What Is WannaCry Ransomware?
Ransomware is a type of malware that renders local or network files unusable by encrypting them with a key held only by the attacker. The prefix “ransom-” is used because most attackers drop text files on the infected machines or network locations that explain how to pay for the decryption of the now-unusable files. Ransomware commonly targets high-use file types such as .docx, .xlsx, .pptx, .exe, et cetera, but can affect any other file type.
Ransomware can go by many names, including CryptoLocker, Phantom, Crysis, Cerber, and more. Many of these infections come from insecure links that request user action such as downloading a file or entering log-in information on a seemingly legitimate (but malicious) website, or they can be introduced if a network is open to remote connection or has a poor password policy in place.
The WannaCry ransomware behaves the same way as most other ransomware and has the same end: to coerce payment in return for decrypting files. However, the WannaCry variation also acts as a “worm,” a type of malware that proliferates across the network to other machines. This means that while there is likely a single point of origin, other machines on the network can pick up the infection from the initially infected machine and begin to encrypt files as well.
The WannaCry ransomware worm behavior takes advantage of a security flaw in Windows operating systems that has since been rectified via a security update released in March 2017. If your Windows Update services have been running successfully, then a machine that becomes infected will not propagate the virus any further. This DOES NOT mean that your network is immune to encryption, just that the spread of the virus will be contained.
What You Can Do
The WannaCry ransomware, or any other variation of ransomware, can be prevented by putting good security practices in place within your organization. In most cases, malware of this type needs to be “invited” into the system, meaning that some unwitting user action introduces it to the environment, from which it proliferates. Below are some best practices regarding security within your environment.
The ubiquity of email makes it an ideal vector for the introduction of ransomware. Common “phishing” emails request that a user enter their username and/or password for a given service, and can be expertly disguised to appear to come from trustworthy sources such as Amazon, Microsoft, ADP, UPS, etc. Other emails inform a user that a file has been shared with them and is available for download, also expertly disguised as originating from Dropbox, Google Drive, etc. Via these phishing emails, a user can unknowingly expose their network to malware.
Here are some tips to help users spot these attempts:
- DO NOT enter credentials for an existing service via a link in an email. If a user has requested a password change for a reputable service, the email sent to them will NOT ask for their current username or password.
- DO NOT download any file attached to or linked from an email unless the user was expecting a file from the sender. The user might need to contact the sender separately to verify that the email in question was valid.
- DO check the sender email address for any unusual abbreviations, variations, etc. E.g., a phishing scam may have a sending address of “amzn.com” or “email.amazon.com” instead of “amazon.com.” Even then, email spoofing may disguise the sender’s address as valid, so practice the above points carefully.
Another means by which ransomware may be introduced into the environment is via security holes within the network. If your organization is utilizing certain remote software or services, it may be required that ports be opened on your network firewall or that users frequently log in using their security credentials. While these openings are required for your business to function, there are some simple ways to heighten the security of your network.
- DO NOT open common ports in your network firewall. Attackers know the common ports that need to be made available for certain protocols to function, e.g. 3389 for Remote Desktop Services, 21 for FTP. These ports are closed by default on most firewalls and should remain closed, or, if needed, they should be configured in a more secure manner.
- DO NOT have users use one password for everything. Variability means that if a user’s credentials are compromised, not all services associated with that user will be compromised as well.
- DO enforce complex user passwords. Users should have complex passwords that utilize capital and lowercase letters, numbers and symbols, and they should never include information like birth dates, plain-letter names, the username, etc.
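The following PowerShell script is an added example (not from the original article or TechWise Group) that audits a single Windows host for two of the points above: enabled inbound firewall rules allowing the ports the article names (3389 and 21), and the state of the Windows Update service that the article says contains the worm’s spread. It assumes the built-in NetSecurity module (Windows 8.1 / Server 2012 R2 or later) and an elevated session.

```powershell
# Added example: audit a Windows host for the exposures the article lists.
# Assumes an elevated PowerShell session with the NetSecurity module available.

# Ports the article names as commonly targeted: RDP (3389) and FTP (21).
$WatchedPorts = @('3389', '21')

# Every enabled inbound rule that allows TCP traffic on one of those ports,
# across all profiles (Domain / Private / Public). Note: port ranges such
# as "3380-3390" are not expanded here; only exact entries are matched.
$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $rule | Get-NetFirewallPortFilter |
            Where-Object {
                $_.Protocol -eq 'TCP' -and
                ($_.LocalPort | Where-Object { $WatchedPorts -contains $_ })
            } |
            ForEach-Object {
                [PSCustomObject]@{
                    Rule      = $rule.DisplayName
                    Profile   = $rule.Profile
                    LocalPort = ($_.LocalPort -join ',')
                }
            }
    }

if ($exposed) {
    Write-Warning "Enabled inbound allow rules exist for ports the article says should stay closed:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Output "No enabled inbound allow rules for TCP 3389 or 21."
}

# The article notes that a machine whose Windows Update service has been
# running successfully will not propagate the worm. Report the service
# state and the most recently installed security update.
$wu = Get-Service -Name wuauserv
Write-Output ("Windows Update service: {0} (startup type: {1})" -f $wu.Status, $wu.StartType)

$lastSecurity = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastSecurity) {
    Write-Output ("Most recent security update: {0}, installed {1}" -f $lastSecurity.HotFixID, $lastSecurity.InstalledOn.ToShortDateString())
} else {
    Write-Warning "No security updates with an install date were found."
}
```

A rule appearing in the first table is not automatically wrong (an RDP rule scoped to the Domain profile and a management subnet may be intentional), but each one should be justified and scoped rather than left open to all addresses.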
Interested in how TechWise Group could help you?
Contact us at firstname.lastname@example.org.
If you would like additional information from Microsoft regarding the WannaCry ransomware variation, the following articles have been released by Microsoft:
The link below outlines the MS17-010 security update released by Microsoft in March 2017: