Recently we started compiling a list of steps people could take to stay safe online and away from malware and all its children. It was simple, straight forward, easy to understand and quite honestly, filler for a slow news week.
Then WannaCry (or Wcry or Wanna or WannaCrypt) happened. It was like somebody went and broke the sixth seal. Human sacrifices were planned. Dogs and cats started talking about shared living space. In general it created mass hysteria of near biblical proportions in the InfoSec World and provided us with a perfect opportunity to use a Ghostbusters reference.
Our article went from being filler to being relevant really, really quickly and what had been a simple list has turning into a multi-part article about the dangers of Ransomware. WannaCry has reminded us that no matter how secure we feel there’s always something more that can be done to protect our digital livelihood and there are ways to mitigate damages going forward if you’ve been affected by ransomware.
WannaCry has also raised some questions regarding the moral obligation to disclose threats once they’re found and who’s culpable for the release of the leaked exploits that get mutated and turned into threats. We’ll get to that a bit later this week when Parts 2 and 3 of this article get published. Until then, let’s start with what WannaCry is, what it does and how you can protect yourself immediately.
Here’s what we know about WannaCry so far:
WannaCry is a particularly nasty piece of ransomware that has infected at least 75,000 computers and spread out over 74 countries since its initial release. The software uses a weapons-grade exploit developed by the National Security Agency (NSA) called Eternalblue that was leaked online by a dark web consortium calling themselves the Shadow Brokers.
The exploit was combined with a self-replicating payload and the ransomware spreads virally. It does not require end-users to open an email, click on a link or take any other sort of action that can typically further the spread of malicious code.
Once installed, WannaCry encrypts the end-point and holds it ransom for a specific amount of money. In this case the ransom is set between $300 and $600 worth of Bitcoins. Those affected either have to pay up to decrypt the end-point and return functionality or restore the end-point from a backup and possibly lose some valuable data. Users currently infected have until May 19th to pay up, or the ransom increases.
Multiple industries have been affected so far and the infection ONLY affects PC (aka Microsoft) users. WannaCry’s distribution has seemingly plateaued (halted by solutions discovered by security researchers and system patches) but it doesn’t mean it’s gone forever and could come back with a vengeance.
What can you do to protect yourself:
Right now there are only two guaranteed ways to protect yourself immediately from WannaCry. It’s a two-part solution that’s fairly straight forward and very easy to implement; disable Service Message Block Version 1 (SMBv1) - and - patch your operating system with MS17-010 (released by Microsoft in March).
SMBv1 is a legacy application-network protocol for file sharing. It’s old, it’s outdated and it’s been replaced, not once, but twice (SMBv2 and SMBv3). However, because Microsoft is a fan of keeping legacy products implemented, they don’t disable SMBv1 right out of the box, even with SMBv2 or SMBv3 present and enabled in the OS. WannaCry uses a vulnerability in SMBv1 to spread laterally across a network and infect as many machines as it can.
Microsoft has released a How-To guide on disabling SMBv1 and we suggest you take a look. Once it is disabled SMBv1 can not spread from end-point to end-point on your system. Worst case scenario is one end-point gets infected and you have to restore it from a back-up but you’re not looking at a catastrophic event system wide.
After you’ve disabled SMBv1 it’s time to patch the OS with MS17-010. This patch, released in March of 2016 essentially fixes the issue with SMBv1 and will close any doors someone might have used to exploit your system. Microsoft even went back as far as patching the vulnerability in Windows XP and they haven’t supported that OS in YEARS. If they’re digging XP out of mothballs to patch it it’s probably something you can’t ignore.
We understand that it can take time to implement a patch and they’ve been known to wreck havoc on a system if they’re not tested and implemented correctly. Knowing that in advance though you should at least take the time to disable SMBv1 while you can and start implementing MS17-010 as soon as possible.
Taking the time to disable SMBv1 and deploy MS17-010 across your system might seem time consuming but honestly, what’s worse, taking a few moments out of your day to keep your system safe proactively or having to pay multiple ransoms to unlock your end-points.
It’s up to you.