WannaCry Outbreak – What is Ransomware?
Panic spread across the country Friday afternoon, as news emerged that NHS Trusts across the country had been hit by a crippling cyber attack. Computers in hospitals, wards and GP receptions were crashing, before a message popped up on screen notifying the user that all their files had been encrypted, along with a countdown to pay a ransom for their return. By the evening it was becoming clear that the NHS was not the only target, as reports of infected computers sprang up across Europe and Asia.
The attack was the most high-profile example to date of a type of virus or malware that has been growing in prominence in recent years – “Ransomware”. But just what is Ransomware, and how can you prevent data losses resulting from it?
An increasing risk
Ransomware attacks vary in exactly how they are implemented, but they usually involve an attacker gaining access to a computer, before securely encrypting all of the files with a unique key. A message is then displayed to the user demanding a monetary ransom be paid to unlock the files. There is often a countdown involved, after which the ransom will increase, or sometimes the files will be permanently encrypted. Though the underlying concept behind this type of attack was first proposed by researchers in the 90s, it wasn’t until the rise of Bitcoin, which provides a completely secure way for the attackers to receive payment, that it began to emerge as a common threat. Cruelly, the payments involved are often designed so that they are just small enough to not make it worth paying for replacement hardware.
The attack that crippled systems worldwide last week was an especially aggressive piece of Ransomware, dubbed “WannaCry”, or “WanaCrypt0r 2.0”. Unlike the Mirai malware attacks of recent months, in which connected devices such as CCTV cameras were used as unwitting bots for an attack, most Ransomware relies on good old-fashioned malicious email attachments to spread. Crucially, this program uses an exploit against older Windows operating systems that was first made public as part of a massive dump of NSA and CIA hacking tools on Wikileaks in April. Because of this, when opened on a computer running one of these systems, WannaCry will automatically spread to any other computer on the same local network.
Microsoft had released a patch to prevent its use on newer systems; however, it emerged that most of the systems hit were running versions of Windows XP, which has been unsupported for years. It was widely known that many organisations still run this system, so when the hacking tools were first leaked, most security experts warned it was a case of “when”, not “if”, a large-scale attack like this would happen. As a result, blame for the attack has been placed on everyone from the NSA, to Wikileaks, to the Department of Health for not updating NHS systems. The only party who haven’t been criticised so far are the attackers, as nobody knows who they are. It’s not even established yet whether this was intended as a deliberate attempt to cripple infrastructure, or just an attempt at extorting some money that got out of hand.
How can it be prevented?
Despite the catastrophic scope of the attack, the advice for avoiding it is very similar to that for any other malware:
- Make sure all of your software and operating systems are updated with the latest patches. Despite it being out of support, Microsoft have even taken the unusual step of issuing a patch for Windows XP.
- Take special care when opening email attachments, even if you think they’re from a trusted contact.
- Make sure your antivirus software is fully up to date and enabled.
- Be careful to keep a regular external, offline backup of any important documents. This is important because if you use cloud or network-attached storage, those documents are likely to get encrypted as well!
What can I do if I’ve been infected?
Unfortunately, not much. Modern encryption methods mean that once affected, your files are at the mercy of the attacker. There have been instances where attackers have been caught and prosecuted, and as a result keys have been made public for people to get their data back. As it stands, however, it is looking very unlikely that this will happen with the WannaCry attack. Because of this, the only viable option is usually to wipe the computer and reinstall Windows. Some types of ransomware can be removed by using “System Restore” in older versions of Windows, but this does not always work, and the infection may still remain.
Ultimately, as with so many IT problems, the only surefire solution is to make sure you have secure, up-to-date backups of everything.