Today May 12, there has been a massive denial of service attack that began with the NHS system in the UK which affected dozens of hospitals, and spread to six continents affecting an estimated 75,000 machines!
According to gizmodo.com “Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren’t updated after March 14 with the MS17-010 patch were affected; this patch resolved an exploit known as ExternalBlue, once a closely guarded secret of the National Security Agent, which was leaked last month by ShadowBrokers, a hacker group that first revealed itself last summer.
The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update.”
Attached is a screen shot shown on Kaspersky Lab's blog on WannaCry. The ransom started at $300worth of bitcoin, but has since been raised according to the Kaspersky post.
The scope of this attack is unprecedented and underscores the need to keep current with security patches. While this attack may not have come from clicking on bad links, as a reminder, many of these attacks start from a link or attachment inside an email. Do not click on links or open attachments in emails that you are not expecting. It is also recommended that you reboot your computer on a regular basis to complete any security patches that may be waiting to complete.
It also underscore the need to have a recovery plan. Recovering from Ransomware attacks may be possible if backups have been taken. and you have a point in time copy prior to the attack. Scott Sinclair of Enterprise Strategy Group recommends the use of (some vendor's) Object storage in a recent report: Object storage helps with ransomware protection.
Scott notes that some object storage systems like Hitachi’s HCP, supports a feature called object versioning. Object storage systems are designed for write once, read many (WORM). With object versioning, any change or update to the object is written as a new version of the object, while the previous version is retained as well. When malware encrypts the data to prevent it use, it is written as a new version and the original object is not changed. In other block or file systems the original data is locked up with encryption and not available until a ransom is paid.
With HCP the storage admin simply sends out a command to roll affected objects back to their previous versions. This restoration is much faster, simpler and less costly than restoring data from a backup copy, if one is available and if it is current.
In the case of these systems that are affected, if they do not have such an object storage in place or the recovery from backups is too costly, they might just have to pay the ransom.