On 12th May 2017 computers around the world were hit with the largest ransomware attack ever recorded. Within 72 hours of the attack, over 200,000 computers in 150 countries across the globe were affected.
How did the ransomware attack happen?
A form of ransomware called WannaCry began spreading on Friday 12th May 2017. Cyber experts are suggesting the malware has most likely been introduced into affected computers using phishing attack techniques. As soon as a computer system has been affected, the malware spreads to other computers by taking advantage of a vulnerability in the Microsoft Windows operating system. The WannaCry ransomware encrypts files on a computer, blocking users from accessing all files, and demands payment of a $300 ransom in Bitcoin to decrypt the files. The ransom increases to $600 if the $300 is not paid within three days, and if the ransom remains unpaid after seven days the files are permanently lost.
Who has it affected?
The National Health Service is the most high-profile organisation in the UK to be affected; however, other public sector organisations, such as the Indian State police, have also been targeted. Large corporate and commercial businesses have not escaped the attack, with car manufacturing giant Nissan and FedEx also becoming victims.
Graphic source: MalwareTech
Despite news organisations focusing on high profile brands that have been affected, the attack has been completely indiscriminate and the vast majority of businesses affected are likely to be small and medium sized businesses as well as personal computers at home. At this stage, there is no evidence to suggest the creators of the ransomware have been able to access data and information held within the affected files, so previous fears that confidential information may have been stolen as part of the attack do not seem to have transpired.
Is the attack over?
Over the last few days the attack appears to have lost momentum; however, this is partly due to the actions of Marcus Hutchins, a 22-year-old cybersecurity researcher based in the UK who works under the alias “MalwareTech.” He discovered a “kill switch” in the WannaCry ransomware and, as a result, it has been reported his actions may have prevented over 100,000 additional attacks. There have been unconfirmed reports that the ransomware has reappeared without the “kill switch”, so businesses are being advised to be extra vigilant and mindful of suspected phishing e-mails over the coming days and beyond.
Is the version of Windows used in my business vulnerable?
In April 2017 Microsoft released a patch that eliminates the vulnerability in newer versions of Windows. However, if you are running computer systems on older versions of Windows, your business may have been extremely vulnerable if you did not apply the updates that were made available from Microsoft. There are other ways your business can continue to use older versions of Windows and avoid the attack: disabling the vulnerable aspects of Windows and configuring firewalls to block attacks that target the access ports used by the vulnerability. Some antivirus software may have also detected the ransomware. Unfortunately, as the last few days have demonstrated, many businesses and organisations of all sizes did not apply the updates and patches after they were released by Microsoft last month, or take the necessary actions to prevent the attack infiltrating their systems.
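The checks described above can be run on a single machine with the following read-only audit, an added example that is not part of the original article. The article does not name the vulnerable component; the script assumes the widely reported details, that WannaCry spread through the legacy SMBv1 file-sharing protocol over TCP port 445, and the function name `Get-Smb1Exposure` is hypothetical.

```powershell
# Added example, not from the article: read-only audit of one Windows host.
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell session,
# and that the exposed service is SMBv1 on TCP 445 (not stated in the article).
function Get-Smb1Exposure {
    # 1. Is the legacy SMBv1 server protocol still enabled?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Enabled inbound firewall rules that explicitly name TCP port 445.
    #    Limitation: rules written as "any port" or as a port range are not matched.
    $allow = @()
    $block = @()
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '445') {
            if ($rule.Action -eq 'Allow') { $allow += $rule.DisplayName }
            else                          { $block += $rule.DisplayName }
        }
    }

    # 3. Date of the most recently installed Windows update on this host.
    $lastUpdate = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # Flag the host if SMBv1 is on, or if 445 is allowed in with no block rule.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1ServerEnabled   = $smb1
        AllowRulesTcp445    = $allow
        BlockRulesTcp445    = $block
        LastUpdateInstalled = $lastUpdate.InstalledOn
        NeedsAttention      = $smb1 -or ($allow.Count -gt 0 -and $block.Count -eq 0)
    }
}

Get-Smb1Exposure | Format-List

# Remediation (changes the system; blocking 445 also stops Windows file sharing
# to this host, so test before rolling out):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
#     -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
```

A recent update date alone does not prove the relevant patch is installed; treat it as a prompt to check the machine's update history.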
If my business has been targeted by WannaCry ransomware, what should I do?
Computers affected by the WannaCry cyber-attack will have the image below on screen. As with most ransomware attacks that encrypt files, you are left with the choice of restoring the encrypted files from backups or paying the ransom; however, government authorities and the police are encouraging victims not to pay the ransom because there is no guarantee the attackers will release the files. Any restoration from backups must also eradicate the malware from your computers. In addition to addressing the attack itself, you should immediately notify your insurer under any potentially applicable cyber or ransom insurance policies. At the time of writing this article, the total ransom amount paid had reached $56k.
How can I avoid potential future cyber-attacks?
There are several, relatively simple steps you can take:
- Train your staff to recognise phishing attempts, which will reduce the chances that ransomware could enter computer systems.
- Microsoft quickly issue software patches when vulnerabilities are flagged. Don’t delay! Update your systems regularly, especially when a ‘patch’ becomes available. These fixes are not typically installed automatically, so make sure those responsible for risk management and IT support have efficient processes in place to be notified of update availability and to take action on a regular basis.
- Introduce application whitelisting to prevent all unauthorised software from running.
- Install advanced malware protection, such as artificial intelligence-based software to identify unusual system activity.
- Always back up systems regularly. Restoring the affected files from your backup is the most effective way to resolve the issue quickly. You should also consider saving backups to a different system so that a ransomware attack cannot encrypt the backup.
- Install and conscientiously update antivirus software.
- Ensure that the company has an incident response plan to follow when a ransomware attack takes place.
If I have Cyber Insurance cover, would it protect me from the implications of a ransomware attack?
Cyber insurance cover can be crucial in your organisation’s ability to recover quickly from a ransomware or any other type of cyber-attack and prevent or mitigate resultant financial loss. One of the main benefits of arranging Cyber insurance cover is often access to valuable expertise and provision of a 24/7 helpline to provide assistance in responding to an incident immediately, as well as cover for forensic, investigative and crisis management costs. Additional covers may include the costs associated with loss of data and restoration, business interruption losses due to network security failures, and cyber extortion damages and expenses.
If you have any questions relating to this article or would like information on what options can be considered for Cyber Insurance cover at your business, please contact Troy Johnson on 0151 236 5656 or e-mail firstname.lastname@example.org who will be delighted to assist with your enquiry.