This nasty new strain of ransomware showed no prejudice in whom it targeted. Whether it was your family members searching their ‘My Pictures’ folder for the family picnic photos, the average PC user just trying to browse the web to kill time, students looking for their dissertation, or the hospitals in the UK that depended on their systems to check patients into the ER and schedule surgeries, the global effect of this malware was gut wrenching.
The attacks we just witnessed were built on top of ‘hacking tools’ containing exploits for Microsoft vulnerabilities that the NSA was believed to have had in its possession; the tools were publicly leaked by a group called the Shadow Brokers. The exploit used in the WannaCry attack in particular was named EternalBlue. As soon as Microsoft got word that these tools existed, it started to release patches.
So why were people still getting attacked? Doesn’t everyone religiously run their Windows Updates?
Many IT security professionals worked nonstop throughout the weekend trying to tackle the question, “What just happened?!” There was a moment of hope when a security researcher hit the kill switch on WannaCry by registering a domain that the ransomware was pointing to. However, the hackers simply revised the code and went at it again. There is no projected time frame for when it will stop. Microsoft engineers have been kind enough to provide critical updates for out-of-support operating systems such as Windows XP and Server 2003 just to try to mitigate the damage.
In the realm of IT, we have all heard of, or even witnessed, end users falling prey to ransomware. Unlike most common malware or viruses, which can be easily eradicated after the fact, once this malware enters your system everything is on lockdown. Instead of your desktop background picture of your dog or favorite cartoon character, a ransom note appears demanding that roughly $300 worth of Bitcoin be handed over if you ever want to see your files again. You exit out. You reboot. You start your PC in Safe Mode. You take out your drive and dock it to another PC. Whatever you do, it’s all futile. Your files have just been encrypted. You have less than a week to pay the ransom to get the key to decrypt your files. It’s Game Over!
Do I really have to pay? Will I ever see my files again? Was there anything I could have done to prevent this?
Answers: No, Hopefully, and Most Definitely Yes!
First, paying a ransom is never guaranteed. You could get the key to decrypt your files from the attacker, or you could just end up $300 lighter and still stuck in the same situation.
How did it start to spread? Well, we all have that friend or family member who has received an email supposedly from Microsoft with a link to start a virus scan, or an email from someone they know where the preview looks odd, or who gets click happy and opens an attachment from any email the moment it arrives in their inbox. Being cautious of all of the above is the first step to avoiding becoming a victim.
Staying Up to Date
Microsoft Windows operating systems get replaced by newer versions: Windows 98 to XP to Vista to Windows 7 to Windows 8 to Windows 8.1, and so on. This is a known fact. We are only human and can easily become hesitant to change; “If it works, why change it?” is a common mentality. By the same token, however, Microsoft and other developers cannot afford the time or cost of supporting operating systems years and years after they have reached their end of life and been retired. This is where it gets complicated.
Some companies feel that they cannot afford to migrate from Windows XP to Windows 7, or from Windows Server 2003 to Windows Server 2008, for fear that their applications and databases will not function correctly after the migration. It would cost them a lot of money in licenses and developers, plus the headaches of getting everything compatible and working, not to mention the planning and downtime needed to complete such projects.
This is where the risk must be evaluated, asking, “Do we take the downtime and costs associated with upgrading, or just keep using what we have on hand, since it’s been working fine for 10 years?” while also taking into consideration the risk of becoming a victim of an attack like WannaCry. And if you were hit, how would you recover into a state that would prevent reinfection?
Every month, Microsoft releases a round of updates for Windows operating systems that include not only feature improvements but also security updates. We have all been guilty at one point or another of dismissing the popup that says updates are ready to be downloaded and installed. Even small and medium-sized businesses that have their servers hosted in cloud datacenters might not have their systems fully redundant or in a highly available state, which may make them want to postpone the monthly Windows patch night as well. They simply cannot afford the downtime or the planning required to let their servers reboot. On the other hand, how can they afford to be down for far longer than a reboot when their files are hijacked?
Simply keeping your operating system and antivirus software up to date is the second line of defense.
What’s Your Backup Plan?
Unlike ransomware of the past, this WannaCry variant not only infected users who ignored best practices and opened that fishy-looking email; it immediately spread across their network, attacking every other device attached – be it your family member’s laptop in the living room or your co-worker’s PC on the second floor.
Backups … Backups … Backups … My favorite saying on backups is that “you are only as good as your last backup”. There are both free and paid backup software solutions out there that will let you take true system image backups of your PC and store them on an external drive that is disconnected from your PC, or (in the case of servers) onto a storage array that is segregated from your live data. Even free and subscription-based cloud solutions such as Microsoft’s OneDrive are options for file- and folder-level recovery.
There is a caveat on the server side of things, though: some servers have backups that take up terabytes of storage. Moving data from a backup appliance back to your server is not always quick; it is limited by the bandwidth of the connection between the server and the backup storage array. Instead of the minutes or hours a home user might wait, it could take much longer, but knowing that your backups are solid and good should give you peace of mind. Coming to the realization that all your data is unrecoverable, on the other hand, would be a nightmare.
What we all should take away from this past week of the WannaCry outbreak is that simple, preventative measures are not that bad. Run those Windows Updates that are queued up. Update your antivirus definitions. Be aware of which emails you open and which links you click on. Use a supported version of Windows. These simple tasks could have drastically reduced the number of affected users.
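The closing advice above can be turned into a read-only check you run on each Windows host. This is an added example, not part of the original post; it assumes Windows 7 / Server 2008 R2 or newer with PowerShell 3+, and the SMBv1 check rests on the fact that EternalBlue exploits the SMBv1 server service.

```powershell
# Readiness check for the advice in this post: supported OS, pending Windows
# Updates, last installed hotfix, SMBv1 exposure and antivirus definition age.
# Run in an elevated PowerShell session. Makes no changes to the system.

# 1. Supported OS? XP (build 2600), Server 2003 (3790) and Vista (6000-6002)
#    were all out of support by May 2017; Windows 7 starts at build 7600.
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt 7600) {
    Write-Warning "$($os.Caption) (build $($os.BuildNumber)) is out of support; migrate it."
} else {
    Write-Output "OS: $($os.Caption) build $($os.BuildNumber)"
}

# 2. Updates still waiting to be installed, read through the Windows Update
#    Agent COM API (the same data the "updates are ready" popup comes from).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) update(s) pending:"
    foreach ($u in $pending) { Write-Output "  - $($u.Title)" }
} else {
    Write-Output "No pending updates."
}

# 3. Most recently installed hotfix (same data as 'View update history').
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) { Write-Output "Last hotfix: $($last.HotFixID) on $($last.InstalledOn.ToShortDateString())" }

# 4. SMBv1 server: EternalBlue exploits SMBv1, which is how WannaCry hopped
#    between machines on one network. Microsoft documents this registry value
#    (DWORD 0) as the way to disable the SMBv1 server on Windows 7 / 2008 R2.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1 -ne 0) {
    # A missing value means the default, which is enabled.
    Write-Warning "SMBv1 server is enabled (value: $(if ($null -eq $smb1) { 'not set' } else { $smb1 }))."
} else {
    Write-Output "SMBv1 server is disabled."
}

# 5. Antivirus definition age (Windows Defender only; cmdlet exists on 8.1+).
$av = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($av) {
    $ageDays = [int]((Get-Date) - $av.AntivirusSignatureLastUpdated).TotalDays
    if ($ageDays -gt 2) { Write-Warning "Antivirus signatures are $ageDays days old." }
    else { Write-Output "Antivirus signatures updated $ageDays day(s) ago." }
}
```

Third-party antivirus products expose their own status commands, so section 5 only reports when Defender is the active engine.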