It has been a busy month for cyber criminals! There is a new threat spreading across the internet that we want to make you aware of. This one, referred to as “WannaCry”, has the ability to spread across servers, laptops, and PCs automatically! In other words, it does not require a user to click on anything; it just spreads!
Once a machine is infected, all files get encrypted. This includes locally stored files and files on the network. The only way to decrypt the files is to get the decryption key form the cyber criminals by paying a ransom with Bitcoins. Since Bitcoins are untraceable, yet still hold real value, it is a perfect way for cyber criminals to stay hidden, while still getting paid.
News of this vicious ransomware is spreading all over the internet, with almost every news outlet providing new stories and updates throughout this weekend. In fact, several CentraComp customers have sent emails and called us about this, wondering what can be done to keep them protected.
At CentraComp, we take matter like this very serious! We have spent this entire weekend checking, double checking, and triple checking your environments! We are pretty confident that the preventative measures we have taken have greatly reduced the risk of an infection.
Who is it targeting?
Pretty much any device that is connected to the internet and running older, or unpatched versions of Windows (Windows XP, Windows 8, Server 2003 for example). In a very rare move, Microsoft even issued a patch for the 3-year end of vendor support Windows XP! In short, if an OS is unpatched, it will be targeted! It has already hit dozens of large institutions across the globe, including U.K.’s National Health Service, FedEx in the UK, the Russian Interior Ministry, China’s National Petroleum Corporation, Renault factories in France, and more.
So, what can be done?
This attack was largely preventable. Had more victims simply installed the security patches Microsoft released two months ago, this would not have spread so fast. Again, the patch to protect against this virus was released two months ago (except for those still running Windows XP, that was only released 2 days ago as an emergency release from Microsoft).
So, as long as devices have security updates applied on or after March 14th, the exploit this ransomware leverages have been addressed.
For clients under a monthly support agreement, CentraComp patches servers every month, so the patch that addresses this has already been applied. Also, over this past weekend, CentraComp checked all of the PCs that were up and available to us through GoTo Assist. However, some PCs were offline, and therefore need to be double checked ASAP.
There is still more to do!
Just to be safe, and to ensure that every PC and Laptop has been checked, we ask that each PC and Laptop user also check to ensure they have the latest updates from Microsoft applied. We have attached a document that gives detailed instructions on how to check this. We want to ensure that the “Windows Update” window shows that there are no updates available.
Note: The patch blocks the virus from spreading, but if a device is already infected, the virus can lie dormant until it decides to trigger the encryption process. So, making sure antivirus programs are up to date is vital too! Instructions on that process are at the end of the attached document.
More about the actual exploit:
"Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren’t updated after March 14 with the MS17-010 patch were affected; this patch resolved an exploit known as ExternalBlue, once a closely guarded secret of the National Security Agent, which was leaked last month by ShadowBrokers, a hacker group that first revealed itself last summer. The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update. Through the ExternalBlue exploit, the malware installed an NSA backdoor payload called DoublePulsar, and through it went WannaCry, spreading rapidly and automatically to other computers on the same network—potentially hundreds at a time. "Whereas ransomware such as Locky normally requires user interaction, such as opening a word document, WannaCry has the capability to spread automatically," AlienVault threat engineer Chris Doman told Gizmodo. “Thankfully a weakness in the method of propagation has allowed researchers to take control of a piece of attacker infrastructure and limit new infections—it could have been a lot worse."
What if I am already infected? OR, how do I know if I am already infected?
As mentioned, this virus targets all files stored on a PC or network. If you try to open a file and get an error message like shown below, you are infected! If this happens, CentraComp recommends the following actions:
- Immediately unplug the PC from the network.
- If you are connected via Wireless connection, turn off the WiFi.
- If you are not familiar with how to do either of these, skip to step 2.
- Power off the device.
- Contact us at email@example.com.
- Leave the PC powered off until instructed otherwise. This will prevent the spread of the virus.
Information Security continues to be a top priority at CentraComp! It is important to stay current with your Carbonite subscriptions to maintain a solid backup plan and your AVG CloudCare subscriptions to maintain a secure environment. These tools work!
If you have any questions, please feel free to contact us a helpdesk @ centracomp.com.