May 13

Ransomware May 2017

Posted by EricW on Saturday 13th May 2017

Your risk right now (Saturday 13th May)

If you didn’t get a ransomware demand yesterday, you’re not going to get infected BY THIS VERSION OF THE MALWARE: a researcher (@MalwareTechBlog, credited at the bottom) registered the web address this build checks before it spreads, which stopped it in its tracks. That doesn’t mean:

  • You’re never going to get ransomware
  • You don’t need to update your PC
  • You don’t need good AV/Malware software
  • You don’t need backups, because Dropbox
  • You don’t need to worry about security, because Mac

It means that there is a short time window to fix any problems you have with your company cybersecurity, because a version without that off-switch is the obvious next move and this threat is coming back.

Short version of what’s happened:

Various alphabet soup National Security Agencies – no-one knows how many – discovered bugs in the Windows file-sharing service (SMB) that could be exploited to take over computers. So, rather than tell Microsoft about them, they kept quiet. For years.

Someone decided this was bad and leaked those exploits on the internet in April. Microsoft had, as it turned out, quietly patched the bugs a month before the leak (bulletin MS17-010, 14th March), so by Friday the fix had been available for two months.

Everyone was supposed to update their computers at that point. Not everybody did. It's hard to update thousands of computers in a short time.

On Friday 12th, a group of people released a piece of malware which, once it is running on one machine:

1. Scans the local network (and the wider internet) for other Windows computers with the unpatched file-sharing bug and infects them directly, without anybody having to open anything. It also encrypts files on any network drive the infected machine can write to.

2. Encrypts user files on the infected machine

3. Starts up a connection to the Tor network

4. Deletes any shadow copies (Windows’ own “previous versions” snapshots) on the infected machine

5. AFTER encryption has completed, displays a ransom screen

How the first machine in each organisation got infected was reported on Friday as spam email; that has not been confirmed, and once inside, the malware does not need email at all to reach the next machine.

What should I do?

1. Don’t open documents from unknown senders. Don’t enable features on such documents. Don’t take sweeties from strangers.

2. If you have Windows XP, Windows 2003, Windows Vista or Windows 8 machines on your network, replace them as soon as possible. Microsoft has, unusually, released an emergency patch for these out-of-support versions too; apply it, but they are still unsupported and still need to go.

3. Make sure your Windows PCs are fully patched: Control Panel – Windows Update (Settings – Update & security on Windows 10).

4. Make sure you have a mechanism for promptly applying patches in future.

5. Run effective anti-malware software on your computers and make sure it updates regularly.

6. Make sure you have usable backups isolated from your computers. Make sure the backups run regularly. Test that you can restore data from your backup regularly.

7. Make sure your network is securely configured. In particular, Windows file sharing (port 445) must not be reachable from the internet, and the old SMBv1 version of file sharing should be turned off wherever nothing still depends on it.
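For anyone who looks after their own Windows machines and wants to check the patching and network points above by hand, here is a PowerShell script added to this post. It is not from the original article and not a vendor tool. It assumes you run it as Administrator; the KB numbers are the ones Microsoft listed for the March 2017 fix (MS17-010), and on Windows 10 later cumulative updates replace those numbers, so there the SMBv1 and firewall checks matter more than the KB list. The Windows 7 fallbacks use the registry value and netsh command Microsoft documents for disabling SMBv1 and blocking a port.

```powershell
# Added example (not the article's own): check and harden one Windows PC
# against the SMBv1 bug this ransomware uses to spread. Run as Administrator.
# Assumes Windows 7 / Server 2008 R2 or newer; the Smb* and NetFirewall
# cmdlets appear on Windows 8 / Server 2012, so older systems take the fallbacks.

#Requires -RunAsAdministrator

# 1. Is one of the MS17-010 patches installed? KB list as published in the
#    March 2017 bulletin. On Windows 10 these are rolled into later cumulative
#    updates, so a missing KB here is NOT proof of being unpatched there.
$ms17010 = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
             'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 patch present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found. Run Windows Update now (on Windows 10, check the build is current)."
}

# 2. Is SMBv1 still enabled? The exploit only works against SMBv1.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning "SMBv1 is enabled. Disabling it (reboot required)."
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the optional feature as well so it cannot quietly come back.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    } else {
        Write-Host "SMBv1 already disabled."
    }
} else {
    # Windows 7 / 2008 R2 fallback: the LanmanServer SMB1 registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cur = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($cur -ne 0) {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning "SMBv1 disabled via registry (reboot required)."
    } else {
        Write-Host "SMBv1 already disabled (registry)."
    }
}

# 3. Block inbound file sharing (TCP 445) on the Public firewall profile so a
#    laptop on cafe Wi-Fi cannot be reached by an infected neighbour. Domain
#    and Private profiles are left alone so office file shares keep working.
$ruleName = 'Block inbound SMB 445 (public networks)'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
        Write-Host "Firewall rule '$ruleName' added."
    }
} else {
    # Windows 7 fallback: same rule through netsh.
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        protocol=TCP localport=445 profile=public | Out-Null
    Write-Host "Firewall rule '$ruleName' added via netsh."
}

# 4. Are the shadow copies this malware deletes even present? No snapshots
#    means no local "previous versions" to fall back on; rely on your backups.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
Write-Host ("Shadow copies present: {0}" -f ($shadows | Measure-Object).Count)
```

Reboot after running it so the SMBv1 change takes effect, and re-run it afterwards to confirm the state stuck. Turning off SMBv1 will break very old devices (some printers and NAS boxes); if one stops working, that device is the thing to replace, not the reason to turn SMBv1 back on.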

All I understood there was “don’t take sweeties from strangers”.

OK.

If you have a support contract with us, you should be fine, but get in touch if you need more specific reassurance.

If you haven’t got a support contract and are worried, get in touch and we’ll help you assess your problems.

We can automate your update process so you need do nothing but the odd reboot.

We can provide excellent anti-malware software.

We can sort out an off-site backup over the internet, check it runs, fix it or nag you if it doesn’t, and help you with test restores.

We can look at your current network and suggest changes to make it more secure.

What about my website?

Square Daisy have been posting about this - essentially:

We back up the websites we host every night, so we can recover your data from anything like this (and we check the backups ran).

Most of the websites we host are on Linux rather than Windows, so they are not vulnerable on this occasion.

Professionally hosted Windows websites will be on servers which have been patched and firewalled to protect them from this vulnerability.

If you’re hosting your own Windows server, in your office, on an XP box under the desk, well… you have things to do, I’ll not keep you.

Thanks to:

Iain Thomson @ TheRegister
@MalwareTechBlog
Cisco’s Talos team

And good luck to anyone cleaning this up.