LAYER3 Security Alert – WannaCry Ransomware Virus

Simply having an antivirus subscription is no longer enough to protect your organisation from today’s threat landscape.

On Friday, May 12, a global cyber-attack was launched using a ransomware program called WannaCry. It is estimated so far that almost 250,000 machines have been infected in 150 countries, which according to Europol, makes it an attack on an unprecedented scale. That number is sure to grow as the attack continues to spread and more impact is reported. It is imperative that all businesses take immediate steps to ensure the integrity of their network and data – this is a very real and very imminent threat.

WannaCry highlights the true menace of ransomware, virus and malware attacks on businesses and the extreme importance of having robust, managed security systems in place.

About Ransomware

Ransomware is a particular breed of malware that carries out what is called a ‘cryptoviral extortion attack’. In simple terms, what this means is that the software, once it has found a way into your network, will generally encrypt the files or the entire hard drives of the targeted machines or lock you out of the operating system altogether.

It will then display an image with instructions on the ‘ransom’. This is the amount demanded by the perpetrator to release your files. Payments are required in BTC because this crypto-currency is untraceable. There is also usually a time limit given to comply, after which the price will either go up, or the data will be lost forever.

Ransomware can find its way onto your network through a variety of means, but most commonly by ‘phishing’, a tactic that induces the victim to click on a link in a malicious email or on a malicious website. Once that magic button is pushed, the program gets to work, worming through your files, scanning for any other machines connected to yours, encrypting them all as it goes.

More on WannaCry

Like most ransomware attacks, WannaCry spreads through phishing emails, but what makes this attack so dangerous, is that it exploits a vulnerability in Microsoft and uses a backdoor tool developed by the US National Security Agency (NSA). Once a machine is infected, it will scan and propagate to all other computers and servers on your network. All infected machines are encrypted, files are locked, and a message appears demanding a ransom be paid or the victims will lose their data.

The tools used to launch the Wannacry attack were leaked from a group within the NSA and work by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol. When the leak became known, Microsoft released a critical advisory and security patch. However, many systems did not implement that patch due to a variety of reasons such as compatibility restraints, negligence, other risk factors or just a lack of proper management and awareness. Any machines without the patch that came into contact with WannaCry were likely infected.

While the amount demanded is relatively low ($300 at the first level), the impact of WannaCry so far has been massive. The National Health Service (NHS) in England and Scotland had up to 70,000 devices hit and some NHS facilities NHS services had to re-direct ambulances and turn away non-critical cases. Other examples of large enterprises hit hard include Telefónica in Spain, Nissan Motor Manufacturing, FedEx, Renault, Deutsche Bahn railway in Germany, etc. In New Zealand information is limited so far, but one known victim so far is Lyttleton Port in Christchurch.

The Layer3 Response

Notifications on the WannaCry event came flying in via our security devices and security vendors. We quickly established that this attack was exploiting a bug in Microsoft Windows. Although all Layer3 managed services and security customers had already been patched for this exploit, our team still went through a process of verifying this patch implementation across all customer networks and our own in-house cloud infrastructure.

These checks were completed by Saturday evening with no issues encountered. Our firewalls, antivirus, and mail filtering tools were all updated as soon as the threat became known. To date our main cloud infrastructure has seen around 5,000 attempts to broadly attack our networks. We have only received a small number of emails which have been blocked through our Mail Filtering system.

What can you do to protect your business?

The days of purchasing an annual antivirus (AV) subscription – or worse, not even doing that – are long gone. Low-end antivirus tools operate by blocking threats from a list of definitions, which means that they can only stop a virus that is already known about.

When something new like WannaCry breaks out, as they do all the time, definition-based AV tools are worse than useless. At the absolute very least, you must use an AV tool that operates based on ‘behaviour’ – they identify suspicious behavior from a program and shut it down. Layer3, for example, uses BitDefender in our managed security stack. BitDefender is consistently in the top 2 ranked AV tools in the world and stopped WannaCry out of the box.

Antivirus just isn’t enough though to protect the integrity and continuity of your vital business infrastructure.

Here is a list of some important components to ensure the best possible protection for your network:

Security Gateway – a next generation firewall that guards against external attacks, fully managed and monitored by Layer3.

Managed Antivirus – Layer3’s best of breed, fully monitored antivirus service learns and watches behavioral patterns on a system which can predict malicious activity.

Managed Patching – Automated management of patching to ensure critical security and performance updates are consistently installed on all machines. Included on most Layer3 Managed Services plans.

DNS Protection – Building on from the Security Gateway product, if an attack gets through, Layer3 DNS Protection will among other features, stop the virus from ‘calling home.’

Replication and Recovery – Cloud Shadow from Layer3 will completely replicate your infrastructure offsite and allow you instant recovery in the event your servers fail or are compromised – even to an online virtual server.

Managed IT – IT security can be complex and multi-faceted. A comprehensive IT managed services plan from Layer3 will help guide your organisation safely through the many pitfalls and hazards that can plague any business in this world evolving technology and very real cyber threats. A feature-rich managed service should be the cornerstone of every organisations IT strategy.

Security Consultation

To talk about improving your security and/or IT management, contact Daniel Bohan at Layer3 on 0508 LAYER3 (0508 529373) or info@layer3.nz.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *