Protect Yourself from WannaCry and Other Ransomware Variants
May 16, 2017
Last week, thousands of companies across 150 countries felt the effects of an extensive ransomware cyberattack, known as ‘WannaCry’. The ransomware blocked users on infected computers from accessing their files unless a ransom was paid, effectively crippling business operations for many enterprises across the globe. Financial and economic losses from WannaCry could swell into the billions of dollars, making it one of the most damaging incidents involving so-called ransomware.
One of the major targets of this attack was Britain’s National Health Service, NHS, which left doctors from 16 health institutions unable to access patient files. Many non-urgent operations were cancelled, and affected hospitals were forced to divert ambulances to nearby institutions. In a 2017 report on cybercrime in healthcare, sponsored by Herjavec Group, Cybersecurity Ventures predicted that ransomware attacks on the healthcare industry alone would quadruple by 2020.
Cybercriminals, and by extension ransomware, are rapidly evolving. The recent surge in ransomware can be attributed to a lowered barrier to entry, with variants of ransomware that can be deployed by the everyday user. Ransomware-as-a-service (RaaS) is ransomware authored by advanced hackers, which is then sold or made available for others to download and use. Cheap to purchase and easy to spread, RaaS was a big theme that dominated the conversation around ransomware at RSA Conference 2017. Matt Anthony, Herjavec Group’s VP of Incident Response, notes, “This is a security threat that should be on a downward trend, but we’re seeing the opposite.”
Whether through a link in a malicious website/phishing email, or through a security vulnerability in a piece of outdated software, there are many variants of ransomware out there, and even more ways that ransomware can infect your devices. In order to best protect your organization from future ransomware attacks of WannaCry proportions, please review the following list of well-known ransomware variants and steps to mitigate the risks associated with them.
Common Ransomware Variants
CryptoLocker
First discovered in 2013, CryptoLocker infects the target computer via a social engineering attack and encrypts all the data before prompting users to buy the decryption password by paying the ransom. Another version of CryptoLocker, known as TorrentLocker, recently started spreading using a similar tactic — urging users to download, and open, a macro-embedded Word document to not only encrypt all the files, but also harvest usernames and passwords from the infected computer.
Locky
Released in 2016, the Locky variant uses malicious macros in Word documents to infect a computer, advising users to “enable macro” to decode the document. When enabled, the ransomware quickly spreads through the computer, encrypts all files using the .locky file extension, and asks the victim to pay the ransom in exchange for the decryption key.
Samas
This ransomware was first introduced in 2016 and was propagated through publicly available pen-testing tools, primarily to target the healthcare industry. Samas was noteworthy in that it spread through an entire network quickly and efficiently by stealing domain credentials, identifying targets, and moving laterally through the network.
WanaCryptor 2.0 (WannaCry)
This ransomware variant leveraged leaked NSA tools to instigate a global cyberattack by spreading via a known vulnerability (MS17-010). Herjavec Group covered this attack in a recent blog post, along with some tips on how to mitigate the risk of a potential infection.
Mitigating the Risks
Since Herjavec Group does not recommend paying the ransom in a ransomware attack, here are some steps organizations can take to prevent, contain, and recover from attacks by popular ransomware variants:
- Train your staff to recognize a phishing scam and other common social engineering tactics used by cybercriminals.
- Regularly back up all data on all computers to lower the risk of data loss.
- Unplug the network cable and turn any infected machine off to remove it from the internal network and stop the ransomware from spreading to other devices.
- If your business has a BYOD (bring-your-own-device) policy, ensure that your staff are aware of any risks associated with using their own devices at work.
- Regularly update and patch all applications to avoid being exploited by vulnerabilities used by cybercriminals to propagate the ransomware.
- When downloading any documents through email, always disable macro scripts and use Office Viewer software to view the downloaded documents.
- Restrict the ability to install software applications using the “Least Privilege” principle for all systems and services.
- Build a stronger security plan by whitelisting certain trusted applications that may be used by employees and requiring the use of a VPN for remote work.
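As an added example (not code from the original post or from Herjavec Group), the following PowerShell audit checks a Windows host for two of the controls above: whether Office macros are disabled by policy, and whether SMBv1 (the protocol whose flaw MS17-010 fixes and WannaCry exploited to spread) is still enabled. It assumes an elevated session, Office registry version "16.0" (Office 2016 and later; change $officeVersion otherwise), and a Windows 8.1 / Server 2012 R2 or later host where the SmbShare cmdlets exist.

```powershell
# Added example: audit Office macro policy and SMBv1 status on one Windows host.
# Assumptions: elevated PowerShell, Office registry version "16.0", SmbShare module present.

$officeVersion = "16.0"
$findings = @()

# 1. Macro settings for each Office application. A Group Policy value under
#    HKCU:\Software\Policies takes precedence over the user-level setting.
#    VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
#    3 = disable except digitally signed, 4 = disable all without notification.
#    blockcontentexecutionfrominternet = 1 blocks macros in files downloaded from the internet.
foreach ($app in @("Word", "Excel", "PowerPoint")) {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"

    $vba = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $vba) {
        # No policy set: fall back to the user's own setting (may also be absent = default 2).
        $vba = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    }
    $block = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    $vbaStatus   = if ($vba -in @(3, 4)) { "OK" } else { "REVIEW" }
    $blockStatus = if ($block -eq 1) { "OK" } else { "REVIEW" }
    $findings += [pscustomobject]@{ Check = "$app VBAWarnings";            Value = $vba;   Status = $vbaStatus }
    $findings += [pscustomobject]@{ Check = "$app block internet macros";  Value = $block; Status = $blockStatus }
}

# 2. SMBv1 server protocol. WannaCry spread through the SMBv1 vulnerability fixed by
#    MS17-010; disabling SMBv1 removes that attack surface even on hosts not yet patched.
$smb = Get-SmbServerConfiguration
$smbStatus = if ($smb.EnableSMB1Protocol) { "REVIEW" } else { "OK" }
$findings += [pscustomobject]@{ Check = "SMBv1 server enabled"; Value = $smb.EnableSMB1Protocol; Status = $smbStatus }

$findings | Format-Table -AutoSize

# Remediation once the findings have been reviewed (a reboot may be required):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Any row marked REVIEW is a host where the corresponding control from the list above is not in place; the script only reads settings, and the commented remediation line is left for the administrator to apply deliberately.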
Although the risks associated with ransomware and other cyberattacks may never decrease, there are a number of steps businesses can take to lower the risk of being targeted. Unfortunately, many businesses don’t prioritize security and as a result, when a security incident occurs, they are often ill-prepared to manage the risk effectively.
For in-depth technical guidance on how to protect your organization from ransomware, please connect with a security specialist here.
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services supported by state-of-the-art, PCI compliant, Security Operations Centers, operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across Canada, the United States, and the United Kingdom. For more information, visit www.herjavecgroup.com.