder for ransomware to spread to in-network backups, it is never guaranteed.

Why are hackers doing this?

When it comes to ransomware, there’s usually only one thing they want, MONEY!  They don’t care if they make your business come to a screeching halt because they encrypted your financial software so you can’t do billing or encrypted your employee’s database in HR so you cant send out payroll.  They also don’t care about the ramifications of leaking your(or your customers) data on the internet.  One thing is for certain though, just like telemarketing calls and junk mail, it is effective.  The amount of money they extort obviously far outweighs the risks of being caught or else they would not be doing it. There is one last reason why someone would want to inflict this much damage and for that I will quote Michael Caine: “…some men aren’t looking for anything logical, like money.  They can’t be bought, bullied, reasoned, or negotiated with.  Some men just want to watch the world burn.”

What else can I do to protect my business?

We have been advocating for multiple layers of protection as best practices.  If history has taught us anything, if a hacker or a team of hackers really want to get in, they will be relentless until they find a way in.  As a result, we deploy multiple layers of protection starting with a good commercial grade firewall with advanced filtering capabilities.  Security patching & frequent maintenance is paramount to stay up to date on vulnerabilities. Next is endpoint protection including anti-virus and advanced web filtering services for each of the servers, desktops, and laptops.  Next at bare minimum you should be using an Advanced Threat Intelligence Service to automate analyzing your firewall and Active Directory server logs.  This type of protection utilizes Security Information & Event Management (SIEM) software to correlate network and user authentication traffic within your network to alert when someone is doing something they have no business doing in the first place.  Two-factor authentication (2FA or MFA) has become paramount with today’s security when a single password just doesn’t cut it anymore.  Banks and financial institutions started using 2FA years ago but now its becoming standardized across all industries.  It is even highly recommended to turn on 2FA on your personal and business social networking profiles.  Whenever you hear that someones Facebook, Twitter, Instagram, Snapchat, Linkedin, or Google+ was hacked, it’s usually because 2FA is not turned on.

We also highly recommend putting an Incident Response Plan in place for your business.  A step by step procedure that employee’s, managers, and executives to follow once a cyberattack is underway.  Who should you call first? Does everyone have the direct contact information for the IT team?  What if it’s after hours? Who’s the on-call person for after hours and weekends?

Anything else we can do such as insurance or legal obligations?

You can guarantee that business general liability insurance does not cover data breaches or hacks.  You should speak to your insurance company or broker about data breach coverage.  Every agency and coverage is different, so make sure you ask all the right questions.  Does the policy include the cost of data recovery? Does the coverage include the cost of forensics? What about covering the cost to giving your customers or employees affected by the breach 1 year worth of credit monitoring? If a line of business (LOB) software vendor contract lapse, are we still covered for the data in that software?  There are a lot of constituents when it comes to this type of coverage, make sure you go in-depth with your agent to explain whats covered and what isn’t.

In the state of NJ, you are required by LAW to report any data breaches to the New Jersey State Police within 60 days of knowing about the breach.   New Jersey also requires as part of the NJ Identity Theft Prevention Act that you must publicly notify all those involved with your data breach if it affects any of your customers information.  The same goes for data breaches for your employee’s.  This includes but not limited to: Social security numbers, date of birth, drivers license numbers, credit card numbers, ACH bank account information, names and addresses, email address and passwords.  Please check your local laws for other states.

On the flip side, if you are a business owner and have become victim to a data breach.  There is an attorney-client privilege if you engage with your attorney immediately after the attack.  This limits exposure from your business if you had any security assessments, scans, or documentation that exposed vulnerabilities within your organization that was not fixed prior to the breach.  Essentially, without the attorney-client privilege even your own employee’s can sue you and use that information against you in a lawsuit for negligence if their personal information was compromised.  If you do engage with an attorney and disclose this information to them, then you are legally obligated not to share this information with your customers or employee’s while the investigation is going on.  Again please consult your legal team for more clarification and local laws as each state and county can be different.

[/polar_column_text][polar_cta heading=”Contact us today to get a security assessment!” sub_heading=”Call us at 973-429-7303 today or fill out the form below for more information.” css=”.vc_custom_1495122992707{background-color: #4179fc !important;}” heading_color=”#ffffff” subheading_color=”#f7f7f7″ heading_fontsize=”24″ subheading_fontsize=”14″]