Information on recent ransomware attacks

In light of the recent ransomware attacks that are beginning to have global repercussions and could potentially impact our departmental labs and students in ISE, we’re providing a brief explainer on the problem and what you can do to keep yourself safe. The initial bulletin went out in an email to the HFES student chapter in May 2017, and we thought we would let it live here in perpetuity.

Most recent updates on specific ransomware strains are at the top, with older entries in descending chronological order.


June 2017
It seems another ransomware attack (nicknamed NotPetya) is just beginning to spread throughout Europe and, because it’s right in the middle of the business day here in the US, threatens to more seriously affect American machines as well.

​Because I’m sending this email early in the interest of providing quick information to the group, I’m not completely satisfied with the certainty of exploit method or attack vector for this strain of ransomware. However, it seems to be exploiting the same method of attack that WannaCry (the last attack I sent an update for), for which Microsoft issued a series of patches in March and April. Those with these March and April patches installed should be safe.

Please check to see whether your system is completely up to date. If not, patch immediately. If you do, you should continue to remain vigilant, particularly if receiving emails from unknown senders. Remember, patching is not a guarantee of safety, particularly because malware can be reconfigured to bypass specific countermeasures. You must still be safe online (see the May post, below this) and be careful with what you’re doing.

For those interested in additional recommendations for keeping yourself safe, see the post below for tips. In particular, never open unexpected emails from unknown senders (especially if they ask you to look at an attached document) and patch everything early and often.

For those interested in learning about NotPetya’s vector and infection strategy, please see this brief from PaloAlto Networks.

 


May 2017
What happened?

In mid-May 2017, more than 181,000 computers in nearly a hundred countries (as of 1:30pm on Saturday, May 13) were hit by a fast-moving ransomware attack, crippling digital networks used by transportation, banking, shipping, and healthcare organizations in Europe and Russia; the UK’s National Health Service was hit particularly hard, as were a number of big organizations in Spain and Russia. These attacks spread malware from machine to machine, encrypting critical files that renders the machine unusable until a ransom is paid. If the ransom is not paid in time, the encryption key is deleted by the attacker and the files are effectively rendered “lost.”

How did it spread?
This strain of ransomware, nicknamed “WannaCry,” “WannaCrypt0r,” and “WCry.” exploited a vulnerability present in a Windows operating system filesharing protocol called SMB. Critically, users didn’t have to open an infected email or file on the computer for it to take hold; rather, it could just spread from machine to machine (without user interaction) by using that vulnerable network communication method.

Who is vulnerable?
Anyone running an Internet-connected Windows computer, from Win8 all the way down to WinXP. Windows 10 users were never at risk, nor were users of Mac or Linux operating systems.

How can you protect yourself?

Keep your software updated. Microsoft issued a patch for this vulnerability in March for the affected operating systems, so those who regularly install software updates were protected. Under absolutely no circumstances should you ever disable or refuse to install updates for any computer or smartphone. That goes for all devices you use: Mac, Windows, Linux, Android phones, iOS phones, smart TVs, routers, everything. Update all the things, patch early, and patch often.

Back up your critical files on a regular basis, and store those backups on something like a USB drive or an external hard drive. Those drives should remain disconnected unless you’re actively making a backup. Ransomware works by encrypting every file system that it can find attached to the affected machine, so if you back up your files but leave the drive attached it’ll just encrypt that as well. Your backups are then useless.

More generally, exercise extreme caution opening emails from people you don’t know, and be even more cautious enabling macros on things like Word or Excel documents — leave them in “protected mode” unless you absolutely must edit them. Though WCry didn’t use it, most ransomware attacks rely on unsuspecting users allowing software to run on their computers. Ransomware is often embedded in malicious documents that look harmless.

What should you know going forward?
Ransomware is here to stay for the foreseeable future; this is certainly not the last time we’re going to hear about it. Follow the steps above to get started protecting yourself.

There’s quite a bit to this story and the threat that malware poses. To learn more about it, as well as more specific tips for information security and what you can do to stay safe, please email Adam Houser at adamhous@buffalo.edu.