When a set of hacking exploits was leaked from the NSA last month, it handed a ready-made toolkit to anyone in the world who wished to use them. The companies responsible for the affected software, such as Microsoft, immediately scrambled to release updates (or, in fact, had already released them) to defend against these exploits at the time of the leak, swiftly providing protection that neutralized the risk.
The gap in this protection, however, is whether a user actually receives the software update.
With some systems, an update is hard to miss. In fact, your operating system might force you to accept it with a countdown leading up to a forced restart, a circumstance that often leaves users frustrated over a work interruption, or over losing the most recent episode of a favorite TV series mid-stream! However, not all versions or systems enforce updates this way, nor does every company have a process in place to ensure that all of its computers and computer-operated machinery are updated regularly. Some assume it will happen on its own, or simply do not realize the looming threat, because the weaknesses and problems are otherwise invisible until an attacker takes advantage of them.
System updates are not simply a flu shot against a possible pathogen. They are repairs to holes in your fence, or even in your foundations, made before the property is invaded, robbed, held for ransom, or simply crumbles to dust.
Wanna Cry? What is this threat?!
WannaCry, also called WanaCrypt0r or similar names, is a new ransomware that began attacking systems last week, on Friday, May 12th 2017. It breaks into your computer using the EternalBlue exploit developed by the NSA, one of the exploits that was leaked to the public by hackers on April 14, 2017. It can arrive on a Windows system through any number of malware delivery vectors, and then spreads quickly to other networked machines, such as those on a local business network or even a hospital network.
First it encrypts the files on your computer so that they cannot be accessed, then it spreads to the rest of your network while demanding payment from the user to unlock the files, hence the name ransomware. In addition, it installs a backdoor called DoublePulsar, which came from the same leaked toolkit; this allows the attacker to access your machine and files easily even after the files have been unlocked.
How will I know if I am infected?
It will be very clear: you won’t be able to use your computer. Your screen will instead inform you that your files have been encrypted and demand a ransom payment in bitcoin to unlock them, with a countdown warning of impending deletion.
Am I at risk?
If you have not patched your supported Microsoft systems since mid-March 2017, or your unsupported systems (XP, Windows 8, Server 2003) within the past few days, then it is possible that you are at risk from this particular exploit.
If you have not done so, please update your Microsoft systems!
Is this a new threat?
This is not the first time this malware tool set has been used in this way; it is simply the most widespread event. There have been reports since the April leak itself of systems being infected with such tools, since they have become available to anyone with criminal intent.
The fix has been available since before the exploit was made public, at least for supported Windows machines. Though it has been over 2 months since that Microsoft patch on March 14th, many organizations have still not applied it, or are running older, unsupported versions of Microsoft products such as Windows XP, Windows 8, or Windows Server 2003.
Unfortunately, many systems worldwide were still running those older, unsupported products and were still vulnerable. Europe appears to have been the most heavily hit; notably, the United Kingdom’s National Health Service still ran Windows XP on many of its systems and machines, including MRI scanners and blood-storage refrigerators. This is not the first time a health system has been hit by ransomware: it happened to the Los Angeles hospital Hollywood Presbyterian Medical Center in February 2016 as well. Other groups that were infected include airlines and FedEx in Spain, among many other organizations running vulnerable, unpatched systems.
While there is so far no reported use of the private data accessed on the infected machines, the fact that the data was accessed, and that a backdoor was also installed on these computers, leaves that as a loose end.
What can I do?
Update your systems! The best course of action to protect yourself or your business is to ensure that all of your computer systems are up to date: if the protection updates are never picked up, then your system remains vulnerable to everything those updates would fix!
Back up your systems and files! If something does happen to your files, having a backup allows you to wipe the affected systems and restore them, preventing a loss of files and data.
There are other options as well, including isolating critical systems or machinery from network connections and generally practicing good cyber-security. Having an active cyber-security team for your business can be critical to preventing catastrophic losses of system data, but if you do not have one, Tiro Security offers security assessments at a reasonable price, in which we will look at your policies, procedures, and security implementation to see if you have any gaps in your de-fence (excuse the pun)!
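To turn "are we up to date?" into a concrete check, here is an added PowerShell example (not part of the original post, and not Tiro Security's tooling) that reports whether a Windows host still has the SMBv1 server switched on, which is the service EternalBlue targets, and whether a hotfix from the March 2017 Microsoft update is installed. It assumes it is run as an administrator; the KB identifier list is a placeholder to fill in from the Microsoft bulletin for your OS build, and on Windows 10 a newer cumulative update supersedes the March one, so a miss there means checking the installed cumulative update rather than concluding the host is unpatched.

```powershell
# Added example: report a host's exposure to the conditions WannaCry relied on.
function Get-WannaCryExposure {
    param(
        # Placeholder: the KB IDs of the March 2017 (MS17-010) update for this
        # OS build. Fill in from the Microsoft bulletin; the value below is not real.
        [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER_FROM_BULLETIN')
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # EternalBlue targets the SMBv1 server. On Windows 8.1 / Server 2012 R2 and
    # later this cmdlet reports whether it is still enabled; on older releases
    # (XP, 2003, 7) the cmdlet is absent and the state is reported as Unknown.
    $smb1 = 'Unknown'
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $smb1 = [bool]$cfg.EnableSMB1Protocol }

    # Installed hotfixes that match the list. Get-HotFix only sees updates
    # installed through Windows Update / WUSA, so an empty result on a current
    # Windows 10 build may just mean a later cumulative update superseded it.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    $patched = $installed.Count -gt 0
    # Exposed if no matching fix is installed and SMBv1 is on or cannot be ruled out.
    $exposed = (-not $patched) -and ($smb1 -ne $false)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        Build          = $os.Version
        SMB1Enabled    = $smb1
        Ms17010Patched = $patched
        MatchedKBs     = ($installed -join ',')
        Exposed        = $exposed
    }
}

# Run locally and show the result; pass the same function to Invoke-Command
# to sweep every host an organisation is responsible for.
Get-WannaCryExposure | Format-List
```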