Last year, a number of UK hospitals were struck by a new kind of ransomware attack. Computers were taken over and their data encrypted, followed by a demand for a ransom, payable in the hard-to-trace crypto-currency ‘bitcoin’, to get the data back. The attack did not end there but spread rapidly, and is estimated to have affected over 200,000 computers in 150 countries, from telecoms in Spain to the Interior Ministry in Russia. Known widely as ‘WannaCry’, ‘WanaCryptor’ and ‘WannaCrypt’, it was a ‘worm’: a program that replicates itself in order to spread to other computers, with no further action needed from the attacker. Of course, when dealing with criminals, there was no guarantee that they would actually release the encrypted data even when a ransom was paid.

What do you need to know about this ransomware attack and what can we learn from it?

Where did it come from?

WannaCry was built around an exploit known as ‘EternalBlue’, which takes advantage of a vulnerability in the SMBv1 file-sharing service of Microsoft Windows (the flaw Microsoft patched under the bulletin MS17-010). It was reported that this weakness was discovered by the NSA and developed into a ‘cyber-weapon’, only to be obtained and leaked, in April 2017, by a group of hackers calling themselves the Shadow Brokers.

How did it spread?

Unlike other types of attack we’ve covered, where a computer is infected through an email that tempts the user to click on a link or open an attachment, WannaCry did not rely on human error. The EternalBlue exploit works over the network: it sends crafted SMB traffic to TCP port 445 on any reachable Windows machine and needs no action from the user at all. A machine with that port exposed to the internet could be infected directly, and once inside an organisation the worm scanned the local network for further vulnerable machines, so it could still spread within an office even where it could not reach in from the internet.

How was it stopped?

A ‘killswitch’ was discovered within the code of the malware. Before WannaCry spreads, it tries to connect to a specific, previously unregistered domain. If the connection succeeds, it proceeds no further. If the connection fails, it carries on, infecting machines and demanding ransoms.

To make use of this ‘killswitch’, a computer security researcher in the UK registered the domain that the WannaCry code was checking for and pointed it at a ‘sinkhole server’, so that every new copy of the worm that reached the check connected successfully and shut itself down. Although this was no help to already infected machines, it did stop the worm spreading further. One caveat worth knowing: the check only helps if the infected machine can actually reach the domain. Machines that could only get to the internet through a web proxy, and organisations that blocked the domain on their web filters, did not get the benefit, so the killswitch domain should be allowed, not blocked.
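The two behaviours described above, the spreading under ‘How did it spread?’ and the killswitch check, both leave traces in ordinary logs. The following is added example code (not from the original article, and not any vendor’s tool) showing what a security team can look for: one host opening SMB (TCP port 445) connections to many different machines in a short time, which is what the worm’s scanning loop looks like from a firewall or NetFlow sensor, and DNS lookups of the killswitch domain, which after the sinkhole was in place mark machines where the worm ran and then stopped itself. The log format and the sample lines are constructed for this example, and the domain name is a placeholder, not WannaCry’s real one.

```python
"""Added example: detect WannaCry-style behaviour in connection and DNS logs.

Two signals are checked over constructed sample lines (not real data):
  1. SMB fan-out: one source opening TCP/445 connections to many distinct
     hosts inside a short sliding window, as the spreading loop does when
     it scans a subnet.
  2. Killswitch lookups: DNS queries for the killswitch domain. Once that
     domain was sinkholed, such a query means the worm executed on the
     host and exited without encrypting, so the host still needs cleaning.
The 'TIMESTAMP key=value ...' log layout is assumed for this example, and
the domain below is a placeholder, not the real killswitch domain.
"""
from collections import defaultdict, deque
from datetime import datetime

KILLSWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, see above

# Constructed sample: 10.0.1.25 hits twelve different hosts on 445 in ~30 s
# (worm-like); 10.0.1.40 talks to its file server repeatedly (normal);
# 10.0.2.7 looked up the killswitch domain.
SAMPLE_LOG = """\
2017-05-12T13:40:59Z type=dns src=10.0.2.7 query=killswitch-domain.example
2017-05-12T13:41:00Z type=conn src=10.0.1.40 dst=10.0.1.5 dport=445
2017-05-12T13:41:02Z type=conn src=10.0.1.25 dst=10.0.1.1 dport=445
2017-05-12T13:41:05Z type=conn src=10.0.1.25 dst=10.0.1.2 dport=445
2017-05-12T13:41:08Z type=conn src=10.0.1.25 dst=10.0.1.3 dport=445
2017-05-12T13:41:11Z type=conn src=10.0.1.25 dst=10.0.1.4 dport=445
2017-05-12T13:41:14Z type=conn src=10.0.1.25 dst=10.0.1.5 dport=445
2017-05-12T13:41:17Z type=conn src=10.0.1.25 dst=10.0.1.6 dport=445
2017-05-12T13:41:20Z type=conn src=10.0.1.25 dst=10.0.1.7 dport=445
2017-05-12T13:41:23Z type=conn src=10.0.1.25 dst=10.0.1.8 dport=445
2017-05-12T13:41:26Z type=conn src=10.0.1.25 dst=10.0.1.9 dport=445
2017-05-12T13:41:29Z type=conn src=10.0.1.25 dst=10.0.1.10 dport=445
2017-05-12T13:41:32Z type=conn src=10.0.1.25 dst=10.0.1.11 dport=445
2017-05-12T13:41:35Z type=conn src=10.0.1.25 dst=10.0.1.12 dport=445
2017-05-12T13:41:40Z type=conn src=10.0.1.40 dst=10.0.1.5 dport=445
2017-05-12T13:41:45Z type=conn src=10.0.1.40 dst=10.0.1.6 dport=443
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'time' becomes a datetime."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def smb_fanout(events, window_seconds=60, threshold=10):
    """Return {src: peak distinct TCP/445 destinations} for every source that
    reached at least `threshold` distinct hosts within one sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("type") == "conn" and e.get("dport") == "445":
            by_src[e["src"]].append((e["time"], e["dst"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        window = deque()
        peak = 0
        for t, dst in conns:
            window.append((t, dst))
            # drop connections older than the window relative to the newest one
            while (t - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def killswitch_lookups(events, domain=KILLSWITCH_DOMAIN):
    """Distinct sources that queried the killswitch domain: infected, but the
    worm exited after the sinkhole answered. Still clean these hosts."""
    return sorted({
        e["src"] for e in events
        if e.get("type") == "dns" and e.get("query", "").lower() == domain.lower()
    })


def triage(text):
    events = parse_log(text)
    return {
        "spreading": smb_fanout(events),
        "killswitch_hits": killswitch_lookups(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The fan-out threshold and window need tuning to the environment: vulnerability scanners, backup servers and domain controllers legitimately talk to many hosts on port 445, so allowlist them rather than lowering the threshold. Note that a killswitch hit is good news and bad news at once: the worm did not encrypt that machine, but it did run there, which means the machine was reachable and unpatched.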

Who was vulnerable?

Microsoft had in fact released a security patch for the vulnerability (MS17-010) for all supported versions of Windows in March 2017, two months before the outbreak, so machines that had installed it could not be infected by this version of WannaCry.

However, not all users automatically download and install patches and software updates, and those who had not done so remained vulnerable to WannaCry. Additionally, those still running outdated operating systems for which Microsoft no longer routinely provides support, updates and patches remained at higher risk of falling victim to this attack. Microsoft did, however, take the unusual step of releasing special patches for the older systems Windows XP, Windows 8 and Windows Server 2003 once the attack was under way. In customer guidance following the attack, Microsoft recommended turning on automatic updates and disabling the old SMBv1 protocol where it is not needed.
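The practical question behind ‘who was vulnerable?’ is which machines still expose the SMBv1 service that EternalBlue attacks. The following is added example code, not the article’s and not Microsoft’s, that sends an SMBv1 negotiate request to a host on TCP port 445 and reports whether the host accepts SMBv1 at all. The wire format follows the SMB1 specification (MS-CIFS); the header flag values, the dialect list and the constructed reply used for offline testing are this example’s own choices. A host that answers is exposed whether or not it has the MS17-010 fix installed, so this tells you about attack surface rather than patch state, and it should only be run against networks you are responsible for.

```python
"""Added example: SMBv1 exposure probe (not the article's or Microsoft's code).

EternalBlue abuses the SMBv1 service on TCP/445. A host that still accepts an
SMB_COM_NEGOTIATE request offering only SMB1 dialects has the attack surface
WannaCry used, regardless of patch state. Layout follows MS-CIFS; header flag
values and the dialect list are this example's choices.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF  # DialectIndex the server returns when it accepts none


def _smb1_header(command, flags=0x18):
    """32-byte SMB1 header: magic, command, 4-byte status, flags, flags2,
    PIDHigh, 8-byte security features, reserved, TID, PIDLow, UID, MID."""
    return (
        SMB1_MAGIC
        + bytes([command])
        + struct.pack("<I", 0)              # Status
        + bytes([flags])                    # Flags: case-insensitive, canonical paths
        + struct.pack("<H", 0x0001)         # Flags2: long names
        + struct.pack("<H", 0)              # PIDHigh
        + bytes(8)                          # SecurityFeatures
        + struct.pack("<H", 0)              # Reserved
        + struct.pack("<HHHH", 0, 1, 0, 1)  # TID, PIDLow, UID, MID
    )


def _netbios(smb):
    """Wrap an SMB message in a NetBIOS session header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=(b"NT LM 0.12",)):
    """SMB_COM_NEGOTIATE with WordCount 0 and a ByteCount'd list of dialects,
    each encoded as 0x02 + name + NUL. Offering only SMB1 dialects means a
    successful answer proves the server speaks SMB1."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE) + b"\x00"
                    + struct.pack("<H", len(data)) + data)


def parse_negotiate_response(raw):
    """Classify a reply: 'smb1' if an SMB1 dialect was accepted, 'smb2' if the
    server answered with an SMB2 header, None for anything else."""
    if len(raw) < 4:
        return None
    smb = raw[4:4 + int.from_bytes(raw[1:4], "big")]
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if smb[:4] != SMB1_MAGIC or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return None
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if status != 0 or word_count == 0 or dialect_index == NO_DIALECT:
        return None
    return "smb1"


def constructed_smb1_reply(dialect_index):
    """A constructed (not captured) SMB1 negotiate response for offline tests:
    WordCount 17, DialectIndex, 16 further zeroed words, ByteCount 0."""
    params = bytes([17]) + struct.pack("<H", dialect_index) + bytes(32)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + params
                    + struct.pack("<H", 0))


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the negotiate, classify the answer. Returns 'smb1',
    'smb2', 'closed' (connection dropped without a reply, which is what a
    Windows host with SMB1 disabled typically does), None (unparseable
    reply) or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(4096)
    except OSError:
        return "unreachable"
    return parse_negotiate_response(reply) if reply else "closed"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

Run it as `python probe.py 10.0.1.25 10.0.1.26` against your own hosts. Any machine that comes back as `smb1` is a candidate for disabling SMBv1 or, if an old application genuinely needs it, for strict firewalling of port 445 to the few hosts that must talk to it; either way it should never be reachable on port 445 from the internet.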

How did those affected recover?

The short answer is, unfortunately, with difficulty and at great expense.

WannaCry became the biggest ransomware attack in history because of a combination of circumstances. The NSA’s decision to keep the vulnerability to itself, the subsequent leak and the availability of bitcoin as a convenient means of collecting ransoms are all outside your control.

However, one of the factors was organisations using outdated software that was no longer fully supported. It can be time consuming to upgrade an operating system and train staff on the new version. It is worth bearing in mind, though, in terms of guarding your data security, that large teams of people in the industry are constantly identifying and fixing security flaws in the current versions of their products, and that those fixes only reach machines which are kept up to date. In this case the fix existed two months before the attack; the machines that were hit were the ones that had not installed it.

The situation and the risks involved are obviously complex and it can be very useful to have experts in your corner. We have the tools to protect you and your business against ransomware. Contact MSP Blueshift today.