Ransomware Alert: New Strain in the Wild

Derek Boczenowski
May 12, 2017 4:23:21 PM

Friends of Compass,

There is a rash of ransomware attacks being reported that has affected as many as 74 countries. One of the most heavily reported sectors is hospitals within the United Kingdom, with at least 16 hospitals affected. Many hospitals report being disabled and unable to perform regular functions (phones shut down, pen and paper notes only, and patients asked not to come to the emergency rooms). Other victims include a telecom company in Spain and some FedEx computers. This attack does not seem to be targeted at any specific industry or company.

Ransomware is computer malware that installs on a victim's system and runs a program that holds the victim's data hostage until a ransom is paid, displaying an extortion message to the user. Simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.

Early investigation leads security staff to believe that this is a variant of ransomware called Wanna Decryptor (also called WannaCry), a relatively recent addition to the ransomware family. There is a theory that this strain is being spread through a vulnerability in the Microsoft Server Message Block (SMB) service, which was patched with Microsoft Security Bulletin MS17-010 back in March. A screenshot of the ransomware is below:

Ransomware Screenshot.jpg

Currently, the malware is easily removable from the systems, but removing the malware does not decrypt the files. As of this writing, the only way to decrypt the files is to pay the ransom or restore files from a clean backup.

Compass recommends taking the following steps to protect systems and files from ransomware:

  • Keep systems fully patched with critical updates. Make sure that in this case, the MS17-010 patch is applied.
  • Make sure good, clean backups exist for data in case you need to restore files.
  • If you see a message like the one above, do not do anything else except disconnect your system and report it to IT immediately.
  • Keep your security (malware and endpoint protection) up to date and running on all systems.
  • Train staff to never click on links or files from unknown sources.

What to do if compromised:

  • Contact law enforcement.
  • Isolate the systems and networks to avoid the spread of the malware.
  • Restore data from clean systems.
  • Conduct an assessment of all systems to confirm they are clean after the incident is over.

Compass can provide the following services to assist with the prevention of ransomware:

  • Security Awareness Training - Train your staff and refresh this training annually. Don't do it because it is a compliance requirement; do it because you want to build a culture of security in your organization. People are your weakest link, so empower and equip them to question suspicious emails and phone calls they receive.
  • Social Engineering Assessments - Test your employees. Send them phishing emails and see how many of them click on the suspect links, and how many times they click. We do these all the time for clients and you would be shocked at how many people click on the links.
  • IT and Security Risk Assessments - Ensure you are using best practices to secure, monitor, and protect your network, data, and staff from accidents and malicious compromises.

If you have any questions on this or any other IT Security topics, please don't hesitate to contact us. Also, don't forget about our upcoming webinar that is focused on the latest threats in Social Engineering. Be safe and secure and register below!

Register for our May Webinar