Worldwide "WannaCry" attack - still no sigh of relief possible
After the first damage caused by "WannaCry", the most extensive cyber-attack so far, spanning more than 150 countries, has been repaired, one thing seems increasingly clear: the lock-out of computers at Deutsche Bahn (DB), Renault, FedEx, Telefónica and other organisations on May 12, 2017 may only be the beginning of a longer extortion phase. How can the Trojans still in circulation be brought under control? A checklist.
In the "WannaCry" attack of last Friday, May 12, 2017, the ransomware exploited a vulnerability in Microsoft's Windows operating system that allowed it to infect further computers automatically, without anyone opening a file. According to a report by the German press agency DPA, the US intelligence agency NSA had kept this security hole to itself for its own surveillance purposes; a few months ago, unknown hackers made the exploit public.
Computers around the world were affected. They were hit by so-called extortion Trojans (ransomware), which encrypt the files on the machine and demand a ransom. Microsoft had closed the corresponding security hole in March, with security bulletin MS17-010 for the SMBv1 file-sharing service, but only computers on which that update had actually been installed were protected.
Switzerland spared so far
200,000 victims, 150 countries, and around 50,000 euros in ransom paid so far (in Bitcoin): the numbers are impressive. Impressive above all because the first wave was stopped relatively quickly, and by chance: a security researcher registered a domain that the malware checks before spreading, which acted as a kill switch. Unfortunately it is still too early to breathe a sigh of relief, firstly because the true extent will only gradually become known, and secondly because the attacks can be restarted without much effort, for example with a variant that no longer checks that domain.
According to official agencies such as the Swiss Reporting and Analysis Centre for Information Assurance (MELANI), only a small amount of ransom money has flowed so far, and in Switzerland not a single franc. So for once Switzerland has been spared. However, the fact that apparently none of the victims who paid have had their data returned raises questions about the intentions of the "WannaCry" authors.
Apparently the senders have no working mechanism for decrypting the data the ransomware encrypted, even though some victims have already transferred the extorted Bitcoins. Paying therefore buys nothing; recovery depends on backups the malware could not reach.
Experts expect further attacks. The number of attack vectors against sensitive facilities is too large for the attackers simply to stop. According to the security company Check Point, four clearly distinguishable methods have been observed:
1.) WannaCryptor infects computers directly over the network, from machine to machine, without any user interaction.
2.) Emails seeded with malicious links.
3.) Emails carrying malicious PDF attachments or ZIP archives that in turn contain malicious files.
4.) Brute-force attacks against exposed RDP servers, which, if successful, are also used to spread the ransomware.
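The fourth vector is the easiest one to spot in your own telemetry. As an added example (not from the article and not Check Point's code), the Python script below runs a sliding-window brute-force detector over a handful of constructed Windows Security events. Event ID 4625 is a failed logon and Logon Type 10 is RemoteInteractive, i.e. RDP; the one-line-per-event format, the IP addresses and the threshold of five failures within two minutes are assumptions for the demo.

```python
# Added example (not from the article): sliding-window detection of RDP
# password brute force in Windows Security events. Event ID 4625 is a failed
# logon; Logon Type 10 is RemoteInteractive, i.e. RDP. The one-line-per-event
# format below is an assumed forwarder format, not any real product's output.
from collections import defaultdict, deque
from datetime import datetime
import re

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<id>\d+) "
    r"LogonType=(?P<lt>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

def parse_event(line):
    """Parse one forwarded event; return None for lines in another format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "id": int(m["id"]),
        "logon_type": int(m["lt"]),
        "account": m["acct"],
        "source": m["src"],
    }

def detect_rdp_bruteforce(lines, threshold=5, window_seconds=120):
    """Return {source_ip: (failures_in_window, accounts_tried)} for every
    source that produced `threshold` or more failed RDP logons within a
    `window_seconds` span. Lines are expected in chronological order."""
    recent = defaultdict(deque)      # source -> timestamps still in the window
    accounts = defaultdict(set)      # source -> every account name it tried
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 4625 or ev["logon_type"] != 10:
            continue                 # not a failed RDP logon
        q = recent[ev["source"]]
        q.append(ev["ts"])
        accounts[ev["source"]].add(ev["account"])
        # slide the window: forget failures older than window_seconds
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["source"]] = (len(q), sorted(accounts[ev["source"]]))
    return alerts

# Constructed sample, not a captured log: one source hammering several
# accounts, one user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
2017-05-13 02:14:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2017-05-13 02:14:03 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2017-05-13 02:14:05 EventID=4625 LogonType=10 Account=backup Source=203.0.113.7
2017-05-13 02:14:06 EventID=4625 LogonType=3 Account=svc-print Source=10.0.0.12
2017-05-13 02:14:07 EventID=4625 LogonType=10 Account=test Source=203.0.113.7
2017-05-13 02:14:09 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2017-05-13 02:14:30 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.5
2017-05-13 02:14:35 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.5
2017-05-13 02:15:02 EventID=4625 LogonType=10 Account=scan Source=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for src, (count, names) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed RDP logons, accounts tried: {names}")
```

The network logon from 10.0.0.12 (type 3) and the single typo from 198.51.100.5 are ignored; only 203.0.113.7 crosses the threshold. In practice the alert should feed a block rule on the RDP gateway, and the cleaner fix is not to expose RDP to the internet at all.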
Operational countermeasures
What happened in Spanish and English hospitals in particular brings back memories of spring 2016, when the Locky encryption Trojan wreaked havoc, especially in Germany, and led to similar emergency situations. This time, however, the malware spreads like a worm: from one infected computer it propagates by itself across the entire network to other computers, without anyone having to open anything.
Organisations and their IT departments should now scan their systems, install the March Windows update (MS17-010) everywhere it is missing, disable the outdated SMBv1 protocol where it is not needed, block TCP port 445 at the network perimeter, block potentially dangerous email attachments, and filter out the malicious code. Better still is the use of dedicated security technologies that filter malicious code out of email attachments before employees can open them.
Solutions that detect infected websites also ensure that malicious links in emails are blocked. Endpoint solutions are also available that detect and stop ransomware as a last line of defence and automatically restore files that were already encrypted.
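To make the attachment filtering concrete, here is an added example (not from the article and not any vendor's product): a first-pass Python triage function that blocks executables and scripts by extension, looks inside ZIP attachments including nested archives, and flags PDFs that carry active content. The blocked-extension list, the nesting limit and the constructed sample attachments are assumptions; the PDF check is a plain string heuristic that a real gateway would replace with a proper parser, since object streams and hex-escaped names evade it.

```python
# Added example (not from the article): first-pass triage of email attachments
# for the "malicious PDF or ZIP attachment" vector. Policy values below are
# assumptions to tune per organisation, not recommendations from the source.
import io
import zipfile

# File types that should never reach a user as an email attachment.
BLOCKED_EXT = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
               "jse", "wsf", "hta", "ps1", "lnk", "msi", "jar"}
MAX_DEPTH = 3                        # reject archives nested deeper than this
MAX_MEMBER_SIZE = 50 * 1024 * 1024   # guard against zip bombs (declared size)

def extension(name):
    """Lower-cased final extension of a file name, '' if there is none."""
    base = name.lower().rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1] if "." in base else ""

def inspect_zip(data, depth=1):
    """Return a list of reasons to block; empty list means nothing found."""
    if depth > MAX_DEPTH:
        return [f"archive nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:   # encrypted member: cannot be inspected
                reasons.append(f"encrypted member cannot be inspected: {info.filename}")
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                reasons.append(f"member exceeds size limit: {info.filename}")
                continue
            ext = extension(info.filename)
            if ext in BLOCKED_EXT:
                reasons.append(f"blocked file type .{ext}: {info.filename}")
            elif ext == "zip":        # recurse into nested archives
                inner = inspect_zip(zf.read(info), depth + 1)
                reasons.extend(f"{info.filename} -> {r}" for r in inner)
    return reasons

def inspect_pdf(data):
    """Heuristic only: flag name objects that indicate active content."""
    reasons = []
    if not data.startswith(b"%PDF"):
        reasons.append("declared PDF lacks %PDF header")
    for marker in (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile"):
        if marker in data:
            reasons.append(f"PDF contains {marker.decode()}")
    return reasons

def triage_attachment(filename, data):
    """Return ('block', reasons) if any rule fires, else ('allow', [])."""
    ext = extension(filename)
    reasons = []
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked file type .{ext}: {filename}")
    elif ext == "zip":
        reasons.extend(inspect_zip(data))
    elif ext == "pdf":
        reasons.extend(inspect_pdf(data))
    return ("block" if reasons else "allow"), reasons

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples (no real malware): a lure whose "invoice" is an
# executable, a nested archive hiding a script, a benign document archive,
# and two PDFs, one with an auto-run JavaScript action and one without.
LURE_ZIP = build_zip({"Invoice_2017-05.pdf.exe": b"MZ placeholder", "readme.txt": b"see invoice"})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"scan.js": b"var x = 1;"})})
CLEAN_ZIP = build_zip({"report.docx": b"PK placeholder", "notes.txt": b"hello"})
LURE_PDF = (b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"

if __name__ == "__main__":
    for name, blob in [("lure.zip", LURE_ZIP), ("archive.zip", NESTED_ZIP),
                       ("report.zip", CLEAN_ZIP), ("invoice.pdf", LURE_PDF),
                       ("invoice.pdf", CLEAN_PDF)]:
        print(name, *triage_attachment(name, blob))
```

A rule like this belongs at the mail gateway, before the message is delivered; on the endpoint it is already too late for the WannaCry case, where the file never needed to be opened on the machines hit by the network vector.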
Such solutions considerably reduce the risk from WannaCry and its successors, but no filter is perfect: employees also need to be trained to recognise suspicious attachments and to report them, internally and to the appropriate authorities such as MELANI.
The Swiss reporting and analysis centre MELANI recommends that companies adapt their security measures to "WannaCry & Co."; its current guidance on concrete procedures is available in English only for the time being.