A massive cyber-attack has struck organisations around the world. Among the worst hit was the National Health Service (NHS) in England and Scotland. According to the BBC about 40 NHS organisations and some medical practices were hit, with operations and appointments cancelled. As a precaution many of the affected trusts shut down their IT systems.
Here at Alchemy Systems we were not affected, and neither were any of our clients. This is largely down to the fact that we ensure Windows automatic updates are enabled for all devices by default, so the March patch was already in place. This malware also relies on dropping executable files to disk and running them, which makes it an easy threat for an application whitelister to stop. We encourage all our clients to make use of a next generation Endpoint Protection product such as Adaptive Defense 360 from Panda Security; its application whitelisting function would have blocked this threat from the outset.
How WannaCry worked
So how did WannaCry attack so many organisations in so many countries?
The specific vulnerability that WannaCry uses to propagate itself is a flaw in Microsoft's SMBv1 file-sharing protocol (CVE-2017-0144), attacked with an exploit called ETERNALBLUE that was developed by the United States National Security Agency (NSA). The NSA kept the flaw secret and used the exploit itself; how easy it is to 'weaponise' has now become very clear. The exploit was released into the public domain by the group "Shadow Brokers" on 14 April 2017 as part of a larger trove of tooling stolen from the NSA. The NSA is reported to have tipped Microsoft off about the stolen material, and a patch (security bulletin MS17-010) was released on 14 March 2017 through the normal automatic updates process, almost two months before WannaCry appeared on 12 May and a month before public disclosure. A device with MS17-010 installed cannot be infected over SMB by an infected neighbour, which is the mechanism that did the damage, so the patch significantly reduces the impact of the malware. Note that MS17-010 was not initially published for Windows XP and Server 2003, which were out of support; Microsoft issued an emergency patch for those versions only once the outbreak was under way.
The use of this exploit is what made WannaCry so dangerous: it spread laterally across internal networks with no user interaction at all, and it also scanned the internet for hosts with TCP port 445 (SMB) exposed. It is therefore a worm as well as ransomware. This explains why organisations like the NHS and Telefonica were so badly affected, and why workstations that were never used for email or web browsing were infected. The larger and flatter the network, the faster it spread among unpatched devices: once a single device was infected it reached every other unpatched device it could see on port 445.
Killing the Malware
Within hours, a security researcher (Marcus Hutchins, writing as MalwareTech) spotted a domain written into the malware's code which it contacts at the start of execution. He registered it for a few dollars thinking he could sinkhole the domain and capture the IP addresses of infected machines, in order to pass them to the authorities and the Shadowserver Foundation so that companies, ISPs and CERTs could be told which of their networks were affected and limit the spread. He realised later that a live, responding domain actually acts as a kill switch: the malware exits if its HTTP request to the domain succeeds, and only encrypts and spreads if it fails. With the domain registered, the spread virtually stopped. Two caveats matter for defenders. First, the check is made with a direct connection that ignores proxy settings, so a host with no direct internet access fails the check and runs the payload anyway. Second, variants with different kill-switch domains appeared within days and had to be registered in turn; a variant with the check removed altogether would not be stopped this way, and there will still be plenty of unpatched devices next time around.
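Because the malware only asks for the kill-switch domain once it is already running, a DNS lookup of that name from an internal client is a reliable sign that the client executed WannaCry, whether or not that run went on to encrypt. As an added example (not code from the original post), the PowerShell below runs that detection over a DNS query log. The log format here is a constructed, simplified one (date, time, client IP, query name); a real Windows DNS debug log or Sysmon Event ID 22 record needs its own parser. The domain is the first kill-switch domain registered on 12 May 2017.

```powershell
# Added example: find internal hosts that looked up the WannaCry kill-switch domain.
# A client that queried it ran the malware and should be isolated, patched (MS17-010)
# and cleaned, even if the lookup succeeded and that run exited without encrypting.

$KillSwitchDomains = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'   # first kill-switch domain, sinkholed 12 May 2017
)

# Constructed sample log lines for this example (not real traffic): date time client query
$SampleLog = @'
2017-05-12 14:02:11 10.0.5.23 update.microsoft.com
2017-05-12 14:02:15 10.0.5.41 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 14:02:16 10.0.7.8 www.bbc.co.uk
2017-05-12 14:03:02 10.0.5.41 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 14:05:40 10.0.9.77 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
'@ -split "`r?`n"

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Domains = $KillSwitchDomains
    )
    # One record per matching log line
    $hits = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 4) { continue }          # malformed line, skip it
        $query = $parts[3].TrimEnd('.').ToLowerInvariant()
        if ($Domains -contains $query) {
            [pscustomobject]@{
                Time   = "$($parts[0]) $($parts[1])"
                Client = $parts[2]
                Query  = $query
            }
        }
    }
    # Collapse to one row per client: when it was first seen and how many times it tried
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Lookups   = $_.Count
        }
    }
}

Find-KillSwitchLookups -LogLines $SampleLog | Format-Table -AutoSize
```

On the sample above the report lists 10.0.5.41 (two lookups) and 10.0.9.77 (one); 10.0.5.23 and 10.0.7.8 are not reported. Hosts with no DNS access at all never appear in this log and yet are the ones most likely to have encrypted, because the kill-switch check failed for them, so treat this as a starting list rather than a complete one.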
The Value of Cyber Essentials
Cyber Essentials (a UK government certification) requires, among other things, that security updates are applied within 14 days of release and that software which is no longer supported is removed. An organisation meeting those two requirements would have had MS17-010 installed weeks before the outbreak and would have had no Windows XP or Server 2003 machines to worry about. Had the NHS, Telefonica and the others closely adhered to Cyber Essentials they would not have been affected, or at least nowhere near so badly. Instead the National Cyber Security Centre (NCSC) is now working overtime to help put them back together again.
More about Cyber Essentials from Alchemy Systems here http://www.alchemysys.co.uk/consultancy/protect-your-business-from-cyber-attack-gain-cyber-essentials-certification/
Avoiding such attacks
These are just some of the ways that any organisation can avoid, or at least blunt, an attack such as WannaCry.
- Make sure automatic updates are turned on for every device, at every client site.
- Ensure all software is current and patched; in this case the fix had been available for two months.
- Ensure no unsupported operating systems (Windows XP, Server 2003) are in use; they did not receive MS17-010 until after the outbreak had begun.
- Disable SMBv1 wherever nothing still depends on it, and block TCP port 445 at the internet perimeter and between user subnets. This is the protocol and port the worm used.
- Segregate devices onto separate LANs wherever possible, so that a worm on one subnet cannot reach every unpatched host in the organisation.
- Use application whitelisting.
- Use DNS filtering against known malicious domains, but understand its limits in this case: WannaCry's only outbound lookup was the kill-switch domain, and a host that cannot reach that domain (because it is blocked, or because the host has no direct internet access and the malware ignores proxy settings) goes on to encrypt and spread. Its command and control runs over Tor, not over a hostname a DNS filter can block.
- Have Cyber Essentials or, even better, Cyber Essentials Plus certification.
- Deliver regular staff awareness training.
- Make regular use of phishing simulations.
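The patching, SMBv1 and segregation points above can be checked and enforced on a single host in a few lines. As an added example (not a script from the original post or from any vendor), the PowerShell below reports whether a host still has the two conditions the worm needed, a missing MS17-010 and an enabled SMBv1 server, and then remediates them, with a host firewall rule that applies the segregation bullet to workstations. Assumptions: the KB numbers listed are the March 2017 MS17-010 packages for each OS family; on Windows 10 they are superseded by later cumulative updates, so the SMBv1 state is the more reliable indicator there; the firewall rule name is hypothetical; the session must be elevated.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Audits one host for the conditions WannaCry's worm needed and fixes them.

# MS17-010 packages (March 2017). On Windows 10 these are superseded by later
# cumulative updates, so a missing KB there is not proof the host is unpatched:
# rely on the SMB1 state and the OS build instead.
$Ms17010Kbs = @(
    'KB4012598',               # XP / Vista / Server 2003 / Windows 8 (emergency release, May 2017)
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4013429'                # Windows 10 1607 / Server 2016
)
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1ServerEnabled {
    # The SMB cmdlets exist on Windows 8 / Server 2012 and later; older hosts use the registry
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # On Windows 7 / 2008 R2 SMB1 is on unless the SMB1 value exists and is 0
    $reg = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    return -not ($reg -and $reg.SMB1 -eq 0)
}

function Get-WannaCryExposure {
    # Returns one object describing the host's patch and SMB1 state
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [Environment]::OSVersion.Version.ToString()
        Ms17010Found = (@($found) -join ', ')
        Smb1Enabled  = Test-Smb1ServerEnabled
    }
}

function Disable-Smb1Server {
    # Turn off the SMB1 server, the surface ETERNALBLUE attacks. On Windows 7 the
    # registry change takes effect after a reboot; removing the optional feature on
    # 8.1 / 10 also needs a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Workstations rarely need to serve SMB at all; blocking TCP 445 inbound stops a
    # neighbouring infected host reaching this one even before it is patched.
    # Do not apply to file servers or domain controllers. The rule name is hypothetical.
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) { return }
    if (Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

$state = Get-WannaCryExposure
$state | Format-List
if ($state.Smb1Enabled) { Disable-Smb1Server }
Block-InboundSmb
```

Run the audit half on its own first (call Get-WannaCryExposure and read the output) across the estate before enabling the remediation lines, and keep a list of anything that genuinely still needs SMBv1, such as old multifunction printers that scan to a share, so those can be isolated rather than broken.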
Alchemy Systems – IT & telephony supply chain, installation & support contracts
Alchemy Cloud – Microsoft accredited hybrid cloud solutions
Zynet – Software house supplying bespoke development, web services & SharePoint
Tel: 0330 043 0801 / Exeter: 01392 248498 / Fax: 08707 059569