Another ransomware attack hits, this time on a scale never seen before. The spread has gone viral across a large and crucial network – the network underpinning the UK's National Health Service.
There are three main differences between this attack and previous ransomware incidents.
- The scale - it's gone viral in a very short space of time. This is because the ransomware uses "worm-like" behaviour to spread to neighbouring computer systems. It's one of the first well-publicised ransomware infections that spreads via direct network exploitation.
- The malware is exploiting a vulnerability in Microsoft Windows operating systems - MS17-010. This vulnerability was disclosed last month in an NSA leak by a hacking group called "The Shadow Brokers". The very same toolkit used to hack into and secretly snoop on foreign governments is now in the public domain, and more worryingly, built into a ransomware worm. The vulnerability affects many Microsoft Windows operating systems, including out-of-support Windows XP.
- The malware has found itself on a vulnerable network, with a number of important outdated systems - the UK's NHS. Life-critical computers within the NHS network have had their integrity and availability severely compromised by this infection. The political blame game will likely roll on for a while, but it does appear that the impact of disruption to patients' health may have been miscalculated when compared to the risk of a widespread malware infection rendering critical internal machines useless.
We've had several clients ask us for pragmatic advice on what they should do. So, here's our advice:
- Traditional worms spread by exploiting a vulnerable service and leveraging this access to seek out and exploit similar vulnerable machines. Enable host-based firewalls. Microsoft Windows workstations do not typically require peer-to-peer networking. Only allow inbound connections from trusted hosts delegated for administration. Preventing direct access to the vulnerable service, in this case SMB (TCP port 445), will stop the spread of the worm.
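The following is an added example, not code from the original post: it applies the host-firewall advice above on a single Windows host with the built-in NetSecurity cmdlets. It assumes Windows 8 / Server 2012 or later and an elevated PowerShell session; the two addresses in `$TrustedAdminHosts` and the rule name are constructed placeholders that you would replace with your own administration hosts.

```powershell
# Added example: restrict inbound SMB (TCP 445) to a short list of trusted
# administration hosts and drop it from everywhere else.
# Assumes an elevated shell on Windows 8 / Server 2012+ (NetSecurity module).
$TrustedAdminHosts = @('10.0.0.10', '10.0.0.11')   # placeholder addresses, not real hosts
$RuleName = 'SMB-In (trusted admin hosts only)'     # placeholder rule name

# 1. Default inbound policy Block on every profile, so anything without an
#    explicit Allow rule (including TCP 445 from a worm) is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in File and Printer Sharing rules. Windows Firewall
#    evaluates Block before Allow, but an enabled built-in SMB-In allow rule
#    would otherwise reopen 445 to the whole subnet.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Allow TCP 445 only from the trusted hosts (recreate the rule idempotently).
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $TrustedAdminHosts -Action Allow -Profile Domain,Private,Public | Out-Null

# 4. Verify: list every enabled inbound rule that explicitly names port 445,
#    with its action and remote-address scope. Only the rule above should allow.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The verification step only matches rules that name port 445 explicitly; a rule with `LocalPort` set to `Any` would not appear, so review those separately. Pushing the same settings through Group Policy rather than per host is the natural next step for a domain, but the rule logic is the same.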
- Patch your systems. Critical patches should always be deployed as quickly as possible. This applies to the operating system and all installed applications. If you are up-to-date with your Microsoft patches, the risk of onward network infection by the WannaCrypt/Wcry/WanaCrypt/Wanna Decryptor malware is reduced. The initial infection vector and ransom encryption risk may remain, but the worm-like spread should be contained. Whilst testing and rolling out patches can sometimes seem expensive in budget-constrained organisations, the cost of recovery will be many orders of magnitude greater.
- Take regular backups. If you have the luxury of a virtualised file server, take regular snapshots. You need to be able to recover quickly. You do not want to be in the position of considering paying the ransom; without backups, this may be your only chance of recovering your data, and at that point you rely upon criminals to keep their word and you encourage further attacks of this type by reinforcing the financial reward.
- If the worst happens, immediately mark all your file shares (data assets) read-only. You need to stop the spread when you find compromised hosts. Don't know where to start looking? Check the owner of the first encrypted file – often, this will be patient zero.
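As an added example (not part of the original post), here are the two containment steps above as PowerShell functions for a Windows file server: one downgrades every non-administrative SMB share to read-only, the other finds the earliest encrypted file under a share root and reports its owner. It assumes the SmbShare module (Server 2012 or later) and an elevated session; the share root and the encrypted-file extension pattern are constructed placeholders, since the real extension depends on the ransomware family involved.

```powershell
# Added example: incident-response helpers for a Windows file server.
# Assumes an elevated shell with the SmbShare module (Server 2012+).

# Rewrite every Allow ACE granting Full or Change on a non-admin share as Read.
# Share-level Read is intersected with NTFS permissions, so writes over SMB stop
# even where NTFS would still allow them.
function Set-SharesReadOnly {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_.Name
        Get-SmbShareAccess -Name $share |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full','Change' } |
            ForEach-Object {
                # Revoke drops the existing ACE for the account; Grant re-adds it as Read.
                Revoke-SmbShareAccess -Name $share -AccountName $_.AccountName -Force | Out-Null
                Grant-SmbShareAccess -Name $share -AccountName $_.AccountName -AccessRight Read -Force | Out-Null
                "$share : $($_.AccountName) downgraded to Read"
            }
    }
}

# Find the earliest encrypted file under a share root and report its owner.
# The account that created the first encrypted file points at the session,
# and therefore the host, that started encrypting: a strong lead for patient zero.
function Find-PatientZero {
    param(
        [Parameter(Mandatory)] [string] $ShareRoot,                 # e.g. 'D:\Shares' (placeholder)
        [string] $EncryptedExtension = '*.ENCRYPTED_PLACEHOLDER'    # placeholder pattern
    )
    $first = Get-ChildItem -Path $ShareRoot -Recurse -File -Filter $EncryptedExtension -ErrorAction SilentlyContinue |
        Sort-Object CreationTimeUtc | Select-Object -First 1
    if (-not $first) { return $null }
    [pscustomobject]@{
        Path       = $first.FullName
        CreatedUtc = $first.CreationTimeUtc
        Owner      = (Get-Acl -Path $first.FullName).Owner
    }
}

# Usage on the file server (placeholders as above):
# Set-SharesReadOnly
# Find-PatientZero -ShareRoot 'D:\Shares' -EncryptedExtension '*.ENCRYPTED_PLACEHOLDER'
```

Making shares read-only stops further encryption over SMB but does nothing for hosts that are already encrypting their own local disks, so it complements rather than replaces isolating the infected machines. Record the output of `Find-PatientZero` before you start restoring from backup; restoring overwrites the timestamps that make the lead useful.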
- Decommission or segregate legacy systems. If you must run Windows XP because it is providing life-support to a patient or a critical business function, remove it from the network. Do not join it to the corporate domain – an Active Directory forest is only as secure as the weakest host. If it really must be connected to a network, ensure you harden the host to reduce the attack surface.
- Perform regular security testing. Understand your risks and mitigate. Act upon the professional advice you receive. The vulnerabilities facing the NHS network have been widely known for years. This should not have been a surprise.
- Prepare for an incident. Know what you are going to do if the worst were to happen. Run a ransomware simulation. Understand how you would react, and how you would recover.
- The original infection is likely to be a phishing email, encouraging an unsuspecting victim to carry out an action, for example opening a document or visiting a website. Educate your users. If your users can spot a phishing email, they may avoid being patient zero.