Some tears are undoubtedly being shed as what is likely the single largest cyberattack of 2017 makes its way around the world, paralyzing computer systems and businesses. The WannaCry ransomware attack is believed to have begun either with phishing emails containing malicious links or documents containing the virus. The attack targets computers that did not patch a vulnerability in Windows 10, Windows 7, Windows XP, and Windows servers. Once those corrupted emails or files are opened, not only does the virus encrypt files from a long list of file types, but it also scans the networks connected to that computer in search of similar vulnerabilities so that it can spread to other file systems and computers, and eventually hold entire file systems hostage. The organization’s files will remain encrypted unless it pays ransomware in bitcoin ranging from $300 to $600.
Once it’s in, WannaCry ransomware begins its insidious work by anonymizing communications with the attacker’s servers (hiding their names and locations). By making these communications anonymous, the criminals hide their attack and prevent the victim from intercepting keys that would unlock the data or bitcoin payment a victim might send. WannaCry uses a number of executable files to carry out different parts of the infection, which, in essence, scrambles the data into a new unusable format. The virus can read and encrypt 160 different file types. You will know that you are a victim if your files retain their names but have a .wcry or .wncry extension (as opposed to, for example, .docx or .vsdx). If that isn’t bad enough, WannaCry deletes all original files using files with these names: WMIC.exe, vssadmin.exe and cmd.exe. If the WannaCry virus has not yet been deployed in your organization, check to see if any of these files are on your system, and delete them to avoid inadvertently launching the virus.
Even if your organization does not currently believe that it has been affected by this virus, it should back up important files and install the latest Microsoft patches across its entire infrastructure where the Windows OS is used. Microsoft has issued an emergency patch, and since this virus can impact Windows 10, 7, XP, and servers, the entire infrastructure should be protected. This is especially important because the malware scans the entire local area network, then begins propagating the viral code to accessible external IP addresses.
The following are some best practices to protect against malware threats:
- Keep all software up-to-date, including all security updates and patches.
- Do not open or click on any emails from unrecognized senders.
- Back up files regularly on systems that are not connected to your main system.
- Make certain all files uploaded to a system from any source are virus scanned with software that detects the virus.
- Remove plugins and add-ons to browsers that are not certified to be virus free, and keep other plug-ins up to date, such as Adobe Flash Player, Adobe Reader, Java, etc.
- Keep all employees informed of their roles in abiding by your organization’s best practices.