The ransomware, known variously as WannaCry, WanaCrypt, WanaCrypt0r, WCry and Wanna Decryptor, has infected thousands of machines worldwide. It spreads like a worm by exploiting a Microsoft Windows vulnerability: it scans for hosts exposing the legacy network protocol Server Message Block (SMB) and targets computers that have not yet applied the patch for the exploited vulnerability. Ransomware works by encrypting the files on the compromised computer, making them inaccessible. The malware then demands a payment of $300 worth of the digital currency Bitcoin. Failing to pay within the specified timeframe results in an increased ransom. Non-payment usually results in the permanent loss of access to the encrypted files.
What can I do now?
- Apply the Windows patch released on the 14th March (this will not help those machines already compromised).
- Prevent WannaCry from communicating on your network, block inbound traffic on SMB (ports 139, 445).
- Block connections to the anonymisation network Tor and specifically the Tor nodes and known Tor exit nodes.
- Update the rule base on your Intrusion Detection/Prevention (IDS/IPS) or firewall platforms with the publicly available Indicators of Compromise (IoC), Command and Control (CnC) and hash values for WannaCry.
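The host-side part of the steps above (patch state, the legacy SMB dialect the exploit abuses, and the inbound SMB block on TCP 139/445) can be checked and enforced per endpoint. The script below is an added example, not code from the QA article or from NCSC; it assumes an elevated PowerShell on Windows 8/Server 2012 or later, that the administrator supplies the MS17-010 KB identifier for the OS build in `$RequiredKBs` (a placeholder is used here), and that it is run on workstations rather than file servers, which is why the Domain profile is left untouched.

```powershell
# Added example (not from the original article): report-only by default,
# pass -Enforce to disable SMBv1 and add the inbound block rule.
param(
    [string[]]$RequiredKBs = @('KB-PLACEHOLDER-MS17-010'),  # replace with the MS17-010 KB for this OS build
    [switch]$Enforce
)

$report = [ordered]@{}

# 1. Is the March 2017 patch (MS17-010) installed on this host?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$report['MS17-010 patched'] = [bool]($RequiredKBs | Where-Object { $installed -contains $_ })

# 2. Is the legacy SMBv1 dialect still enabled on the server side?
$smb = Get-SmbServerConfiguration
$report['SMBv1 enabled'] = $smb.EnableSMB1Protocol

# 3. Is inbound SMB (TCP 139/445) blocked by a host firewall rule?
$ruleName = 'Block inbound SMB (WannaCry mitigation)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$report['Inbound SMB block rule present'] = [bool]$rule

if ($Enforce) {
    if ($smb.EnableSMB1Protocol) {
        # SMBv1 is the dialect the exploit targets; SMBv2/3 clients are unaffected by turning it off.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $report['SMBv1 enabled'] = $false
    }
    if (-not $rule) {
        # Block on Public and Private profiles only, so domain file sharing on the
        # Domain profile keeps working; tighten further for hosts that never serve files.
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Public,Private -Enabled True | Out-Null
        $report['Inbound SMB block rule present'] = $true
    }
}

# Print the findings and exit non-zero on any failed check so a fleet-wide sweep can collect results.
$report.GetEnumerator() | ForEach-Object { '{0,-32} : {1}' -f $_.Key, $_.Value }
$ok = $report['MS17-010 patched'] -and (-not $report['SMBv1 enabled']) -and $report['Inbound SMB block rule present']
exit ([int](-not $ok))
```

The firewall rule only covers the host it runs on; the perimeter block of ports 139 and 445 still needs to be applied on the network firewalls as the list above says.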
What should I be doing next?
There are over 50 ransomware families and some 300 strains; prepare for new variants of WannaCry, which will appear in the wild this month.
- Review your backup strategy, back up your data and key platforms regularly. If you become a ransomware victim, restore your files from a backup instead of paying the ransom.
- Test your backup process. Practise recovering backups and the enterprise data-centric platforms that are at highest risk to you.
- Install patches and updates immediately, subject to your patch testing processes. Many victims of ransomware are using outdated or unprotected operating systems.
- Install strong anti-virus and anti-malware software and keep it updated with the latest virus and malware definitions.
- Educate your staff about cyber hygiene and phishing awareness; they will be the gateway for a future cyber-attack on your business.
- Take care when clicking links in emails.
- Exercise extreme caution when opening any email attachment. Think before you click!
- Take an extra moment to check unexpected emails you receive — even from trusted sources.
The National Cyber Security Centre (NCSC) threat guidance page provides the latest information on this ransomware threat.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored to business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community, and has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM and CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, and is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor of cyber insights and industry collaboration, including speaking engagements.
He is also a STEM Ambassador, working to engage and enthuse young people in the area of cyber security, providing a unique perspective on the world of cyber security to teachers and encouraging young people to consider a career in the field.