05-16-17 | Blog Post
Companies across the globe are still reeling and recovering from the global ransomware attack known as WannaCry on Friday, which took down tens of thousands of machines in 150 countries, including Britain’s National Health System. How and why did this happen?
We’ve talked at length about ransomware and how it’s distributed, how it particularly affects healthcare, and the rise of ransomware as a service. Friday’s attack was unusual in how quickly the infection spread, but it also reminded us of an age-old life lesson: It’s really important to keep your systems patched and up to date.
The security world has been saying it for years, but now it has another true-to-life case in point: Update your machine when it tells you to. The attack on Friday took advantage of a zero-day vulnerability in all Microsoft systems before Windows 10. Microsoft had released a patch for it back in March (even issuing a rare patch for the now-unsupported Windows XP systems), but most people treat system updates the way they treat pre-cancer screenings: “I’m fine now, so why should I worry about it?”
Well, just like you don’t want cancer when you’re older, you don’t want ransomware, either. Vendor-issued patches often address security vulnerabilities and keep your system better protected against ransomware and other malicious activity. For personal computers it’s a matter of dedicating the few minutes it takes to install the patch(es) and reboot. For enterprises, it’s a different story. It’s not only the time it takes to install patches on potentially hundreds of machines; there are software compatibility and patch priority issues as well, which can turn a simple update into a much more complicated mess. It’s for these reasons that many enterprises are slow to patch their systems, and this unfortunately leaves them as prime targets for malicious actors to take advantage of.
WannaCry (and now new variants) is exploiting a vulnerability in the Windows implementation of SMB (SMBv1 and SMBv2). SMB, short for Server Message Block, is a networking component of Windows that’s mainly used to provide shared access to files and printers and to carry miscellaneous communications between nodes on a network. Security researchers believe this is how the infection has been able to spread so quickly: much more quickly than anticipated.
You might have noticed that while the WannaCry attack from Friday hit thousands and thousands of computers, the total ransom collected so far is less than $100,000. That’s pretty low by ransomware standards. There are a few reasons for this:
A security researcher going by the name Malware Tech accidentally stumbled upon a killswitch built into the malware, which stopped Friday’s infection from spreading. However, a new variant of the malware has already been released, known as Uiwix. This new variant is believed to no longer have the killswitch built in, which means the only way of stopping the new infection is to patch the SMB vulnerability in Windows. Microsoft’s WannaCry support information can be found here, along with direct downloads of the patch for each version of Windows with the SMB vulnerability. Be sure you’re also running a robust antivirus that can check for new malware strains as they appear.
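The post’s advice boils down to two checks an administrator should be able to run on every Windows host: is the SMB security update installed, and is SMBv1 still switched on? The PowerShell below is an added example written for this page, not code from the blog or from Microsoft. It assumes Windows 8 / Server 2012 or later (the SmbShare and NetSecurity cmdlets it uses do not exist on Windows 7 or XP), and it uses the placeholder `KBXXXXXXX` where you would put the real update ID for your Windows build from Microsoft’s guidance page. It disables only SMBv1; SMBv2 is left alone because current Windows file sharing depends on it, so the protection for SMBv2 is the patch itself. The optional inbound port 445 block is meant for workstations that never serve files, not for file servers.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the blog post): audit and harden a host's SMB exposure.
# Assumes Windows 8 / Server 2012 or later. KBXXXXXXX is a placeholder for the
# Microsoft SMB security update ID that applies to this build of Windows.

$SmbPatchKb   = 'KBXXXXXXX'                    # placeholder, see Microsoft's guidance
$BlockRuleName = 'Block inbound SMB (TCP 445)'  # name of the optional host firewall rule

function Get-SmbExposureReport {
    # 1. Does the SMB server still accept the SMBv1 dialect?
    $srv = Get-SmbServerConfiguration
    # 2. Is the SMBv1 optional feature installed at all?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # 3. Has the SMB security update been applied? (Get-HotFix errors on an unknown ID.)
    $hotfix = Get-HotFix -Id $SmbPatchKb -ErrorAction SilentlyContinue
    # 4. Is TCP/445 listening, and is there already an inbound block rule?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $blockRule = Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SMB1ServerEnabled = $srv.EnableSMB1Protocol
        SMB1FeatureState  = if ($feat) { $feat.State } else { 'NotPresent' }
        SmbPatchInstalled = [bool]$hotfix
        Port445Listening  = [bool]$listening
        Inbound445Blocked = [bool]$blockRule
    }
}

function Set-SmbHardening {
    param(
        [switch]$BlockInbound445   # only for hosts that do not need to serve files
    )
    # Stop the server from negotiating SMBv1 (takes effect immediately) ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the SMBv1 feature entirely (fully effective after a reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Optionally refuse unsolicited inbound SMB at the host firewall. Workstations
    # rarely need to accept inbound 445; file servers must keep it open and rely on
    # the patch instead.
    if ($BlockInbound445 -and -not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

# Usage: audit first, decide, then harden and re-audit.
$before = Get-SmbExposureReport
$before | Format-List
if ($before.SMB1ServerEnabled -or -not $before.SmbPatchInstalled) {
    Write-Warning "$($before.ComputerName) is still exposed: SMBv1 enabled or SMB update missing."
}
# Set-SmbHardening -BlockInbound445   # uncomment on workstations after reviewing the report
# Get-SmbExposureReport | Format-List  # confirm the change
```

The report is a plain object, so it can be collected from many machines (for example via `Invoke-Command`) and filtered for hosts where `SMB1ServerEnabled` is true or `SmbPatchInstalled` is false, which turns the post’s "keep your systems patched" into a list of specific machines to fix.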