Security Bulletin - Ransomware [WannaCry]
19th May 2017
As you will likely have seen on the news over the last week, many countries have fallen victim to a computer virus known as Ransomware, with this particular strain named “WannaCry”.
We want to reach out to you on the subject of this ever-increasing computer threat. It’s been around for a few years now and you may already have heard of it, but in essence it’s a form of computer virus which has become very popular.
Like all viruses, it has different modes of transport; however, its most common method is via email or website download. Also like many viruses, it can be very convincing to the end user and is therefore innocently opened. Once opened, the virus starts encrypting all files it has access to, bar the actual Windows operating system; it usually completes this task within 5 – 60 minutes.
Towards the end of its encrypting procedure, it often displays a message on the screen, informing the user that all their files have been encrypted and that the only way to receive the decryption key is to follow a link to the Bitcoin website and part with money. Hence the name Ransomware.
The unfortunate reality is that there is no way to remove the encryption placed upon the files. The only two options the victim has are to either pay the ransom (which often fails anyway) or recover the data from a backup.
Needless to say, it’s a very powerful virus and one that won’t be disappearing from the IT world any time soon due to its effectiveness at extorting money. A quick Google reveals its success against both small and high-profile victims, including NHS trusts and national telephony companies.
Fortunately, here at Host My Office we have some general safeguards in place which help to protect your customers from Ransomware and viruses in general. These include our ProofPoint/McAfee email filtering service, our SonicWALL firewalls and MalwareBytes/McAfee antivirus software on your customer servers. Many of these vendors have had the antidote to “WannaCry” for some time, such as SonicWALL, which released a patch to our firewall appliances back in April. In addition to our security vendors’ protection, we ensure all of our customer Remote Desktop Servers (RDS) run weekly Microsoft Windows Updates, which, in the case of WannaCry, plug the known Microsoft vulnerability, rendering the virus useless (see here for more details). (Please note that if you have any of your own servers hosted with us, we do not run Windows Updates on these unless you have specifically requested us to, therefore you must!).
That said, we can never guarantee (neither can anyone!) that such a virus won’t slip through and be opened. This is the reason we wanted to send you this email: to prepare your customers in case they contract a Ransomware virus.
Last year, Host My Office put in place a new system to further help protect our customers should they contract Ransomware. We have built upon our standard nightly backup, so that we now back up all your customer servers every hour, purely for Ransomware recovery. This means that should they contract Ransomware, we can recover their server to the closest hour prior to the Ransomware executing (as opposed to what previously would have been the previous night’s backup). For example, if a Ransomware incident occurs at 4PM on Tuesday afternoon and the alarm is raised at 4:30PM when staff notice they cannot open files, we are able to restore the affected server to a backup taken at 3PM. This means they have only ~1 hour of lost data as opposed to the whole day.
There are obviously still challenges to be faced even when utilising the hourly backup, namely the time it takes to discover the virus (on average an hour before the alarm is raised) and the downtime during the server restoration, as all users are required to sign out. So to help minimise the risk of attack, we're recommending users follow the below advice:
• Abide by the common-sense rule of never opening attachments from senders you do not recognise.
• Always hover over a link in an email to verify the actual URL before clicking the link.
• Raise the alarm as soon as you identify that files are not opening correctly or have an unusual file extension.
• Raise the alarm if you notice a text file in every folder with instructions on how to pay the Bitcoin ransom.
Feel free to circulate these symptoms and advisory bullets to your customers.
We hope the above is informative and gives you some peace of mind with the current news headlines. That said, Ransomware is a very real threat at the moment and we want to ensure your customers are well versed in what our present protection and recovery methods are, should they be subjected to it.
If you have any questions or would like any further discussion, please feel free to contact us via the usual support channels.
The Host My Office Team.