We’ve been following the latest on the WannaCry ransomware attack that we first told you about over the weekend.

A feared “second strike” did not materialize today, but victimized firms in over 100 countries are still struggling to recover.

So, what’s next?

If you needed to build the business case for increasing the budget for updates/upgrades and your IT programs, this should provide the jump start. If your IT support and maintenance is outsourced, you should be asking your provider questions. Now.

  • What versions of operating systems and software are you running? Unsupported versions of Microsoft Windows no longer receive routine security updates, so they stay exposed not only to this exploit but to the variants that follow it. There may be very specific circumstances that require you to keep running versions that are no longer supported (including the cost of upgrading), but now is the time to revisit the topic, with the Board of Directors if necessary.
  • Is your company’s patching program up-to-date? At the very least, have you updated this weekend? Make sure that both your personal and business machines running Windows have the patches issued by Microsoft, in particular the March 2017 update for the SMBv1 flaw (MS17-010). If you can’t patch directly, follow Trend Micro’s suggestion to use a virtual patch (an intrusion-prevention rule that blocks the exploit traffic in front of the vulnerable host). If you can’t patch at all, segregate machines with outdated operating systems: disable SMBv1 where it is not needed, and block TCP port 445 at the perimeter and between network segments so that an infected machine cannot reach the others.
  • What is your backup and recovery plan? Do you have one? If you have a well-thought-out data backup and recovery plan, you may be able to ride out a ransomware attack by restoring your data from clean backups. Management should be asking whether there is a plan to ensure that all important files are backed up in a way that prevents a ransomware infection from reaching both the primary files and the backups: at least one copy should be offline or otherwise not writable from the machines being backed up, because ransomware encrypts any network share it can write to.
  • Are you following US-CERT alerts?  Sign up here.
  • Review your insurance policies. Ransomware attacks and their after-effects may be covered by a cyberliability policy, but a failure to take preventive action could trigger an exclusion. Also look at your other policies (business interruption, crime, kidnap/ransom) to see whether you can stack coverage.

Be vigilant.   Encourage vigilance in your workforce.

UPDATE:  Europol chief Rob Wainwright told the BBC, “Companies need to make sure they have updated their systems and ‘patched where they should’ before staff arrives for work on Monday morning.”

By now, you may have heard about the global ransomware attack affecting organizations throughout the world. Estimates range from 150,000 to 200,000 infected systems in nearly 150 countries, and those numbers could be higher. The ransomware, called “Wanna Decryptor” or “WannaCry”, does what other ransomware does once it is on a machine: it encrypts the organization’s files and demands payment for the key. What set it apart is how it spread: from each infected machine it exploited unpatched Windows hosts over the network on its own, without anyone having to click anything. Here are some quick facts about the WannaCry attack and suggestions for avoiding it.

How does ransomware get onto a system generally? 

Ransomware typically installs on a victim’s computer when a user clicks on a malicious link in a “phishing” email (an email designed to trick the user into thinking that it is from a known or legitimate source). Ransomware can also arrive through infected file attachments or by visiting a malicious website. How WannaCry first entered each victim network had not been confirmed at the time of writing; early reports pointed to phishing. What is certain is that, once inside, it spread from machine to machine by exploiting the SMBv1 vulnerability directly over TCP port 445, so an unpatched Windows host reachable on that port can be infected with no user action at all. You can read more about ransomware generally here, here and here. [Graphic: example of a malicious file message.]

How does WannaCry work?

WannaCry affects systems that are behind in their Windows patching. There is a patch for the vulnerability it exploits: Microsoft fixed the SMBv1 flaw in Security Bulletin MS17-010 on 14 March 2017, almost two months before the attack (see the US-CERT article on the Microsoft SMBv1 vulnerability and the Microsoft Security Bulletin MS17-010). A machine that has that update installed, or that has SMBv1 disabled and port 445 blocked, cannot be infected by the worm component. See the following links for additional technical information:

Is any system particularly vulnerable? 

Windows Server 2003 and older, and Windows XP and older on the desktop, have been discontinued by Microsoft and no longer receive security updates, so these systems are particularly vulnerable. In response, Microsoft took the highly unusual step of releasing emergency security patches for unsupported versions of Windows, including XP, Server 2003 and Windows 8. Everyone should be actively checking systems and updating. Microsoft has done this only rarely before (for example, an Internet Explorer fix for Windows XP in 2014, shortly after XP’s end of support), and it should not be relied on: a system that is out of support will normally stay unpatched.
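A concrete way to do the checking that both the questions in the first post (operating system version and patch status) and this section call for is to audit each Windows host for the three conditions that matter here: an unsupported version, a missing MS17-010 update, and SMBv1 still enabled. The PowerShell script below is an added example, not code from the original post or from Microsoft. It assumes an elevated prompt on Windows 7 / Server 2008 R2 or later (PowerShell 3.0+); the KB numbers in it are the March 2017 MS17-010 identifiers and the May 2017 out-of-band identifier as this example assumes them, and later cumulative updates supersede those numbers, so a missing KB is a prompt to verify rather than proof of exposure (the SMBv1 state is the more reliable signal).

```powershell
# Added example, not from the original post: audit this Windows host for the
# conditions WannaCry relies on. Run in an elevated PowerShell (3.0+) prompt.

# Assumption: MS17-010 security-only / rollup IDs from March 2017 plus the
# May 2017 out-of-band update for unsupported versions. Later cumulative
# updates supersede these, so a missing ID means "verify", not "vulnerable".
$Ms17010Kbs = @{
    'Windows 7 / Server 2008 R2'   = @('KB4012212', 'KB4012215')
    'Windows 8.1 / Server 2012 R2' = @('KB4012213', 'KB4012216')
    'Windows Server 2012'          = @('KB4012214', 'KB4012217')
    'Windows 10 1607'              = @('KB4013429')
    'XP / Server 2003 / Windows 8' = @('KB4012598')
}

function Get-OsInfo {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption = $os.Caption
        Version = [version]$os.Version
    }
}

function Test-UnsupportedOs {
    # XP and Server 2003 report NT 5.x; Vista (6.0) left support in April 2017.
    # Server 2008 also reports 6.0 but was still supported, so match Vista by name.
    param([string]$Caption, [version]$Version)
    return ($Version.Major -lt 6) -or ($Caption -match 'Vista')
}

function Get-InstalledMs17010 {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = foreach ($family in $Ms17010Kbs.Keys) {
        foreach ($kb in $Ms17010Kbs[$family]) {
            if ($installed -contains $kb) { $kb }
        }
    }
    return @($found)
}

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbServer module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 registry value; when absent, SMBv1 is on (the default).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $true }
    return ($value.SMB1 -ne 0)
}

function Test-Smb445Listening {
    # Get-NetTCPConnection exists on Windows 8 / Server 2012 and later; fall back to netstat.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    return [bool](netstat -an | Select-String -Pattern ':445\s+.*LISTENING')
}

$os = Get-OsInfo
$report = [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OS           = $os.Caption
    Unsupported  = Test-UnsupportedOs -Caption $os.Caption -Version $os.Version
    Ms17010Found = (Get-InstalledMs17010) -join ', '
    Smb1Enabled  = Get-Smb1ServerEnabled
    Port445Open  = Test-Smb445Listening
}
$report | Format-List

if ($report.Smb1Enabled -and -not $report.Ms17010Found) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 update was found: treat this host as exposed until verified.'
}
if ($report.Unsupported) {
    Write-Warning 'Unsupported Windows version: it will not receive future security updates.'
}
```

Run it on each host with `powershell -ExecutionPolicy Bypass -File audit.ps1`, or across a fleet with `Invoke-Command` and collect the `$report` objects centrally; a host where `Smb1Enabled` is true and `Ms17010Found` is empty is the one to patch or segregate first.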

What are immediate steps for an organization that is attacked?

An organization that is attacked should immediately isolate the affected systems and networks to stop the malware spreading, preserve evidence and contact law enforcement. Isolation means disconnecting the infected machines from the network (or at least blocking SMB, TCP port 445, to and from them), not wiping or rebuilding them straight away: leave them powered on so that memory can be captured if needed, and record which machines were hit and when, since that tells you which backups are clean.
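As an added example (not from the original post), the following PowerShell performs the containment steps described above on a single host: cut off SMB traffic in both directions, disable the SMBv1 server and client so the vulnerable code path is gone, and optionally take the host off the network entirely. It assumes an elevated prompt; the Net* and Smb* cmdlets exist on Windows 8 / Server 2012 and later, and the registry and sc.exe steps are Microsoft’s documented method for Windows 7 / Server 2008 R2.

```powershell
# Added example, not from the original post: emergency containment of one host
# that is infected, or that sits next to an infected machine. Run elevated.

function Block-SmbTraffic {
    # Blocks SMB (TCP 445) both ways: inbound stops the worm reaching this host,
    # outbound stops an infected host from reaching its neighbours. The NetSecurity
    # cmdlets exist on Windows 8 / Server 2012 and later; older hosts use netsh.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Emergency block SMB inbound' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName 'Emergency block SMB outbound' -Direction Outbound `
            -Protocol TCP -RemotePort 445 -Action Block -Profile Any | Out-Null
    } else {
        $null = netsh advfirewall firewall add rule name=EmergencyBlockSmbIn dir=in action=block protocol=TCP localport=445
        $null = netsh advfirewall firewall add rule name=EmergencyBlockSmbOut dir=out action=block protocol=TCP remoteport=445
    }
}

function Disable-Smb1 {
    # Server side: the code path MS17-010 fixes is in the SMBv1 server.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2 (Microsoft KB2696547): takes effect after a restart.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: stop the SMBv1 redirector from loading so this host cannot be
    # tricked into speaking SMBv1 to a malicious server either.
    $null = sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    $null = sc.exe config mrxsmb10 start= disabled
    # Windows 8.1 / 10: remove the optional feature as well (silently skipped elsewhere).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Disconnect-Host {
    # Full isolation for a machine believed infected: every adapter down, nothing
    # else touched, so memory and disk remain available for forensics.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

Block-SmbTraffic
Disable-Smb1
# Disconnect-Host   # uncomment on a host that is actually infected
Write-Host 'SMB blocked and SMBv1 disabled. Do not reboot an infected host before memory has been captured.'
```

The firewall rules take effect immediately; the SMBv1 server change on Windows 7 / 2008 R2 and the client change on every version need a restart, which is why the SMB block goes in first and why the restart should wait until any memory capture is done. After restarting, confirm with `Get-SmbServerConfiguration` (or the SMB1 registry value on older hosts) that SMBv1 stayed off.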

How can a WannaCry victim regain access to data? 

Once WannaCry or other ransomware has encrypted a victim’s data, the realistic alternatives are: 1) restore data from clean backups; or 2) pay the ransom. Paying is discouraged by law enforcement and does not guarantee a working key, and in WannaCry’s case the payment process was reported to be unreliable because the attackers had no dependable way to tell which victim had paid. Before either step, check whether security researchers have published a free decryption tool for the variant involved.

How can WannaCry and other types of ransomware be avoided?

  • A comprehensive and continually updated security risk assessment
  • A security risk assessment that doesn’t address ransomware is out of date
  • Workforce training on ransomware – make sure that the workforce understands the importance of avoiding suspicious email messages, links and attachments
  • Workforce testing on ransomware – send simulated phishing emails and see how many people click on the suspicious links.
  • Maintain comprehensive data backup systems – make sure that they are easily accessible in the event of an emergency (practice restoring from them in a non-emergency, and keep a copy that an infected machine cannot overwrite)!

We will provide further information on the WannaCry attack as it becomes available.