Reports on cyber security risks are in the news nearly every day, and there are no signs of attacks slowing down. In recent years, it has become commonplace to see news headlines related to security breaches at large retail chains (e.g., Target, Home Depot) or waves of ransomware attacks that have crippled businesses and users, as is the case with this latest ransomware attack known as WannaCry. The sheer volume of cyber security information published, and the jargon that comes along with it, can be difficult to understand in a way that allows you to easily identify if a legitimate threat to your organization exists.
It’s important for organizations to proactively educate and prepare themselves rather than reactively panic. As a Gold Certified Partner in the Microsoft Partner Program, Sikich works with clients every day on IT strategy, technology questions and security concerns. We’ve fielded many questions regarding WannaCry and we understand that the attack is currently top of mind for many of our clients. In the hope that it can help other organizations better understand the situation, we’ve put together a list of answers to the most frequently asked questions (FAQs) we’ve received regarding the WannaCry ransomware attack.
What makes this attack so unique?
WannaCry is a variation of ransomware. Ransomware is malicious software that blocks access to your data until a ransom is paid. Once the attackers are paid, they may or may not provide the means to unlock your data and access it again.
In the past, this type of attack was typically initiated through the user clicking on a malicious ad or link. What is unique about WannaCry is that the group responsible weaponized ransomware in a way that had not been seen before – they put the malicious software into a worm. The worm has been quickly crawling the Internet looking for vulnerable devices. This indicates that the ransomware attack has evolved to involve not just the user, but also how the computer is administered and maintained.
What do businesses need to know about WannaCry?
If you have legacy devices (e.g., old versions of Windows) on your network, this event should serve as a reminder to pay close attention implementing device patches and updates. This is especially true for larger organizations that may not refresh their technology often. We strongly encourage you to do an audit of your systems and make sure you have removed or replaced devices that are no longer supported by the vendor (e.g., Windows XP).
Another aspect to consider examining is how your vendors interact with your environment. If you have a vendor on your network that controls elements like air conditioning, security cameras or the like, they can be the foot in the door that an attacker needs to spread malware in your environment.
Who is the most vulnerable?
The spread of the WannaCry ransomware to more than a hundred countries and hundreds of thousands of computers has everyone wondering what the common thread is among the victims. Vulnerability to this attack largely centers on patching practices. Therefore, organizations with IT staff that are overworked or that don’t have control over every single device on the network tend to be the most vulnerable, as these environments are more prone to errors or oversights involving the timely implementation of the critical patches necessary to prevent such an attack.
What is the best thing to do to protect our organization?
Reassess the amount of time, effort and budget invested in security, whether it’s handled internally or outsourced. At the very least, your organization should focus on tightening up its practices around the basic core areas of patching, password policies and anti-virus.
This is likely just the first of many attacks we are going to see in the near future that will be similar to WannaCry. The original attackers (or a group of copy cats) will modify or refine this initial version and launch another wave of attacks. It is imperative that organizations do everything they can to avoid “going numb” to all of the security risk-related news they hear in the coming weeks, and remain vigilant in safeguarding their environments.
What else can I do to protect my systems?
In addition to installing critical patches in a timely manner, there are a few other ways you can help protect your organization. To make sure you are able to react and recover in the case of an attack, talk to your IT staff about your backup processes. Since not all systems may be backed up on a daily basis, it’s important to understand and assess how often backups occur. Are you prepared to live with losing a week of productivity?
It is also important to test performing a restore from a backup. While your backup program might indicate that your data was successfully backed up, we’ve seen customers have serious problems when it came time to try restoring their data when it mattered most.
What should someone do if their computer is infected? Should they pay the money?
The WannaCry ransomware asked for a payment of $300 USD. It is possible this limit was selected with the mindset that companies would just pay, given the relatively low amount.
For those organizations or individuals that choose to pay the ransom, there are no guarantees (or honor among thieves). If you pay and wait for the key to unlock your data, you could be paralyzed for an undetermined period. This is especially prevalent with WannaCry, as the way in which it was coded has the attackers using a manual process to determine who paid the ransom.
We recommend talking to law enforcement to help make an informed decision. We’d also like to hear from victims. While there is currently no publicly-available key to unlock WannaCry, security researchers are working everyday to crack this code.
Want to learn more about the current state of security? Join Sikich on Thursdays in June for our webinar mini-series, Security Executive Briefing: What You Need to Know to Protect Your Organization in 2017 and Beyond. Get more information and register here.
As of May 19, 2017, Security researchers have found a way to decrypt WannaCry, but only on Windows XP computers. If you have an XP machine that has been infected, please contact us if you would like more information on how to possibly recover your files.
Disclaimer: This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice and is presented without any representation or warranty as to the accuracy or completeness of the information. Please refer to your advisors for specific advice.