The what, why and how of the WannaCry ransomware attack

What happened?

It appears that the initial attack relied on a phishing email, but unlike most ransomware emails which only affect one PC at a time (as each user opens a targeted email), this attack unusually included a worm, which exploited an unpatched Microsoft vulnerability allowing it to immediately infect any unpatched computer on the same IT network.

Why did it happen?

Every month Microsoft releases security patches for its software products, and the patch released on March 14th included and fixed the vulnerability before it became a real problem. However, the fix only works if users apply the patch in a timely manner. So, generally speaking, if organisations had patched their IT systems, they would not have been exposed to this particular ransomware attack. It is worth noting that most personal users are safe if they have Microsoft’s automatic updates enabled.

The only other cause behind this attack was where users’ systems were using out-of-date versions of Windows (for example Vista and XP). In response to this particular attack, Microsoft has taken the unprecedented step of patching their no-longer supported operating systems.

How can you protect your business?

New variants of the malware have already been made, and we may not have seen the worst of it. Therefore, it is important to ensure your business is protected against ransomware attacks and at the same time is prepared to deal with any potential or detected ransomware attack that may infect your systems.

Checklist for ransomware protection

1. Upgrade all obsolete/unsupported systems and ensure all systems have the latest security updates applied. Any end-users using old versions are vulnerable to the many other exploits that are out there. These users should consider upgrading to either Windows 7 SP1 , Windows 8.1 or Windows 10.
2. Ensure a mechanism is in place to patch your organisation’s systems as soon as any updates are released. Hackers know that they only have the limited time between the release of a patch (which also creates awareness of a new vulnerability) and its application to create and distribute something to take advantage of the vulnerability. So clearly, the longer you take to patch your systems, the more vulnerable you are to attack.
3. Check data backups or system snapshots to ensure they are very recent and disconnected/air gapped from your network once complete. Ensure back-ups are stored offline and off site. Business continuity / recovery plans should be tried and tested to verify the ease with which systems may be restored.
4. Ensure email is passed through effective content filters and that all users are made aware not to blindly trust email messages, and to refrain from clicking links and opening attachments that look suspicious. Click here for more guidance on How to Spot a Phishing Scam.
5. Regularly review user access permissions to data and restrict them to the absolute minimum needed.
6. Implement two-factor authentication, especially for access to all remote access and online services.

What to do if you detect ransomware

1. Disconnect the network cable from the back of all computers and wireless routers, firewalls and switches and immediately power each device down. Do not power down your website or database servers unless you have a strong suspicion they are affected. Ensure that all remote access is disabled.
2. Mark the systems you are certain are affected and take immediate steps to try to ascertain the method by which your systems became infected. For example, who was the user of the first computer (desktop/laptop/server) to notice and/or report the infection? And is receipt of a particular email a likely source?
3. Consider the best approach to manage staff awareness and availability along with the need to initiate your business continuity plan.
4. Check your backups (including snapshots) ensuring that any restoration would not inadvertently restore the ransomware.
5. Do not pay the ransom or in any way initiate communications with the criminals.

QBE’s cyber insurance policies cover the types of cyber scenarios described here and provide a broad service, from forensics to establish the extent of what is happening, to restoration of IT systems, public relations costs, business interruption and if needs be, reimbursement for any ransoms paid. This brochure tells you more about our offering, and please contact your broker for a quote.