By now, you have certainly heard about the massive global ransomware outbreak that began yesterday, Friday, May 12, 2017. In what is being called the biggest ransomware outbreak in history, organizations in more than 100 countries were infected with this cyber WMD.
There is some good news to report this morning. A cyber researcher known as “MalwareTech” uncovered a kill switch in the hackers code and registered a domain that if, unregistered, triggered the encryption process. By registering the domain that was uncovered, the spread of the encryption attack was stopped, at least temporarily. What we can be sure of is that the hackers will be updating their code to circumvent their own kill switch now that it has been activated by someone trying to stop the attack. So while we are presently in a moment of reprieve, do not let down your guard.
Consider the impact to the United Kingdom’s National Health Service (NHS). The following screen shot is posted on their home page today:
Perhaps for the first time in history, people may have died as a result of this cyberattack, as it is reported that operating room and other critical health care systems involved in acute patient care were infected. All non-emergency services were suspended at as many as 40 NHS facilities yesterday.
Here in the United States, FedEx confirmed that one or more of their US based operations had been infected. The threat from this attack was so concerning that many companies instructed staff to shut down their computers and many networks were taken offline as a precaution until more is known.
In perhaps an ironic twist of fate, given current affairs, it is also reported that the Russian Interior Ministry had 1,000 or more encrypted machines. This attack spared no one.
It has been confirmed that this attack takes advantage of an exploit in the Microsoft Windows operating system, that was first discovered by the National Security Agency (NSA). The attack is using these exploits, which were made public by the group Shadow Brokers, earlier this year.
In yet another twist of irony, Microsoft quickly patched the exposure, once it was known, back in March. If your company employs a comprehensive patching strategy, you should have been safe from this attack before it launched. Unfortunately, many organizations treat patching their systems as a reactive task, when it absolutely, positively needs to be a proactive task.
I hear all too often, that organizations do not want to patch their systems until patches have been out for extended periods of time. The theory is to let others find and resolve, unintended new issues that may crop up from a new patch. In the past, this has been a legitimate concern. However, over the years, companies like Microsoft and others have classified their patches, based on what they are intended for. Simple feature updates that are more “nice to have” than “need to have” are typically wrapped up in non-critical updates that are distributed differently. In other words, there is just no reason for computer systems to be left vulnerable to an attack like the one taking place now.
What is also unique about this current attack is how it is spreading. It has a component to it that is referred to as a “worm”, meaning once it infect a computer on a network, it spreads itself to other computers in that network without those users needing to actually trigger the attack. That is one of the reasons this spread so quickly throughout the day on Friday. Another interesting aspect of this is that is appears that countries outside the United States have been hit hardest. This suggests that US based companies are actually doing a better job at managing their infrastructures that foreign organizations. However, do not allow that to give you a false sense of security if you are US based.
This attack was so successful that Microsoft even issued an emergency patch for Windows XP, the operating system that is now two generations back and support and updates for which, had been stopped by Microsoft back in 2014, 3 year ago! Despite the widely communicated and widespread understanding that Windows XP support was ending at that time, far too many computers are still online and running this operating system.
The Wall Street Journal produced the excellent graphic below, to show how ransomware infections spread and specifically, in step 4, how the current attack moved so quickly:
Hopefully your internal IT team or your IT partner is already scanning your network and ensuring that all of your computers are secured against this threat. Even if they have told you that you are safe, remain extremely vigilant. Never click a link or open an attachment unless you are certain, beyond a shadow of a doubt, that the sender of the message is legitimate and that they intended to send you the link or attachment. If it’s a link, consider retyping the link into your browser so that you do not run the risk of being redirected to a malicious site. You just can’t be too careful.