A new computer virus called WannaCry (aka WannaCrypt) has been making international headlines and doing real damage since its release on Friday, May 12, 2017. WannaCry is a type of malware known as “ransomware” that encrypts your data and holds it for ransom; paying the ransom often still results in permanent data loss.
Here’s what you need to know about WannaCry…
Are we safe?
No one is ever totally safe; the key is to have knowledgeable IT resources that you can count on at times like these. If you have downloaded the latest security patches and loaded them on your servers and desktop operating systems, that is a good start, but have you reminded all your staff that opening attachments or clicking links in emails that look suspicious or come from unknown sources is a bad idea? Do you have someone remotely monitoring your network for issues and attacks?
Why is this worse than other Ransomware?
Previous ransomware like CryptoLocker and CryptoWall infected one machine at a time. WannaCry exploits a Windows bug developed by the NSA to automatically infect other computers on the same network.
How does WannaCry spread?
The number one takeaway: Never click links or open attachments from unsolicited email messages. Like most malware, WannaCry initially comes from clicking a link or opening an attachment in an unsolicited email message. WannaCry spam messages include fake job offers, fake invoices, fake tax rebates, and dozens of other common phishing lures. After infecting one computer on a network it exploits a known bug in Windows computers to spread to other computers across the network.
The most important element of this outbreak to understand, and the one that is getting lost in the general news coverage, is that WannaCry has two stages:
Stage 1 – Initial Infection – this is how you get a “patient zero” on a network. This is the same as most other ransomware—a user clicks a bad link/attachment in an email. WannaCry encrypts local data and any available shared folders.
Stage 2 – Contagion – this is where the NSA/Microsoft bug comes into play. Unpatched computers can be infected with their own running copies of WannaCry, start their own encryption badness, and then spread again.
Patching servers and desktops doesn’t help with Stage 1: you can still get infected just as badly as with CryptoWall or CryptoLocker. That said, Stage 2 is undoubtedly much, much worse. The British healthcare agencies that are in deep trouble this week got hit so hard because they got to Stage 2.
We can’t force users to make good choices; we can only educate them. But we can do something to help businesses avoid a Stage 2 outbreak.
How is BTP protecting clients?
So far, none of our clients have been affected by the WannaCry virus. While there are no “silver-bullet” solutions, BTP takes a multi-layered approach to security including firewalls, antivirus software, and DNS filtering. These protect against the current “main branch” version(s) of WannaCry.
Since Friday, BTP has done the following:
- Followed the security trade press as the story unfolds and ensured we are using best practices for protection.
- Used our own test environment to determine whether WannaCry is stopped by our existing security measures—it is!!!
- Verified that all our servers and our clients’ servers have the correct patches in place to help prevent widespread infection.
The bug exploited by WannaCry to infect other computers was weaponized by the NSA and publicized in April. Bugs like these are becoming more commonly exploited and the destructive power of such ransomware attacks has increased. BTP previously took a soft approach to patching, erring on the side of caution by not forcing patches if a user was logged into their computer. Going forward, and following Microsoft’s lead with Windows 10, BTP will roll out a more aggressive patch schedule, forcing updates and prompting users to restart. Of course, our clients are contacted and fully briefed before we deploy any changes to our policies or to their networks.
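The patch verification described above, as an added example (this is not BTP’s own tooling): a PowerShell sweep that reports which hosts are missing the fix for the bug WannaCry uses to spread in Stage 2, so the unpatched ones can be patched and restarted first. The host names are hypothetical and the KB ids are placeholders; the page does not name the specific bulletin, so fill them in from the vendor advisory. It assumes PowerShell 5.1 on an administrative workstation with WMI reachable on each target.

```powershell
# Added example: patch-compliance sweep for the Stage 2 (network contagion) fix.
# Not BTP's tooling. Assumes PowerShell 5.1, admin rights on each target, and WMI
# (DCOM) reachable on each host. $RequiredKBs must be filled in from the vendor
# bulletin; the ids below are PLACEHOLDERS, not real patch numbers.

$Computers   = @('SERVER01', 'SERVER02', 'DESKTOP-FINANCE')   # hypothetical host names
$RequiredKBs = @('KB0000000', 'KB0000001')                     # PLACEHOLDER KB ids

function Test-PatchCompliance {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$RequiredKB
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over WMI on the remote host.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
            # A host counts as patched if ANY required KB is present: the same fix is
            # usually shipped under more than one KB id (monthly rollup vs. security-only),
            # so requiring every id would produce false "unpatched" results.
            $found = @($RequiredKB | Where-Object { $installed -contains $_ })
            [pscustomobject]@{
                ComputerName = $computer
                Compliant    = ($found.Count -gt 0)
                MatchedKB    = ($found -join ',')
                Error        = $null
            }
        } catch {
            # Unreachable or access denied: report it explicitly rather than
            # silently treating the host as patched.
            [pscustomobject]@{
                ComputerName = $computer
                Compliant    = $false
                MatchedKB    = ''
                Error        = $_.Exception.Message
            }
        }
    }
}

$report = Test-PatchCompliance -ComputerName $Computers -RequiredKB $RequiredKBs
$report | Format-Table -AutoSize

# Work list: every host that is not confirmed patched, unreachable ones included.
$report | Where-Object { -not $_.Compliant } |
    Export-Csv -Path .\unpatched-hosts.csv -NoTypeInformation
```

Hosts that error out are deliberately listed with the unpatched ones: a machine that cannot be queried is a machine whose patch state is unknown, and during an active outbreak unknown should be treated as unpatched until someone checks it by hand.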
BTP will continue to monitor the situation and we’ll be providing our clients ongoing guidance and alerting them to any direct actions that need to be taken. Please feel free to reach out to us if you have any concerns about your network and IT systems by emailing firstname.lastname@example.org or calling 646-442-4700.