Security Advisory: Ransomware Attack – WannaCry

On May 12, 2017, a new strain of the Ransom.CryptXXX (WannaCry) ransomware began an unprecedented attack on organisations worldwide. Affected organisations and users are not able to access their files, with messages on their screens informing them to pay up or be locked out.

HOW IT WORKS:
WannaCry is a form of ransomware that locks up the files on your computer by encrypting them so that you can no longer access them.

When a system is infected, a pop-up window appears with instructions on how to pay a ransom of $300 to $600 in Bitcoin by May 15 or, if that deadline is missed, a higher fee by May 19. While the messages on the screen say files will remain encrypted, it’s not yet clear if there are flaws in the encryption scheme that might allow the victims to restore the files without paying the ransom.

It targets Microsoft’s widely used Windows operating system.

HOW IT SPREADS:
Ransomware is a programme that gets into your computer when you click on or download malicious files. It then holds your data to ransom.

WannaCry is not just a ransomware program – it’s also a worm. It gets into your computer and looks for other computers to try and spread itself as far and wide as possible.

WHAT SHOULD YOU DO TO PROTECT YOURSELF?
The first line of defence is you. Be vigilant.

Do not open unusual email content or suspicious attachments, and do not click on links embedded in emails. Copy and paste the URL into your web browser instead.

Always check the sender’s email address to confirm that it is a valid one. Spoofing and phishing are common tactics used to try to gain access to your computer and its data.

WHAT CAN YOUR COMPANY DO TO PREVENT SUCH CYBER ATTACKS?
If you are using Microsoft servers or are Windows users, one of the immediate actions is to ensure all critical patches are up to date. In particular, Microsoft’s recommended fix, MS17-010, should be installed without delay.

If you have cloud-based antivirus software implemented, be sure to contact your IT support to ensure all checks are done. If there is ransomware on specific workstations, they will likely be quarantined. We recommend removing them, conducting full deep scans, and ensuring all signatures are up to date. If any workstation is at risk, please disconnect it from the network and call your IT support team to check it.

For your firewall, do ensure you have an active and properly configured gateway security subscription, which enables the automatic receipt of signatures for known ransomware attacks such as WannaCry.

WHAT SHOULD YOU DO IF YOU SUSPECT YOU HAVE BEEN INFECTED?
Call your IT support team.
If you have got your files backed up in a completely separate system, there is likely a way to restore them without having to pay the hackers.

More information about ransomware and WannaCry can be found below from SingCERT (Singapore Computer Emergency Response Team):
https://www.csa.gov.sg/singcert/news/advisories-alerts/wannacry-ransomware
(click on link, or copy and paste the URL into your web browser)

Sample pop-up window from an infected system below:

WannaCry sample infected screen shot