May 15th, 2017
Threat: WannaCry Ransomware
Note to NPC Clients: All NPC users have the required patching to prevent WannaCry infections. This NPC Security Alert is for non-NPC computers.
What's the issue?
By now you have likely seen in the media that a ransomware virus exhibiting significant ability to spread and cause considerable damage has been released. More than 200,000 computers in 150 countries have been victimized, including healthcare and critical service organizations.
Within 24 hours of the release, a United Kingdom malware researcher found a flaw in the virus's program code. The researcher registered a website address the malware was programmed to re-direct attacks to if the website was active, essentially a type of "kill-switch". This had some effect in slowing the spread of the virus. Other researchers have, however, discovered subsequent variants of the malware spreading that did not have the flaw. Expectations are that other attackers will continue to improve the code, making remaining vulnerable computer systems continued targets.
How does it work?
Ransomware is a type of malicious software that takes control of a victim's computer and locks out access to the system or surreptitiously encrypts the victim's files with powerful encryption. The perpetrator(s) then demand a ransom to release control of the computer or decrypt the files. Payment of the ransom does not always work to restore encrypted files.
Beyond the usual attack methodology of phishing emails and toxic links on websites, WannaCry appears to have "computer worm" capabilities, essentially the ability to automatically spread to other computers that are connected to an infected computer. This has caused significant damage to companies that have been attacked, as computers interconnected through local area networking are the norm.
WannaCry exploits a vulnerability, known as EternalBlue, in numerous versions of Windows operating systems to embed itself and execute its attack.
What should I do?
Microsoft released a patch for current operating system versions on March 14.
Over the weekend, ostensibly due to the magnitude of the attack, Microsoft took the unprecedented step of releasing patches for discontinued operating system versions they no longer support, including Microsoft XP and Windows Server 2003.
- Ensure you have a full backup of all your devices, with proper versioning and integrity checking. Use a backup system that is not directly connected to your computer when not backing up.
- If you do not have automatic updates enabled on your computer(s), go to Windows Update on your computer and request and run available updates.
- Ensure you have a fully patched office suite, web browser and a powerful and up-to-date anti-malware suite.
- Do not open any email attachments you are not expecting, or click on unknown ads or links on websites you are unfamiliar with.
- Do not connect your device to unsecured networks.
- If it appears you have been attacked, contact an IT professional immediately for guidance in recovering your files.
NPC will continue to monitor this attack situation and advise of any significant developments.
For more information:
Avast Blog - Ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far, today
CNN Tech - Massive cyberattack targeting 99 countries causes sweeping havoc