
An estimated 200,000 or more victims in over 150 countries have been paralysed by the WCRY ransomware virus, which has its roots in a treasure trove of US Government malware that the 'Shadow Brokers' hack released into the public domain.

Concern is still high as the attacks continue, and many organisations including the NHS are firefighting to try to clean up the mess. Many fear more spikes in malicious activity as people return to work today after the weekend and computers are turned on, potentially waking up further dormant infections.

Should I be concerned?

The malware attack Wanna Decryptor does not affect Windows 10 systems, or any Windows 7, Windows 8.1 or Windows Vista PC that has received the March 2017 batch of Windows Updates. However, older Microsoft operating systems, or PCs that have not received the March 2017 updates, may be vulnerable. EC2 IT advises clients to set all PCs to install Windows Updates as they are released, so it is likely that client systems are not vulnerable.

What the malware needs to take hold

The ransomware attack – known as Wanna Decryptor or wcry – can affect all versions of Windows up to and including Windows 8.1 that are not sufficiently up to date with Windows Updates. Windows 10 is not vulnerable to this attack.

Microsoft released a Security Update in March to fix the vulnerability this exploit uses in all currently supported editions of Windows. However, if you are using an out-of-date version of Windows, e.g. Windows XP, or have not allowed Windows Update to run and install the update released on 14th March 2017, then you could be affected.

All Windows Servers managed by EC2 IT are updated on a monthly schedule to ensure they are protected from threats. If you are still using Windows Server 2003 we would advise upgrading to a newer version as Server 2003 is still vulnerable.

Currently there is no evidence of how the attack first gets into a company’s network, however you should always be suspicious of unsolicited e-mails and never follow links or open attachments in e-mails you aren’t expecting.

What we’ve done to mitigate against this form of attack

EC2 IT have advised all clients in the past to migrate away from Windows XP, prior to its end of life in 2014, and believe that none of our clients are actively using this Operating System.

Windows Server 2003 and Windows 8 (Microsoft currently only supports its free upgrade, Windows 8.1) have the same vulnerability, as they are no longer actively supported by Microsoft and therefore do not receive security updates.

For all clients on other Windows operating systems we ensure, by default, that automatic updates are enabled and run on a regular basis, provided users fulfil their part and switch off or reboot their PCs regularly so that the updates can install. For larger clients, we can centrally manage the installation of Windows security updates to ensure that these are always regularly installed.

We also advise our clients to use a hardware firewall on their internet connection, locked down to prevent external access to their networks, so that attacks like this cannot easily spread in from external sources.

We also advise clients that users on their networks should not have administrative rights on their PCs by default, as such rights allow malware to be installed and to propagate.
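The points above (unsupported OS versions, whether updates have installed since the 14th March 2017 release, whether automatic updates have been switched off, and whether the logged-on user has administrative rights) can be checked on a single PC with a read-only PowerShell script. This is an added example, not EC2 IT's own tooling; the mapping of OS names to the products the article lists and the 'S-1-5-32-544' well-known SID for the local Administrators group are assumptions noted in the comments.

```powershell
# Added example (not EC2 IT's tooling): report a PC's posture against the points in
# this article. Runs as a standard user; it changes nothing, it only reads and reports.

$os      = Get-CimInstance Win32_OperatingSystem
$caption = $os.Caption
$build   = [version]$os.Version

# Products the article says no longer receive security updates (assumption: matched on
# the caption text). The trailing space after "Windows 8 " keeps Windows 8.1 out.
$unsupported   = @('Windows XP', 'Windows Server 2003', 'Windows 8 ')
$isUnsupported = [bool]($unsupported | Where-Object { $caption -like "*$_*" })

# Windows 10 (major version 10) is described in the article as unaffected.
$isWin10 = $build.Major -ge 10

# Has anything installed since the 14th March 2017 update was released?
$cutoff = Get-Date '2017-03-14'
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff })

# Automatic Updates policy: NoAutoUpdate=1 under this key means updates are disabled.
$auKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auPolicy   = Get-ItemProperty $auKey -ErrorAction SilentlyContinue
$auDisabled = [bool]($auPolicy -and $auPolicy.NoAutoUpdate -eq 1)

# Is the logged-on user in the local Administrators group? Checking the token's group
# SIDs (assumed well-known SID S-1-5-32-544) also catches UAC-filtered admin accounts.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

[pscustomobject]@{
    OS                         = $caption
    UnsupportedOS              = $isUnsupported
    Windows10                  = $isWin10
    UpdatesSinceMar2017        = $recent.Count
    AutoUpdateDisabledByPolicy = $auDisabled
    UserIsLocalAdmin           = $isAdmin
}
```

Any PC reporting UnsupportedOS as True, UpdatesSinceMar2017 as 0, AutoUpdateDisabledByPolicy as True or UserIsLocalAdmin as True falls into one of the risk categories described above and should be looked at first.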

Should you pay the ransom?

Almost definitely not. You are dealing with criminals, and have no guarantee of them honouring the transaction. As of 16/5/17 the Bitcoin wallets attached to the attack have only accumulated £50k in payments, low for an attack of this scale, with some speculation emerging that it was either a politically motivated attack or a huge accident. Instead, restore your files from backup at the last confirmed 'clean' date and accept, unfortunately, that you may suffer some data loss.

How we can help

EC2 IT offers a range of services to bolster your network security such as (but not limited to): 

  • Website filtering systems and outbound port & traffic restrictions
  • Installing modern routers/firewalls with gateway antivirus protection (to scan packets for viruses at firewall level before they enter your network)
  • Centrally managed corporate antivirus installations
  • Centralised update and patching management via WSUS to monitor Windows Updates and confirm client workstations are installing vital updates
  • Creating a “Guest” wireless network to protect against potentially infected personal devices being attached to the company network
  • Removal of unnecessary administrator rights from workstations to limit malware's ability to spread (and users' ability to accidentally install malware)
  • Security audits
  • IT Policy implementation and review assistance to ensure users are aware of the dos and don'ts of using your corporate IT systems
  • End user security awareness training
  • Machine disinfection
  • Forensic analysis and reporting
  • Security testing

Current clients of EC2 IT can contact our team via the usual channels if they have any concerns though we are currently contacting all of our clients to reassure them as to their level of protection.

If you don't currently work with us and have concerns about this or any other IT Security matter that you would like us to address, please contact us for IT Support or IT Security advice.

Further reading

EU Guidance on issue - https://ciso.eccouncil.org/wp-content/uploads/2014/04/Wannacrypt-wanncacry-briefing-2b.pdf?utm_source=cisosite

BBC coverage on whether to pay - http://www.bbc.co.uk/news/technology-39920269

City of London Police - https://www.cityoflondon.police.uk/news-and-appeals/Pages/A_Health.aspx