The unprecedented mass attack supported dozens of languages, indicating that the criminals were bent on wreaking as much havoc as possible with organisations ranging from the world’s biggest hospital groups, car makers, telecommunications firms, courier companies, rail operators and national governments being affected. F-Secure Corporation, a Finnish cyber security company, estimated that over 130,000 systems in more than 100 countries had been affected. China, India and Russia were particularly hard hit with almost 30,000 institutions across China having reportedly been affected, according to a leading Chinese security-software provider. F-Secure's chief research officer, Mikko Hypponen, said Russia and India were particularly hard-hit because many there were still using Windows XP, an operating system that Microsoft terminated support for in April 2014. However the software giant had already taken the unusual step of reissuing security patches for this and other older versions of its operating system starting in March this year and has been criticising the US intelligence agencies for “stockpiling” software code as it has become apparent that hackers managed to exploit the leak of such code for this latest attack. Yesterday Microsoft sent out a communiqué to users advising them to install their MS17-010 security update on Windows XP, 8 and Server 2003 machines as soon as possible to counter the threat. Windows 10 operating systems have not been affected by the attack to date. WannaCry encrypts all files it finds and renames them by appending ".WNCRY" to the file name. It also creates the file "@Please_Read_Me@.txt" in every folder where files are encrypted.
Eleven health boards in the UK, including the National Health Services (NHS) were disrupted by the attack with hundreds of operations and treatments reportedly postponed countrywide. Only in February this year, F-Secure Corporation had issued warnings of the likelihood of such a ransomware attack and the possible consequences, highlighting the damage that can be done to healthcare organisations should they not have access to patient data. The NHS reported that some doctors couldn’t access their patients’ test results after operations or before scheduled treatments and that the National Cyber Security Centre (NCSC) was working around the clock to normalise IT systems after the attack.
Having locked users out of their files, the attackers demanded payment in the form of the virtual currency Bitcoin in order to decrypt them to regain access, as has now become typical of these types of attacks. The amount asked for per attack was $300 in Bitcoin with a three-day expiry date, after which the payment demand would be doubled. A screen message on victims’ computers informed them that should no payment be received within seven days then the encryption key would be deleted and the files lost forever. Bitcoin has a public ledger that records all transactions that are made and to date there are reports of just over 200 victims of the attack having paid the ransom which has amounted to less than $60,000 for the criminals. This Friday will be the D-day though when the encryption keys purportedly get deleted due to non-payment and all eyes will be on these ledgers to see how much was paid in total.
It hasn’t been a good year thus far for many businesses as initially their employees returned to work at the beginning of the year only to discover that they had been locked out of their computers and company databases had been encrypted. Demands for large payments to be made, typically in the form of untraceable Bitcoin in order to regain access, then inevitably followed. When payments were made by those who decided to take their chances and pony up the money in an attempt to continue doing business as usual, some of them were then advised that the amount had subsequently increased.
If you wish to assess your current capabilities to handle ransomware attacks – or any other type of malware attack for that matter, please check out F-Secure’s practical handbook for endpoint protection. It will give you the tools to assess your current capabilities, give guidance on best practices and help evaluate the most critical requirements for an endpoint protection solution that can stop ransomware and other malware in its tracks.
F-Secure will also be visiting South Africa in June when they will be holding cyber security seminars with their local partner Camsoft Solutions at the Radisson Blu hotels in Sandton, Johannesburg and Sea Point, Cape Town with the possibility of an additional event in Durban should there be sufficient interest. The seminars are at no charge with places limited and available on a first-reply first-confirm basis.
To request attendance at one of these seminars, please visit the following seminar link.
Or for more information contact Jayde Martin az.oc.tfosmac@ofni, Tel. 0800 616765
www.camsoft.co.za