Expert FAQ: What you need to know about WannaCry

May 18, 2017  
Last week, cybercrime took itself to another level of horror when more than 100 organizations around the world were attacked by WannaCry, a particularly virulent strain of ransomware—a type of malware (i.e., a virus) that silently and stealthily encrypts a person’s data (e.g., MS Office files, PDF files, music/video/photo files, etc.). It then sends a message claiming that once a sum of money is paid, a decryption key will be provided. 

Sounds nasty, doesn’t it? It truly is, and our endpoint management experts have been hard at work raising awareness of what to do and how to respond to this latest ransomware attack.  

Compiled FAQ-style, our experts give you the good, the bad and the ugly: what you need to know about WannaCry, how Autotask Endpoint Management can help, and what to do if your data gets the dreaded encryption message. 

Q: What’s so special about WannaCry over other ransomware viruses, and how did it get that big so quickly?

A: Most ransomware infects its targets through “phishing” emails, which trick the user into clicking a link that installs it. It’s very effective, but infections are typically limited to just that device. WannaCry is different, because it also has worm-like capabilities. A “worm” is a type of malware that spreads across a network by replicating itself onto other devices, usually by exploiting security vulnerabilities in the operating system or applications. That is why we have “patches” and “updates”: to close those vulnerabilities. WannaCry uses EternalBlue, a leaked NSA-borne exploit against version 1 of the SMB (Server Message Block) protocol, to spread itself across corporate networks very quickly, encrypting the files on every vulnerable Windows device it finds and demanding payment to release the decryption keys.

Q: Which machines are more vulnerable and which are safe?

A: Windows Operating Systems from 8.0 and up for desktops, and Server 2012 and later for servers, do not have the EternalBlue vulnerability in their implementation of SMB v1 and are impervious to the spread of WannaCry. Those released previously (Windows 7 and lower for desktops and Server 2008 and lower for servers) are potentially vulnerable. Note that we are talking about vulnerability to the SPREAD of WannaCry, not the actual execution. A Windows 10 device is just as vulnerable to WannaCry as a Windows XP device is when the virus is executed directly; it is for this reason that we recommend employing a robust antivirus solution with regularly updated virus signatures together with regular Windows updates as a staple of your security strategy.

Q: What can be done to stop it spreading?

A: Microsoft released a patch to address the vulnerability for supported operating systems (Windows 7 SP1 and up for desktops, Server 2008 and later for servers) in its March 2017 patch release, alongside a few other high-priority fixes and tweaks. As long as your security patching is up to date, you are covered.

Microsoft has also released patches specifically for this vulnerability for XP and 2003 operating systems. It is strongly recommended that the SMB v1 protocol be disabled on devices that have any form of network connectivity. SMB v1 has long since been supplanted by SMB versions 2 and 3; the functionality can be removed with a simple registry tweak. Please do note that Windows Server 2003 only supports SMB v1.
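The registry tweak mentioned above, as an added example that is not Autotask’s ComStore component: it audits and disables the SMB v1 server protocol through the `LanmanServer` registry value Microsoft documents for Windows 7 / Server 2008-era systems, refuses to run on Windows Server 2003 (which only supports SMB v1), and reminds you that the change only takes effect after a reboot. The function and parameter names are this example’s own.

```powershell
# Added example: audit and disable the SMB v1 server protocol via the registry.
# Run from an elevated PowerShell session on Windows 7 / Server 2008 and later.
# The setting takes effect only after the endpoint is rebooted.

$smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # A missing SMB1 value means the default, i.e. SMB v1 is ON.
    $value = (Get-ItemProperty -Path $smb1RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value -or $value -ne 0) { return 'Enabled' }
    return 'Disabled'
}

function Disable-Smb1Server {
    param(
        [switch]$Reboot   # pass -Reboot to restart immediately instead of deferring
    )
    $caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    if ($caption -match 'Server 2003') {
        # Server 2003 has no SMB v2/v3; disabling v1 would break file sharing entirely.
        throw "Refusing to disable SMB v1 on '$caption': it is the only SMB version that OS supports."
    }

    $before = Get-Smb1ServerState
    Set-ItemProperty -Path $smb1RegPath -Name SMB1 -Type DWord -Value 0 -Force
    $after = Get-Smb1ServerState

    Write-Output "[$env:COMPUTERNAME] $caption"
    Write-Output "SMB v1 server: $before -> $after (effective after reboot)"

    if ($Reboot) { Restart-Computer -Force }
    else { Write-Output 'Reboot pending: schedule it rather than deferring indefinitely.' }
}

# Report first, then disable. Remove the comment on the last line to reboot right away.
Write-Output "Current SMB v1 server state: $(Get-Smb1ServerState)"
Disable-Smb1Server
# Disable-Smb1Server -Reboot
```

Run the script from Autotask Endpoint Management or any other remote-execution tool once per endpoint; the state lines it prints give you a before/after record for each machine.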

Q: How can you leverage Autotask Endpoint Management to patch and then protect your clients’ estates?

A: Autotask Endpoint Management has comprehensive Patch Management capabilities, which permit very granular control over patching your clients’ estates. A patch management strategy built from a number of Patch Management type Policies is an excellent and robust solution to centrally managed patching. Simply set up your Policies to target the appropriate endpoints in scope, with automated approval for the Security Updates and Critical Updates categories (and Definition Updates if you’re using Microsoft’s Defender anti-virus solution). We advise you to ensure your estates are up to date with their patching, to immediately patch any that are not, and to reboot the endpoints after the patching process rather than deferring it. The Autotask Endpoint Management online help site has excellent Patch Management type Policy documentation.

In response to the WannaCry threat, we published a specific Component to the ComStore called WannaCry Protection Windows Updates. The current version, suffixed with a “v2,” gives explicit options to control the reboot of the endpoint, and also to disable SMBv1 altogether. 

Q: What should you do if you’ve been hit and your data has all been encrypted? 

A: If you have a robust backup strategy that utilizes “version control,” you can simply revert to previous, unencrypted copies of your data. Autotask Endpoint Backup is an automated backup solution that has this feature. Unfortunately, there is little respite for those lacking a version-controlled backup solution. It is strongly recommended not to pay the ransom.

An on-demand webinar outlining the current situation and how to address WannaCry with Autotask Endpoint Management is available here.
