By Matthew Dowling, IT Instructor at Lincoln Tech in Paramus, NJ
It’s no secret the pirates of the 21st century are no longer on ships. Instead, they are online, and on Friday, May 12, 2017, the modern pirates struck again. The Wanna.Cry attack, like many other attacks in the last 4 to 5 years, used a type of malware called ‘Ransomware’ to hold the files of unsuspecting users for a ransom of approximately $300. Those files could be personal documents, family pictures, and funny cat videos. But they could also be medical records, budget spreadsheets, design blueprints and human resources information.
If you know what happened and why the attack was so effective, then you will know how to protect yourself. If we don’t Wanna.Cry, then we have to protect ourselves.
Whether you listened to the news, read the paper, or just caught half-conversations, everywhere people were talking about the huge cyber-attack that knocked out 12 major hospitals in the UK and over 200K computers in 150 countries. But what actually happened? Put simply, someone, or some group, developed a piece of malware (which is simply short for malicious software) that encrypts files, rendering them unreadable unless you have the ‘key’ that unlocks them.
But, there’s a catch. The only way to conceivably get the ‘key’ is to pay the ransom to the bad guys who locked your files up in the first place. It’s as if someone broke into your home while you were away, changed the locks, and then locked themselves inside. And there you are standing outside unable to get back into your own home unless they give you the new key, which they’ll happily give you if you slide them some cash.
You see, they don’t want your possessions. They want your cash. They have no interest or use for your baby pictures, funny cat videos, medical records or blueprints. They want money.
At a recent IT Focus Group at Lincoln Tech in Paramus, we covered the topic of Ransomware in some depth. However, Wanna.Cry was different from previous ransomware in a simple yet very big way.
That “big way” in which it was different is why it was so effective. We’ve all heard of Ransomware in some way, shape or form, but never the panic that ensued after the bloodbath on Friday. So, what was different?
Remember the NSA ‘Tools’ that were leaked by Shadow Brokers last month? One of those tools is a Windows exploit called EternalBlue that trivially allows a remote attacker to run malicious software on a vulnerable system by exploiting SMB. SMB stands for “Server Message Block” and is essentially how Windows systems compose requests to other computers, as well as how those other computers respond to them. Blocks used to create messages for servers – Server Message Blocks.
Why is this important? Because the Wanna.Cry Ransomware’s initial attack vector (initial way of getting onto your computer) is still email phishing, malicious websites, and malvertising. But once it has infected one computer, it uses the EternalBlue flaw to automatically infect every vulnerable system on the network. It uses “Server Message Blocks” to convince other Windows systems that they Wanna.Cry, too. Since most corporate environments run Windows-based systems, it was only a matter of time before it spread like wildfire. Technically, it spread like a worm. And that’s what made this fast mover so different that everyone was talking, even CNN.
How can you protect yourself and your organization? Believe it or not, following these few Information Security best practices is the reason I don’t Wanna.Cry.
- Patch, patch, patch. What’s patching? Patching is applying updates to your applications and operating system (OS) as they become available. Microsoft released an update that fixed the vulnerability EternalBlue exploits on March 13th. Even though most organizations run 2-4 weeks behind on patches to allow for testing, there were about 2 months between the release of the fix and the release of the malware.
- Don’t click on links in or open emails from people you don’t trust. If you get an email asking you to click on the link, and you’re not expecting it, then don’t click the link. Period. If it’s your bank, separately visit the bank website. If it’s your favorite social media site, same thing. Phishing is highly effective and is one of the most common ways organizations are hacked or infected.
- Implement security devices to help detect and deter the malware. Security devices such as antivirus (AV), intrusion prevention systems (IPS), and email filtering can proactively thwart the threat ahead of time if configured properly. In most cases, they can be set up to detect malicious activity once you know what you’re looking for.
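As an added example (not from the article or its author), here is a small Python detector for the worm-like fan-out described above: one host opening SMB (TCP 445) connections to many internal peers within seconds, which is the network behaviour the spreading stage produces and the kind of pattern the IPS or monitoring in the third best practice would be tuned to flag. The flow-log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (not from the article). Host 10.0.5.21 sweeps
# six neighbours on TCP 445 within seconds; 10.0.5.22 is an ordinary client.
SAMPLE_LOG = """\
2017-05-12 10:00:01 src=10.0.5.21 dst=10.0.5.40 dport=445
2017-05-12 10:00:02 src=10.0.5.21 dst=10.0.5.41 dport=445
2017-05-12 10:00:02 src=10.0.5.21 dst=10.0.5.42 dport=445
2017-05-12 10:00:03 src=10.0.5.21 dst=10.0.5.43 dport=445
2017-05-12 10:00:04 src=10.0.5.21 dst=10.0.5.44 dport=445
2017-05-12 10:00:05 src=10.0.5.21 dst=10.0.5.45 dport=445
2017-05-12 10:00:10 src=10.0.5.22 dst=10.0.5.10 dport=445
2017-05-12 10:05:00 src=10.0.5.22 dst=10.0.5.11 dport=445
2017-05-12 10:00:11 src=10.0.5.23 dst=10.0.5.40 dport=80
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, dport); skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def smb_fanout_alerts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct hosts} for sources reaching >= threshold distinct
    hosts on TCP 445 inside a sliding window: the fan-out a worm sweep produces."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if dport == 445:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide window start forward
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm spread: {src} reached {n} hosts on 445 within 60s")
```

The threshold and window are tuning knobs: a real file-server client may legitimately reach a handful of hosts on 445, so set them from a baseline of your own network before alerting on them.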
At the end of the day, there is no silver bullet, no all-in-one solution for Wanna.Cry or future variants. The fact is, you can do everything right – have strong policies and good overall personal and company cybersecurity awareness – and someone can still thoughtlessly click on an emailed link and become infected.
Think of fire safety in homes and buildings: nothing makes them fireproof, but the precautions taken can prevent most fires and limit the damage in the event one does start. Similarly, the end goal in cybersecurity is to minimize the impact once the initial attack vector succeeds, which we must assume is always a possibility.
About the author: Matthew Dowling is an IT Instructor at Lincoln Tech’s Paramus, NJ campus and a Cybersecurity Consultant specializing in Penetration Testing for STI Group, LTD in Glen Rock, NJ.