What happened in the largest global ransomware outbreak? What should you do?
Over the weekend, the world has seen the largest cyber attack of its kind spread across more than 70 countries. The UK NHS was an early victim as hospitals systems were encrypted reportedly causing shutdowns and delays in medical procedures. As the infection spread, numerous other organisations around the world also fell victim to the attack.
Although falling on a weekend in Australia may be a lucky break that assists in limiting the initial impact with a heightened awareness as we commence our working week. But we have not escaped unscathed with reports of some Australian businesses being affected.
The nature of the attack itself is not new. Ransomware spread by emails with malicious links or attachments has been increasing in recent years. This ransomware attack followed a relatively typical formula:
- Locks all the data on a computer system
- Provides instructions on what to do next, which includes a demand of ransom (typically US$300 ransom in bitcoins)
- Demand includes paying ransom in a defined period of time otherwise the demand increases, leading to complete destruction of data
- The encryption is carried with RSA-2048 encryption which makes decryption of data extremely difficult (next to impossible)
Typically these types of attacks do not involve the theft of information, but rather focus on generating cash by preventing critical business operations until the ransom is paid, or the system is rebuilt from unaffected backups.
Bitcoin is a form of digital currency that is not currently regulated in Australia and it is known for its anonymity. Access to digital currency in Australia may be a challenge for many people as there are limited suppliers of Bitcoin and Australian banks have been closing the accounts of digital currency providers.
The weekend attack involving ransomware known as ‘WCry’, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, spread rapidly, exploiting a weakness in unpatched versions of Microsoft Windows.
How is it spreading?
Like most of the ransomware attacks this attack came through attachments on email and initial assessments are showcasing that once infected the ransomware spreads through a remote code execution vulnerability in Microsoft Windows computers: MS17-010.
The vulnerability MS17-010 is also known as ETERNALBLUE, for which a patch is available for newer versions of the operating system. Considering the impact of the malware Microsoft has also released patches for older operating systems including Windows XP and 2003.
Has the spread stopped?
News reports indicated that some respite was provided with the registration of the Domain name that the Ransomware code required it to check before further spreading the infection (referred to in the media as a “kill switch”). Registration of the domain was initially reported to have stopped the spread of the attack. The respite was however short-lived, when a day later new reports indicated that updated versions without the kill switch were up and running,
As we arrive at our desks to start the working week, we need to act fast. Organisations need to ensure staff are made aware of the risk, reiterating additional precautionary measures, whilst simultaneously ensuring that IT systems are protected including:
- KPMG recommends organisation should prioritise patching systems and immediately patch systems performing critical business functions or holding critical data first. Immediately patch Windows machines in the environment (post proper testing). The patch for the weakness identified was released in March 2017 as part of MS17-010 / CVE-2017-01
- Companies should forward a cyber security alert and communications to their employees requesting them to be vigilant at this time of of heightened risk and reminding them to;
- not open emails from unknown sources
- Be wary of unsolicited emails that demand immediate action
- Do not click on links or download email attachments sent from unknown users or which seem suspicious
- Clearly defined actions for reporting incidents
- Antivirus companies have released updated signatures and organisations should ensure that all systems are running current operating system patches and updates
- Maintain up-to-date backups of files and regularly verify that the backups can be restored. Priority should be on ensuring systems performing critical business functions or holding critical data are verified first.
- Monitor your network, system, media and logs for any malicious software, possible ex-filtration of data, abnormal behaviour or unauthorised network connections.
- Practice safe online behaviour
- Report all incidents to your IT helpdesk, immediately
These attacks happen quickly and unexpectedly. You also need to act swiftly to close any vulnerabilities in your systems.
KPMG’s Technical and Architecture team can assist clients and provide scanning of client’s environments to identify systems that are exposed to the vulnerability. KPMG’s Cyber Forensic team can assist clients with investigating, managing and recovering from incidents.