Headlines over the past day or so have been dominated by the news that a strain of ransomware has been tearing around the globe infecting more than 120,000 computers.
NHS facilities and services have been hit particularly hard, but so have the likes of telecoms giant Telefonica, banks Santander and BBVA, plus companies and individuals in Russia, Japan and several other countries.
Called WannaCry, but also known as WanaCrypt0r and WCry, the ransomware is infecting computers and encrypting files, before demanding the user pay a ransom for their files to be decrypted.
WannaCry leverages a Windows vulnerability, which Microsoft released a patch for, known as MS17-010, in March. However, many organisations appear to have failed to install this patch, or are running old versions of Windows to which this doesn’t apply.
On Friday night, though, an unnamed cybersecurity researcher and Darien Huss, from security firm Proofpoint, found a way to stop the malicious software spreading.
“I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time,” the nameless knight in shining armour told The Guardian.
He bought the domain for just $10.69 and noticed straight away it was registering thousands of connections every second. Basically, the malware has been making requests to that particular domain name and once these requests came back showing the domain was live, a “kill switch” was activated, stopping the malware from spreading.
We’re not out of the woods yet though, it seems. “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again,” said the unlikely hero.
Protecting your business
So just what can you do to protect your business from this malware, and other pieces of malicious software that are doing the rounds?
Tom Gaffney, security advisor at cybersecurity firm F-Secure, said: “Organisations should make sure they have a properly configured firewall and have the latest Windows security updates installed, in particular MS17-010, to prevent spreading.”
He went on to say that, as a general rule of thumb, companies should always use a “robust” security solution, keep software up to date and limit the use of browser plugins.
“Don’t let let your guard down with firewall hygiene – configurations from 2000 could have prevented this. Make sure to take regular back-ups, so that you can get up and running again quickly if you are attacked. And don’t open email attachments from someone you don’t know,” Gaffney added.
A spokesperson from cybersecurity solutions provider Bitdefender, said companies should disable the ‘Server Message Block’ service on their computer if patching is impossible, then install the patch, update their software and make sure they have all Windows updates on their machine. Firms should then backup their data on offline hard drives. The spokesperson stressed the ransomware malware can encrypt files on external drives such as a USB thumb drive, as well as any network or cloud file stores.
A Symantec blog post urged people to be extremely wary of any Microsoft Office email attachment that advises them to enable macros to view its content.
“Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email,” it explained.
Those already infected by the malware are advised to not pay the ransom, as there is no guarantee the cybercriminals will adhere to their side of the bargain and could just demand further payment once an initial transfer has been made. Cybersecurity firms are looking for solutions, but unfortunately it could be the case that encrypted files cannot be retrieved. This whole shenanigans is essentially a stark reminder of the importance of maintaining good cybersecurity practices.