
Businesses urged to apply Windows patch to avert WannaCry attacks

Security advisers are urging organisations to patch their Windows systems to avert a possible second wave of an unprecedented, indiscriminate ransomware attack

More than 200,000 computers in 150 countries are believed to have been hit since the campaign started on 12 May 2017 by WannaCry ransomware, which encrypts data and demands payment for its release.

On 15 May 2017, the UK National Crime Agency (NCA) said in a tweet: "We haven't seen a second spike in WannaCry ransomware attacks, but that doesn't mean there won't be one."

The NCA said victims of cyber crime should report directly to ActionFraud and should not pay the ransom demand.

Analysis of three bitcoin accounts linked to the ransom demands indicates that only about $38,000 had been paid in the first three days of the attack, according to the BBC.

In England, 48 National Health Service (NHS) trusts reported problems at hospitals, GP surgeries or pharmacies. In Scotland, 13 NHS organisations were affected.

Internationally, Germany’s rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia’s interior ministry were hit by the ransomware.

According to Kaspersky Lab, WannaCry infections were also detected in Australia, India and several countries in Africa and South America.

UK parliamentary workers and MPs were advised at the weekend not to use Gmail, Yahoo mail or other non-Parliamentary email services on parliamentary IT equipment running Microsoft Windows, and to “exercise caution” when opening email on personal devices.

Europol director Rob Wainwright and security advisers have warned of a possible second wave of the attack after a new variant of the malware was identified that has been modified to be immune to a temporary fix used by volunteers to slow the spread of the ransomware late on Friday 12 May.

A UK security researcher known only as “MalwareTech” was among those who helped to limit the first wave of attacks by registering the domain the malware contacted before spreading, which the researcher initially took to be its command and control (C2) server.

Registering the domain slowed the attack and, as MalwareTech, who wants to remain anonymous, later established, acted as a kill switch for the ransomware: infections that could reach the domain halted.

“The kill switch wasn’t discovered until about three hours after we’d bought the domain which had already killed all subsequent infections,” the researcher told Sky News. “From what I can see, it killed every infection that contacted our C2.”

The ransomware, also known as WCry, WannaCrypt, Wanna Decryptor and WanaCrypt0r, spreads by exploiting a Microsoft Windows vulnerability in the SMBv1 file-sharing protocol that was identified by the US National Security Agency (NSA), then stolen by the Shadow Brokers group of hackers and published online.

Microsoft released a security update a month before the exploit was leaked, but according to security firm Digital Shadows, internet scans reveal that at least 1.3 million Microsoft Windows systems have not yet been patched with security update MS17-010 and therefore remain vulnerable.

Microsoft releases updated patch

On the first day of the attacks, Microsoft also released an updated patch for older Windows systems “given the potential impact to customers and their businesses. Patches are now also available for: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.”

“This attack demonstrates the degree to which cyber security has become a shared responsibility between tech companies and customers,” said Brad Smith, chief legal officer at Microsoft.

“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cyber criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he wrote in a blog post.

This attack is “a powerful reminder” that information technology basics like keeping computers current and patched are a high responsibility for everyone, said Smith, adding that it is something every top executive should support.

“The good news for healthcare organisations and other businesses is that this threat is very stoppable as MS17-010 only needs to be applied,” said Becky Pinkard, vice-president of service delivery and intelligence at Digital Shadows.

“There are other methods of mitigating the risk available as well – from the application of access control lists to host-based hardening and even shutting off SMB [server message block] services in the Windows environment,” she said.
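The checks and mitigations Pinkard describes, as an added example for a single Windows host (this is not code from the article, Digital Shadows or Microsoft). It tests for an MS17-010 hotfix, reports whether SMBv1 is still offered, turns SMBv1 off, and blocks inbound TCP 445 on a machine that is not yet patched. The KB list is an assumption to be checked against the MS17-010 bulletin for your OS builds, since the KB number differs per build; the Smb* and NetSecurity cmdlets exist on Windows 8 / Server 2012 and later, and the registry fallback is the documented method for Windows 7 / Server 2008 R2.

```powershell
# Added example: WannaCry exposure check and mitigation for one host.
# Run from an elevated PowerShell session.

# The KB that carries MS17-010 depends on the OS build. Assumption: these are the
# Windows 7/2008 R2 security-only and rollup updates and the XP/2003/8 out-of-band
# update. Verify the list against the MS17-010 bulletin before relying on it.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Installed {
    $installed = (Get-HotFix).HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    if ($found.Count -gt 0) {
        Write-Host "MS17-010 present: $($found -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 hotfix found: host is likely still exposed to the SMBv1 exploit'
    return $false
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMBv1 is on unless this DWORD is explicitly 0
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Stops offering SMBv1 immediately; no reboot needed
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the component as well so it cannot quietly come back (8.1/2012 R2 and later)
        if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                -ErrorAction SilentlyContinue | Out-Null
        }
    } else {
        # Windows 7 / 2008 R2 registry method; effective after the Server service restarts
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    # Network-layer control: workstations rarely need to serve SMB at all.
    # On file servers, narrow the rule with -RemoteAddress to the subnets you do not trust
    # rather than blocking everything.
    $name = 'Block inbound SMB (TCP 445) - WannaCry mitigation'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$patched = Test-Ms17010Installed
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it'
    Disable-Smb1
}
if (-not $patched) {
    Write-Warning 'Host unpatched: blocking inbound SMB until MS17-010 is applied'
    Block-InboundSmb
}
```

Disabling SMBv1 and blocking port 445 are the mitigations to reach for when a patch cannot be applied quickly; they do not replace MS17-010, which remains the fix.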

Ransomware may become more sophisticated

However, Pinkard warns that it is only a matter of time before cyber criminals evolve the WannaCry ransomware to become even more virulent. Researchers have commented that the ransomware used in the first wave of attacks is not particularly sophisticated.

Despite the concerns of a second wave of attacks as people return to work after the weekend, there have been relatively few reports of new infections so far, according to the BBC, which said there were just nine cases in South Korea, three cases in Australia, two in Japan and one in China.

The UK’s National Cyber Security Centre (NCSC) has highlighted guidance on how to protect organisations from ransomware attacks.

1. Vulnerability management and patching

Some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications. Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them.

Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised. However, as well as patching the devices used for web browsing and email, it is important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes.

2. Controlling code execution

Consider preventing unauthorised code delivered to end user devices from running. One common way that attackers gain code execution on target devices is to trick users into running macros. An organisation can prevent these attacks from being successful by preventing all macros from executing – unless they have been explicitly trusted.

It is also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how to enable them to do this, so that they are not tempted to do it secretly, in ways you can't see or risk-manage.
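One way to put the two controls in this item into practice on a Windows host, as an added example (not the NCSC's own code or the article's): it audits and sets the Office macro policy values that Group Policy writes, and lists who holds local administrator rights and can therefore install software unsupervised. The registry paths assume Office 2016/365 (version key 16.0; use 15.0 for Office 2013); for a fleet the same values would be delivered by GPO rather than a per-host script.

```powershell
# Added example: Office macro policy audit/enforcement and local admin check.
# Run as the user whose policy is being set (HKCU), or adapt to HKLM/GPO for a fleet.

$OfficeVersion = '16.0'                 # assumption: Office 2016 / Office 365
$Apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
# 3 matches "no macros unless explicitly trusted" where macro signing is in use; 4 is stricter.
$DesiredVbaWarnings = 3

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # $null means the value is unmanaged and the user's own Trust Center choice applies
        $vba   = if ($p) { $p.VBAWarnings } else { $null }
        $block = if ($p) { $p.blockcontentexecutionfrominternet } else { $null }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $block
        }
    }
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $DesiredVbaWarnings -Type DWord
        # Macros in files carrying the Mark-of-the-Web (downloaded or e-mailed) are
        # blocked outright, regardless of the user's Trust Center setting.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Get-LocalAdmins {
    # Accounts that can install software without an administrator's authorisation.
    # Requires the LocalAccounts module (Windows 10 / Server 2016, PowerShell 5.1).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Write-Host 'Macro policy before:'
Get-MacroPolicy | Format-Table -AutoSize
Set-MacroPolicy
Write-Host 'Macro policy after:'
Get-MacroPolicy | Format-Table -AutoSize
Write-Host 'Members of local Administrators:'
Get-LocalAdmins | Format-Table -AutoSize
```

Where users legitimately need macros, add their signing certificate or a controlled folder under the application's Trusted Locations policy rather than relaxing VBAWarnings globally, so the exception is visible and managed instead of worked around.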

3. Filter web browsing traffic

The NCSC recommends using a security appliance or service to proxy outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.

4. Control removable media access

The NCSC publishes separate guidance on removable media controls, covering how to limit which devices can be connected and what can be run from them.
