If you have read or listened to the news the last couple of weeks, or read my blog at mjshoer.com, you know there was a massive ransomware outbreak May 12. This has been widely reported as the WannaCry outbreak, this being the name of the ransomware that spread around the world, hitting companies in 150 countries, impacting hundreds of thousands of computers.
This was described as possibly being a cyber weapon of mass destruction, due to the speed and scope of the attack.
First and foremost, understand what ransomware is. It is a form of malware, malicious software that attackers run on your computer to carry out a larger task. In the case of ransomware, that task is to encrypt all the data your computer has access to, including files on shared network drives. Encrypted data is unreadable unless you have the corresponding decryption key; an encrypted file looks like a string of random characters, and without the key it is useless. Ransomware holds your data hostage by encrypting it and withholding the key until you pay a ransom to the attacker, commonly in the virtual currency Bitcoin. Bitcoin is not truly untraceable (every transaction is recorded on a public ledger), but wallets are pseudonymous and can be created anonymously, which makes tracking the money back to a person extremely difficult, if not impossible.
The WannaCry outbreak was unique for several reasons. Perhaps of most concern, it was built on a top secret exploit developed by the National Security Agency for use against adversaries of the United States. The code for this tool was reportedly stolen by a hacking group and posted online in April, so hackers all over the world could see how the tool was designed and how it worked. It targeted a specific vulnerability in the Windows file-sharing service that Microsoft had publicly disclosed and patched in March of this year. Early reporting said a phishing email was crafted to deliver the malware; whatever the first entry point, by scanning the Internet for computers with the vulnerability left unrepaired and the file-sharing service exposed, the hackers had a rich set of targets.
In that scenario a user is tricked into opening an attachment or clicking a link, which installs the malware on their computer and begins encrypting their data. The element that made this attack truly unusual was that it also acted as a worm: once running on one machine, it scanned for other computers with the same unpatched flaw, both on the local network and across the Internet, and infected them without any user needing to do a thing. Later analysis found that this worm behaviour, not email, was how nearly all victims were infected, and it is what produced the rapid rate of infection seen that day.
In other words, it took only one vulnerable computer inside a company, whether reached through a phishing email or directly from the Internet. Once the hacker's malware was running there, it installed itself on every other computer on the company network that had the same unpatched vulnerability.
This is why organizations like England’s National Health Service, FedEx and Spain’s Telefonica saw massive infection that required them to shut down computers in some cases for multiple days until the infection could be purged.
What’s worse is that it was preventable. The flaw this attack took advantage of was fixed in an update released March 14, yet nearly two months later the impact was massive, because so many computers had never installed it. Interestingly, the impact was lightest in the United States. Part of the reason is that in the U.S. most companies regularly install important updates, while in much of the rest of the world updating computers is not nearly a high enough priority. Part of it was luck: a security researcher registered the web address the malware checked before running, which caused new infections to stop spreading, and this happened early in the U.S. business day. This attack was a painful reminder of how much patching matters.
Most ransomware succeeds by tricking a user into opening an unsolicited email that contains an attachment or link. It amazes me that we are still combating this today, as it is a well-known attack vector and perhaps the easiest to defeat. Education and a little patience are all that is required.
The European Cybercrime Centre has a list of do’s and don’ts related to keeping yourself safe:
- Update your software regularly. At the very least, install all critical and security updates. If in doubt, install all available updates to keep your computer’s operating system up to date and safe.
- Use Anti-Virus and Anti-Malware software. You should also be sure to keep your computer’s software firewall enabled at all times.
- Browse and download software only from trusted websites. Avoid sites that offer paid-for software for free, including driver update sites not run by the actual hardware manufacturer.
- If you keep any data on your local computer hard drive, be sure it is regularly backed up, ideally to a Cloud service that keeps older versions of your files. Ransomware encrypts everything the computer can reach, so a backup drive that stays plugged in, or a synced cloud folder that mirrors every change, can be encrypted right along with the originals. Version history, or a backup you disconnect after it runs, is what lets you roll back.
- If you become a victim of ransomware, report it to the FBI. This helps it track outbreaks and when the opportunity presents itself, get the bad guys.
- Check www.nomoreransom.org if you get hit. This free site, supported by various law enforcement agencies and private industry, may help you recover from an infection.
- Don’t click on attachments, banners and links without knowing their true origin. What look like legitimate files, banners or links may not be what they appear to be. Hovering over a link shows the address it actually goes to, which may differ from the text you see, and is one way to check whether it is legitimate. It’s far better, though, to type the address into your browser yourself instead of clicking a link in an email.
- Don’t install mobile apps from unknown sources. If someone sends you a link to a mobile app for your phone or tablet, don’t click it. Go to the app store and search for the app there to check its legitimacy and install it. And don’t install or run unknown software.
- Don’t take anything for granted. Verify everything. Confirm with senders that they meant to send you any attachment or link. Look at the address bar, not just the padlock icon: the padlock only means the connection is encrypted and the certificate matches the address shown, and phishing sites can get a padlock too, so make sure the address itself is the site you meant to visit. When in doubt, make a phone call before you act.
- Have you installed software to get free TV or movies? Think twice. It may be stealing data from your computer. Kids fall victim to this far too easily.
- Don’t pay out any money. This just encourages more hacks and does not guarantee you will get your data back. One of the positives from this latest outbreak was that not much was actually paid out, considering how large the impact was.
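The hover check in the list above (look at where a link really goes, not at the text it shows) can be automated. What follows is an added example, not code from the original column or from the European Cybercrime Centre, that applies the same reasoning to every link in an HTML email body. It goes a little beyond hovering: besides flagging links whose visible text names a different site than the real destination, it flags hosts that are internationalized (punycode) names that display as something else, hosts that are bare IP addresses, and links that download an executable. The sample email body is constructed for the example using reserved example domains and addresses, and all function and variable names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style of a phishing email (not a real message).
# Hosts use reserved example names and addresses, so none of them is a real site.
# "xn--exmple-cua.com" is the encoded form of "exämple.com", a look-alike of example.com.
SAMPLE_EMAIL = """
<p>Your invoice is ready:
   <a href="http://payroll.example.com.invoice-login.invalid/doc">https://payroll.example.com/invoice</a></p>
<p>Or sign in at <a href="https://payroll.example.com/invoice">our portal</a>.</p>
<p>Reset your password at <a href="http://xn--exmple-cua.com/reset">example.com</a></p>
<p><a href="http://198.51.100.23/update.exe">Download the security update</a></p>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the destination hovering reveals, and the text shown."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL; bare 'example.com/path' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself reads as a web address."""
    t = text.strip().lower()
    return "://" in t or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", t) is not None


def audit_link(href, text):
    """Return a list of warnings for one link; an empty list means nothing looked off."""
    warnings = []
    host = host_of(href)
    path = (urlparse(href).path or "").lower()

    # The text shows one address but the link leads somewhere else.
    if looks_like_url(text) and host_of(text) != host:
        warnings.append(f"text shows {host_of(text)} but the link goes to {host}")

    # Punycode labels can render as look-alike names in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = host
        warnings.append(f"internationalized host {host} displays as {shown}")

    # Legitimate services almost never link to a bare IP address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append(f"link goes to a raw IP address ({host}), not a named site")

    # A link that downloads a program is the classic malware delivery.
    if path.endswith(EXECUTABLE_SUFFIXES):
        warnings.append(f"link downloads an executable file ({path.rsplit('/', 1)[-1]})")

    return warnings


def audit_email(html):
    """Audit every link in an HTML body; returns one record per link, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    return [{"href": href, "text": text, "warnings": audit_link(href, text)}
            for href, text in collector.links]


if __name__ == "__main__":
    for record in audit_email(SAMPLE_EMAIL):
        status = "OK " if not record["warnings"] else "!! "
        print(f"{status}{record['text']!r} -> {record['href']}")
        for w in record["warnings"]:
            print("      " + w)
```

Run against the sample, only the "our portal" link comes back clean; the other three are flagged for exactly the reasons a careful reader would spot by hovering. The checks are heuristics, not proof of safety: a link that passes all of them can still lead to a malicious page, which is why typing the address yourself remains the better habit.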
I hope this information helps clarify what happened, why and how. More importantly, I hope these do’s and don’ts will help keep you safe from any future outbreaks.
The following image shows a screen shot of the Norse attack map. This map shows real time intelligence on active cyberattacks taking place around the world.