Now that the dust has settled, let’s have a brief look at what happened last week.
The papers have been full of stories of NHS Trusts’ IT systems being made inoperative by a ransomware attack which seems to have been co-ordinated on a world-wide scale. The Guardian has a good summary here.
We know why the attack was carried out, and that was in the hope of getting a lot of Bitcoin for decryption of data on the infected machines. Leaving aside who did it and whether it was carefully co-ordinated – we say perhaps, but so much depends on chance that the rapid spread was perhaps down to luck – what was different about this one?
We’ve seen ransomware before and the delivery method was no different this time; the malware has been dropped into systems as a result of some action the computer user has taken. What is new is the inclusion of an old approach to spreading malware, the worm; this is where the dropped-in malware seeks any network-attached file share, replicates itself to that share, and does its dirty work on those new hosts as well. Quite a cunning combination of an old basic virus delivery method and a much more recent approach to extracting money from the victims.
There was also an element of external control built in to the malware, and in an intriguing side story to the main event this guy seems to have found and used it to restrict propagation of the malware.
There is another summary of the attack on Sophos’ site here.
We’ve only had a few conversations with clients this week about their vulnerability to this type of attack. This silence concerns us because everyone has been, is, and remains vulnerable to these exploits. The initial dropping-in of the malware usually needs someone in an organisation to have done something to allow that to happen; the typical trigger event is a click on a link in a poisoned email but visiting a poisoned website can also kick off a malware problem.
The most effective protections from these exploits are training, awareness, and taking care. It might be disappointing that the these are social measures rather than technical products which can be bought, paid for, and trusted to do the complete job. Unfortunately, we need real people to pay attention and take responsibility for their actions online.
Having said that, all Excellimore clients have protection from one of the two anti-malware products with which we have many years’ experience. A key part of our service to all clients is regular patching and updating of their systems; we checked all our client systems after this round of attacks to make sure and all were up to date and in good order.
Remember that no technical approach to threat mitigation can be completely 100% effective, because the bad guys work quickly to try to stay one step ahead of the best countermeasures which the anti-malware vendors can release. There’s a constant race between the two and there are times when exploits are released with a time gap before protection systems can be updated and that’s why awareness and care are important.
Older systems are more exposed to this sort of incident; no Excellimore clients use Windows XP any more, and only one of our clients is using two servers still running Windows Server 2003. These systems are no longer updated or supported by Microsoft but, unusually, a security patch has been released for them. This is because the NHS and some other large organisations do use these older systems under special (and expensive!) support contracts directly with Microsoft; the vulnerability is so serious that Microsoft have made the update generally available to everyone this time round.
As ever, if you have concerns about your organisation’s awareness of these issues we’ll be pleased to have a conversation.