On 12 May 2017, over 200,000 computers across 150 countries fell victim to the WannaCry ransomware attack, including rail companies in Russia, the NHS in the UK and, most recently, Victoria Police speed and red-light cameras. Today we have Petya, which works in a very similar way and has already affected Cadbury's in Hobart and the global law firm DLA Piper. The spread is suspected to be the result of an unpatched SMB service (the SMBv1 flaw fixed by Microsoft's MS17-010 update, reached over TCP port 445) rather than a phishing email.
*WannaCry/WannaCrypt and Petya hold computer systems hostage by encrypting data and demanding a ransom in Bitcoin to release it, and the perpetrators threaten further fees if it is not paid immediately. There is no evidence that paying the ransom will release the data.*
What is the lifespan of ransomware?
- Since the patches became available, WannaCry has been in decline worldwide, but it has not been eradicated and can still infect unpatched computers, particularly those running older Windows platforms.
- Petya is new and is still taking advantage of organisations that have not patched their networks or applied security updates.
- Copycat attacks may still be to come that are proxy-aware or that do not rely on the hard-coded kill-switch domain check which halted the original WannaCry.
- You are still at risk in Australia if you have not kept your systems and networks up to date.
What machines are vulnerable to ransomware?
A range of Windows client versions from Windows Vista through to Windows 10, and Windows Server 2008, 2012 and 2016, have the vulnerability that was exploited (Microsoft's fix for supported versions is the MS17-010 update). The complete list of Microsoft patches is available here. Windows XP also has the vulnerability and, despite being officially unsupported, Microsoft issued an emergency patch for it recently.
The same applies to the other out-of-support versions, Windows 8 and Windows Server 2003: they are affected and received emergency patches as well. Even though these older versions are no longer supported or considered safe, large businesses do still operate them.
You’ve been lucky
If you are seeing hundreds of media alerts on LinkedIn, Facebook and even TV about a global ransomware event, but your machines have not been infected yet, you are in a good position to protect your network.
- Make sure your desktops, laptops, smartphones, tablets, servers, applications, IoT devices and anything else on the network are up to date. For WannaCry and Petya specifically, confirm every Windows host has the MS17-010 update installed.
- Confirm your network security appliances' configuration and firmware are up to date.
- Ensure firewalls block the traffic this ransomware spreads on. SMB (TCP 445, plus TCP 137-139 for NetBIOS) should never be reachable from the internet, and should be restricted between client subnets internally so that one infected workstation cannot reach every other one.
- Advanced AAA and network access control platforms with posture assessment continuously check every device's operating system patch level, anti-virus status and application versions, and temporarily quarantine out-of-date or vulnerable devices from the network until they are patched. Aruba ClearPass and Cisco ISE are leading products for this.
- Educate and inform your co-workers about these situations. A well-trained pair of eyes can be the last line of defence against clicking on a malicious email or piece of software.
- Perform backups and snapshots, and keep at least one copy offline or otherwise unreachable from ordinary workstations: ransomware that can reach a mapped backup share will encrypt it too. Test that a restore actually works before you need it.
- Keep your network infrastructure up to date and review the latest in security infrastructure and design. Also consider reviewing your business insurance to cover data loss due to ransomware.
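The SMB weakness described above (the worm spreads over TCP 445 to hosts that still speak SMBv1) and the firewall step in the list are easiest to act on if you can see which of your own hosts still negotiate SMBv1. The following Python probe is an added example, not code from the original post or from NetWireless: it sends a single SMBv1 NEGOTIATE request offering only the "NT LM 0.12" dialect and classifies the reply. Host addresses are the only input; the replies produced by make_sample_reply are constructed test data, not captures from a real host. It exploits nothing, and it is not a substitute for confirming the MS17-010 patch is installed, since a patched host may still have SMBv1 enabled.

```python
import socket
import struct

# Added example (not from the original post): probe whether a host still
# negotiates SMBv1, the protocol version abused through MS17-010 on TCP 445.

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"          # the SMBv1 dialect Windows uses


def _smb1_header(flags):
    """32-byte SMBv1 header for a NEGOTIATE message (status 0, no signing)."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH", SMB_COM_NEGOTIATE, 0, flags, 0x0001, 0)
    hdr += b"\x00" * 8                                # SecurityFeatures
    hdr += struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 1)  # Reserved, TID, PIDLow, UID, MID
    return hdr


def build_smb1_negotiate(dialects=(DIALECT,)):
    """NetBIOS-framed SMBv1 NEGOTIATE request that offers only `dialects`.
    Offering no SMB2 dialect forces the server to accept SMBv1 or refuse."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # dialect entries
    smb = _smb1_header(0x18) + struct.pack("<BH", 0, len(data)) + data
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb     # NetBIOS session header


def parse_negotiate_response(raw, dialects=(DIALECT,)):
    """Classify the raw reply to the probe. Returns one of
    'smb1-enabled', 'smb1-rejected', 'smb2-only', 'no-response', 'unknown'."""
    if len(raw) < 4 + 32:
        # Windows with SMBv1 disabled simply closes the connection (empty read).
        return "no-response" if not raw else "unknown"
    smb = raw[4:]                                     # strip NetBIOS header
    if smb.startswith(SMB2_MAGIC):
        return "smb2-only"
    if not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    status = struct.unpack_from("<I", smb, 5)[0]
    if status != 0 or len(smb) < 35:
        return "smb1-rejected"
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # 0xFFFF = none accepted
    if word_count == 0 or dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return "smb1-rejected"
    return "smb1-enabled"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the probe and classify the answer; 'closed-or-unreachable'
    means the port never answered (refused, reset, timed out or no route)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            raw = sock.recv(4096)
    except OSError:
        return "closed-or-unreachable"
    return parse_negotiate_response(raw)


def make_sample_reply(dialect_index, word_count=17):
    """Constructed test data (not captured from a real host): an SMBv1 NEGOTIATE
    response whose DialectIndex is `dialect_index`. An accepted NT LM 0.12 has
    WordCount 17 and index 0; a rejection has WordCount 1 and index 0xFFFF."""
    params = struct.pack("<BH", word_count, dialect_index) + b"\x00" * (2 * (word_count - 1))
    smb = _smb1_header(0x98) + params + struct.pack("<H", 0)   # 0x80 = reply flag
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


if __name__ == "__main__":
    import sys
    # Usage: python smb1_probe.py 10.0.0.5 10.0.0.6 ...  (scan only networks you own)
    for host in sys.argv[1:]:
        print(f"{host}: {probe_smb1(host)}")
```

Run it only against subnets you are responsible for. Hosts reporting "smb1-enabled" should be patched with MS17-010 and have SMBv1 disabled; "no-response" on an open port usually means SMBv1 is already off, because Windows closes the connection rather than answering an SMBv1-only negotiate.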
Not so lucky…
So Ted from accounting clicked on that funny cat email and infected his machine.
- Disconnect the infected machine from the network immediately (pull the cable). Leave it powered on if you can, since what is still in memory may help with recovery and investigation. As WannaCry demonstrated, the SMB vulnerability lets the worm spread to your co-workers' machines without anyone else clicking on anything.
- If you cannot unplug it, for example a wireless device, a group of devices or a server, isolate the devices instead: use Aruba ClearPass or Cisco ISE to revoke their network access, or a network management system such as Aruba AirWave or Cisco Prime to manually disable their switch ports or wireless association.
- In an extreme case you may have to isolate or shut down the entire network. This is for the situation where control has been lost and protecting your data comes first.
- Do I pay the ransom? No. Paying encourages more of these attacks, there is no guarantee you will get your data back (Petya's payment contact address was shut down by the email provider, so even victims who paid could not receive a key), and depending on who you are paying, the payment itself may be unlawful.
- Report it to the authorities. This is a crime, and there are agencies working to stop it; in Australia, report it through ACORN, the Australian Cybercrime Online Reporting Network.
Following an attack…
- Try to recover. After a large-scale attack, vendors and researchers often publish an official recovery procedure, and sometimes a decryption tool (for WannaCry, tools such as WanaKiwi could recover the key from memory on some machines that had not been rebooted since infection). You can also engage a professional to attempt recovery of the data that has been lost. In the worst case, you fall back on your backups.
- Audit, review and analyse what happened. All networks and IT systems are different, so work out how this one was entered and how to prevent it next time. At this stage it is extremely valuable to identify other areas of vulnerability and address them too.
If you are unsure about what to do in the event of an attack, please contact NetWireless and we can advise you on the best way forward.
NetWireless is a multi-disciplinary IT Network and management company specialising in Wi-Fi design, deployment, security and managed services. Speak to our technical consultants today (CALL 1300 324 844) to ensure your Wi-Fi infrastructure meets your needs.