The WannaCry Ransomware attack shows you can’t ignore IT security any more

The NHS was a high-profile victim of a WannaCry Ransomware attack that hit businesses in over 150 countries on Friday and over the weekend. Read on to find out more about the attack and how you can prevent your business from becoming the next victim.

Initially, it looked like the NHS was targeted specifically, but as time went on and more victims emerged, it’s clear this was a calculated Ransomware attack exploiting unpatched and outdated Windows systems worldwide.

Ransomware is a specific type of malicious malware that encrypts a user’s files and demands a ransom for their decryption. Find out more about what Ransomware is on our blog or in our handy infographic.

The healthcare industry is vulnerable to cyber-attacks due to this common issue of outdated systems; this means successful Ransomware attacks could ultimately result in lost lives. The NHS was an easy target due to its reliance on Windows XP, which Microsoft stopped patching in 2014.

However, placing Windows XP in the spotlight is something of a red herring; this attack comes down to a number of issues: users potentially downloading an infected file, systems that weren’t updated with important security patch MS17-010, and systems that weren’t backed up sufficiently.

Microsoft released this pre-emptive security patch in March, which highlights the critical importance of regularly updating systems. The malware comes in the form of a worm which, once downloaded, exploited a vulnerability in a number of Windows systems that hadn’t installed this patch. The nature of this worm means once one machine was infected, it was able to spread to all computers in the network.

It’s important to note that, while this vulnerability was exploited, installing this security patch alone won’t prevent this virus. Users should be wary of all email attachments, particularly macro-enabled content. See more on that below or in our previous blog on spotting Ransomware.

Interestingly, the exploit originated from the NSA. The National Security Agency originally discovered the vulnerability, but didn’t inform Microsoft. The NSA chose instead to keep the details to itself in order to hack computers for spying purposes. A hacker group called the Shadow Brokers stole information about this exploit and auctioned it off on the internet, along with a number of other NSA hacking tools and exploits.

As of Friday afternoon, over 40 NHS Trusts across England were incapacitated, with doctors and nurses unable to access vital patient records, GPs resorting to pen and paper without access to patient history, non-emergency operations cancelled and a number of A&Es requesting the public only use the service if it was an emergency. Other high profile victims of the Ransomware attack include Telefonica and Vodafone in Spain, Nissan, Renault, China National Petroleum Corp and FedEx. Businesses large and small across the globe were affected with this virus, but the impact on critical services like the NHS and these other well-known brands brings it into the spotlight.

The number of victims was believed to be around 200,000 on Sunday afternoon but according to the US National Security Council, this number will likely grow today as users switch on their PCs. These users will still be vulnerable to the exploit, particularly if their IT security hasn’t been bolstered, or the patches haven’t yet been installed.

Microsoft has laid into the NSA and reiterated the urgency of effective cyber security in its response to the WannaCry Ransomware attack. President and Chief Legal Officer Brad Smith said: “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.” You can read his full statement on the Microsoft website.

The spread of the attack has been halted by a deliberate killswitch built into the Ransomware. The virus contained code that led to an unregistered web address, or domain. A security researcher from MalwareTech registered this domain in order to monitor the traffic – and thus the spread of the Ransomware across the globe. By registering the domain, the researcher halted the spread of the attack as traffic was then directed to an existing domain that had nothing on it.

What can I do to prevent these attacks?

If you haven’t been a victim of this particular Ransomware attack, this doesn’t mean you won’t be in the future. There are a number of steps you can take to protect your systems against future attacks – not just Ransomware attacks, but exploits in your operating systems that could lead to additional attacks.

Always update your systems

We know, Windows updates are notoriously laborious. But it’s no longer something you can ignore. These updates might be cumbersome but they’re deployed to keep your systems and your business safe from exactly this type of exploit. It’s worth checking for updates right now (search ‘Windows Updates’ in your Windows search bar) and if there are any waiting, install them now. Microsoft has made it clear that if businesses had installed its MS17-010 security patch, they could have avoided the attack.

Be vigilant with emails

The method of distribution for this attack hasn’t been made public yet, but it’s very likely to be a malicious email link or attachment. Previously, spammy emails were easy to spot as they were plain text and littered with spelling errors. Hackers are more sophisticated than ever now, and emails containing Ransomware, malware or phishing links look more realistic thanks to email spoofing. Read our blog on spotting spoofed emails. If in doubt, never click a link or open an attachment; speak directly to the supposed sender and alert your IT department.

Backup your critical systems and data

Because hackers are ever more sophisticated, zero-day attacks are now very common; these are attacks that exploit an as-yet-unknown vulnerability, meaning you could become the first victim of a new attack. Having a robust backup and disaster recovery solution in place means that, should your business fall victim, you’ll be able to restore not only your critical files but your systems too. Find out about the difference between backup and disaster recovery, and why it’s critical that your business has both in place.

Use a Ransomware-specific anti-virus

This attack exploited a security issue in Windows operating systems, which means the attack could have been something other than Ransomware. But this highlights the proliferation of Ransomware, which has seen a significant resurgence since last year. Ransomware attacks continue to hit and devastate thousands of businesses – don’t let your business be one of them. We recommend Sophos’ anti-Ransomware solution Intercept X, which prevents Ransomware viruses at the point of entry. What’s more, if your files have already been encrypted, Sophos Intercept X decrypts them. It’s an intelligent product that has protected many of our customers and ourselves from this global attack. We’re hosting webinars on Sophos Intercept X – sign up now.

What next?

This is one of the most widespread Ransomware attacks ever. While the NHS and telecoms and car giants Telefonica are the headline victims, this attack has hit businesses of all sizes – some of which may never recover from it. IT security can no longer be ignored. This attack is expected to continue as the malware evolves, so if you haven’t been hit yet it doesn’t mean you’re protected.