It will never happen to me! I'm sure everyone has said this in the past but recent events show it can happen to any business big or small and they don't care who they target.
Friday at 8am (GMT) saw one of the biggest cyber attacks ever seen on the NHS and many other large businesses around the world at one time at the rate of around 1000 per minute implanting ransomware which in essence sees the users PC's and servers locked down until you make payments to release them.
Computer generated representation of areas covered by this attack as of 6.04pm Eastern time 12/05/17
What is WannaCrypt? WannaCrypt is a Ransomware variant that was used in the attack that took place over the weekend. You might also hear it referred to as WannaCrypt, WanaCrypt0r. WCRY. These are all the same thing.
What is Ransomware? Ransomware is a virus that encrypts your files so you cannot access them, until you pay a ransom (in this case $300 in bitcoins)
Impact and Scope
The WannaCry ransomeware encrypts all local and shared files that users can access; it also removes the shadowcopies to make data recover more difficult
This attack was able to automatically spread across networks without users interventions.
There is no current known weakness in the encryption used by the ransomware.
We are advising customers to remain on a high state of readiness as we expect 'copycat' attacks to take place over the coming days.
All major anti-virus vendors have updated their signature database to include this version of the WannaCry ransomware. Ensure you have updated these systems to pick up any previously compromised clients.
Ensure all Windows clients have the Microsoft security update MS17-010. This vulnerability affects all Windows XP - Windows 10 and Windows Server 2000 - Windows Server 2016. - Microsoft has released patches for XP and Server 2003 outside of the normal support windows. Make sure you deploy these if you do have legacy operating systems.
Look for running processes or files across the network to ensure there is no remaining compromised clients.
Block access to the SMB port (445) between external networks. - if you need to allow access ensure this is restricted to the single requesting IP only.
If you are recovering machines with data that has not been backed up we recommend taking a image of the data in the case this can not be recovered
The simplest fix is to make sure you have deployed all Windows patches on all server and desktop Machines. Microsoft released the patch for this exploit back in March for supported operating systems. If your still running Windows XP or 2000, Microsoft have released an emergency patch for these over the weekend.
Need further support or a consultation into your current IT structure get in touch here