The world reeled this month as a pernicious piece of ransomware called WannaCry locked up files in computer systems around the world. Victims included the entire U.K. National Health Service and Spanish telecommunications giant Telefonica SA. Financial advisors should be wary of this ransomware and others like it, and protect against it by keeping operating systems (OS) current and backing up their files properly.
WannaCry has been more successful than previous malware, infecting thousands of computers around the world very quickly. Jeff Pollard, principal analyst serving security and risk professionals at Forrester Research in Charlotte, N.C., explains that this is because the software is unlike other forms of ransomware in the way it spreads itself.
Criminals typically distribute ransomware by sending spam mail containing infected files or links to websites that automatically download and install the malicious software. For these tactics to work, the mail must make it past spam filters, and the users must then click on the links or open the files. This latest ransomware is different, Pollard says, because it spreads via networks.
WannaCry uses a software “weapon” developed by the U.S. National Security Agency (NSA) to compromise targeted computers. The “exploit” aims for a vulnerability, nicknamed “Eternal Blue,” which exists in older versions of a file-sharing component of Microsoft Windows known as SMB. The security flaw enables an attacker to take control of a computer by sending certain kinds of messages to SMB.
An anonymous hacking team known as the ShadowBrokers stole this code from the NSA and released it in April. Those responsible for WannaCry appear to have bolted the attack code into the WannaCry ransomware, which is what caused it to spread widely and quickly.
Once infected with WannaCry, a computer does several things. First, it encrypts any files it can find, not only on the infected computer, but on any other drives attached to the machine, including network drives. Then, it looks for other computers on the local network and infects them. It also looks for other machines on the wider Internet to infect.
How can you protect yourself against it, or recover from an attack? If you have been hit, the first step involves disconnecting any machines that have been infected, according to an advisory from the National Security and Communications Integration Center in the U.S. Then, you should restore data from backups if you have them.
If a backup isn’t available, don’t pay the ransom, advises Mark Nunnikhoven, vice president of cloud research at security software vendor Trend Micro in Ottawa. Some ransomware criminals do send out encryption keys, but it isn’t a certainty, and you’re also sending money to criminals, which only serves to make the ransomware problem worse.
“In the case of WannaCry, we have seen no examples of anyone getting their data back,” he says.
Instead, take a copy of the encrypted data, he says, “and hope that someone cracks it.” Security companies have found the keys to ransomware-encrypted data in the past and saved victims’ data.
After taking these steps, you should completely wipe and reinstall your systems, Nunnikhoven says. However, this alone isn’t enough.
To prevent future attacks, be sure to apply the latest security patches. Microsoft issued a patch for the SMB flaw back in March, and if people had applied it, WannaCry wouldn’t have touched them.
Apply appropriate anti-virus security software and use OSes that are still supported. Many of the systems infected by WannaCry, such as Microsoft Windows XP and Windows Server 2003, are no longer supported by Microsoft.
The single most important piece of advice, though, is to back up your systems properly. This doesn’t mean replicating your files to an online service such as Box or Dropbox — which are cloud-based file systems, not backup systems. The difference is key.
In a cloud-based storage system, changes to files on your computer instantly update files stored in the cloud. A ransomware attack will encrypt your online files, too.
Use dedicated backups, which create a version of your files on a separate drive. Leave disconnected from your computer when backups are not taking place. Recent versions of Windows have this backup functionality built directly into the OS, while third-party products such as Acronis backup, from Burlington, Mass.-based Acronis International, offer extra features.
Photo copyright: maxkabokov/123RF