In our exclusive series of interviews with business leaders and experts, this month we are talking to Kevin Curran, IEEE Senior Member and Cybersecurity Professor at Ulster University, about the recent WannaCry ransomware attack. The interview covers the flaws that let the ransomware spread and how IT admins and PC users can protect themselves from this kind of malware.
Interview with Kevin Curran on Recent Ransomware Attack
Q1. What is the status of the ransomware attack?
Ransomware is showing worrying trends. Malwarebytes shows an increase from 17% in 2015 to 259% in 2016. WannaCry spreads by infected machines joining a network, rather than the traditional ransomware attack vectors, which previously required each machine to be infected separately through malicious attachments. You can actually track the infections on the following site: https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all
Q2. Which regions are most affected and where is it potentially headed?
It is approaching 200,000 global infections. The worst areas affected are Russia and Europe. The USA is also starting to heat up.
It uses a known Windows exploit called EternalBlue, which was created by the NSA and released to the public in April 2017 by a hacking group known as the ShadowBrokers. Microsoft did fix the problem in April, but it seems that many system administrators have not updated their systems with the latest Windows patches. What is scary is that organisations like the NHS are running 15-year-old operating systems such as Windows XP, which have been unsupported for some time now. Microsoft have taken the unprecedented step of releasing fixes for Windows XP on this occasion. The scary and powerful feature of this malware is its ability to perform network scans over TCP port 445 (SMB) and compromise other machines. The result is encryption of files and the demand of a ransom payment in the form of Bitcoin. It also installs a persistent backdoor to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware.
Q3. Is this a new version that doesn’t have a “kill” switch? How do you think this attack may be slowed?
The spread of the attack was brought to a sudden halt when one UK cybersecurity researcher found and inadvertently activated a “kill switch” in the malicious software. It turns out that the virus was coded to check whether an obscure website address was registered and live, and to halt if this was the case. It was effectively a kill switch. This, however, can easily be overcome in a modified release, which is what has already happened. Yes, this has indeed slowed the initial attack, but this is only the first wave of such wormable ransomware attacks. Finally, the warnings that security experts have been sounding for years have come to the attention of the public: more money needs to be spent on cybersecurity, organisations need to run modern, patched operating systems and educate their staff in safe computing, and of course they need to simply back up. Regular off-premises (or non-network-attached) backups would have prevented this modern nightmare.
Q4. What can people do to protect themselves?
– The number one preparation for potential ransomware infection is to employ a proper backup policy. The backups should be serialised, with previous versions of files stored. Of course, these backups should not be stored on network-attached drives, as ransomware can infect shared and removable media. A good rule of thumb is the 3-2-1 backup strategy, which is shorthand for 3 total copies of your data, where 2 are local but on different media (e.g. an external hard drive) and 1 is off premises.
– Other preparations include deploying firewalls, active attachment scanning and web filtering, in addition to IDSs and anti-malware.
– Restricting user privilege is important, as malware executes with the same privileges as the victim is running with.
– Make sure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied. Organisations with SMB publicly accessible via the internet (ports 139, 445) should block inbound traffic.
– Of course, the most effective way for ransomware to gain a foothold on people’s computers is when people click on links. Educate employees about the dangers of clicking on links.
– Having ad-blocking enabled can also help as ransomware is distributed through malicious advertisements served up to users when they visit sites.
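The following script is an added example, not part of the interview or of any Microsoft guidance. It turns the Windows-specific items in the list above into a host check and a host-firewall block: is a MS17-010 package listed, is SMBv1 still enabled, and is inbound TCP 139/445 blocked. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration and the NetSecurity cmdlets); the KB IDs in $ms17010Kbs are the MS17-010 package numbers for the common OS versions and should be confirmed against Microsoft's bulletin for the exact build in question.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the interview): audit one Windows host for the
# WannaCry exposures listed in Q4 and block inbound SMB at the host firewall.
# Assumptions: Windows 8.1 / Server 2012 R2 or later; the KB list below is
# taken from MS17-010 for common OS versions and must be verified per build.

$ms17010Kbs = @(
    'KB4012598',                            # XP, Vista, Server 2003/2008, Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Server 2012 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2 (security-only / rollup)
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Listed {
    # Get-HotFix reports installed packages. On Windows 10 a later cumulative
    # update supersedes these IDs, so "not listed" means "check the date of the
    # newest cumulative update", not "unpatched".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    # EternalBlue targets the SMBv1 server; this is the server-side switch.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Block-InboundSmb {
    # One inbound block rule for NetBIOS session (139) and SMB (445).
    # Block rules take precedence over allow rules in Windows Firewall, so this
    # overrides the built-in "File and Printer Sharing" allow entries.
    $name = 'Block inbound SMB (MS17-010 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    MS17010Listed = Test-Ms17010Listed
    SMB1Enabled   = Test-Smb1Enabled
}
$report | Format-List

if ($report.SMB1Enabled) { Disable-Smb1 }
Block-InboundSmb
```

The firewall rule is the blunt version of "block inbound traffic": on a workstation it costs nothing, but on a file server it stops legitimate clients too, so there scope the rule with -RemoteAddress to the subnets that must not reach the share (or block only at the perimeter, as the interview suggests for internet-facing SMB). Disabling SMBv1 is the durable fix; the patch closes the specific flaw, the protocol removal closes the attack surface.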
There are limited options once an attack is underway, due to the rapid file overwriting, which is also the main indicator that ransomware is present. Activity-monitoring tools can potentially scan for distinctive patterns that indicate this and take the system or entire network offline to prevent the spread of the virus. Later, disk forensics techniques can be employed to recover unencrypted files. With the current wormable ransomware, simply pulling the plug on the network/computers may prevent utter devastation, but unfortunately computers are quite quick to execute code…
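As an added example of the activity-monitoring idea described above (not code from the interview or from any product), the script below runs a rapid-overwrite heuristic over a constructed set of file-change events and, on a hit, shows the containment step of taking the host off the network. The event objects, the 10-second window, the 20-write threshold and the three-directory rule are assumptions to be tuned per environment; in production the events would come from a FileSystemWatcher, NTFS audit logs or Sysmon rather than a hard-coded list. The .WNCRY extension is the one WannaCry appended to encrypted files.

```powershell
# Added example (not from the interview): burst-of-overwrites heuristic over
# constructed file-change events, plus a -WhatIf'd network isolation step.
# Assumed event shape: objects with Time (DateTime), Path (string), Action
# ('Created' | 'Modified' | 'Renamed' | 'Deleted'). Thresholds are assumptions.

function Test-RansomwareBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $WindowSeconds     = 10,
        [int]      $MinWrites         = 20,
        [int]      $MinDirectories    = 3,
        [string[]] $SuspectExtensions = @('.wncry', '.wcry', '.wnry')  # WannaCry variants
    )
    $sorted = @($Events | Sort-Object Time)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start  = $sorted[$i].Time
        $end    = $start.AddSeconds($WindowSeconds)
        $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
        $writes = @($window | Where-Object { $_.Action -in 'Created', 'Modified', 'Renamed' })
        if ($writes.Count -lt $MinWrites) { continue }

        # Volume alone is noisy (builds, backups, sync clients). Two extra signals:
        # writes fanning out across many directories, and files gaining a known
        # ransom extension.
        $dirs      = @($writes | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique).Count
        $ransomExt = @($writes | Where-Object { [IO.Path]::GetExtension($_.Path) -in $SuspectExtensions }).Count
        if ($dirs -ge $MinDirectories -or $ransomExt -gt 0) {
            return [pscustomobject]@{
                Detected         = $true
                WindowStart      = $start
                Writes           = $writes.Count
                Directories      = $dirs
                RansomExtensions = $ransomExt
            }
        }
    }
    return [pscustomobject]@{ Detected = $false }
}

# Constructed sample: a user saving five documents over five seconds (benign),
# then 40 files created across five folders within four seconds, all .WNCRY.
$t0 = Get-Date '2017-05-12 10:00:00'
$benign = 0..4 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds($_); Path = "C:\Users\alice\Documents\report$_.docx"; Action = 'Modified' }
}
$attack = 0..39 | ForEach-Object {
    $dir = @('Documents', 'Pictures', 'Desktop', 'Music', 'Videos')[$_ % 5]
    [pscustomobject]@{ Time = $t0.AddMinutes(5).AddMilliseconds($_ * 100); Path = "C:\Users\alice\$dir\file$_.docx.WNCRY"; Action = 'Created' }
}

$result = Test-RansomwareBurst -Events ($benign + $attack)
$result | Format-List

if ($result.Detected) {
    # Containment: pull the host off the network so a wormable sample cannot
    # scan for port 445 on its neighbours. -WhatIf only shows the action;
    # remove it to actually isolate the machine.
    Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false -WhatIf
}
```

Run as-is, the benign burst never reaches the write threshold, while the attack window trips on both extra signals (five directories, 40 ransom extensions) and the script prints the adapters it would disable. The heuristic deliberately errs toward isolating a host: a false positive costs a reconnect, a false negative costs every share the host can reach.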