'WannaCry': update systems warn Africa's security specialists
The global ransomware attack 'WannaCry', described by cyber security experts as the biggest recorded attack of its kind, hit networks worldwide over the weekend and has triggered warnings for African business owners and organisations to be vigilant and update their systems.
The attack is reported to have started on Friday 12 May 2017 and exploits a vulnerability in unpatched versions of Microsoft Windows; fully supported systems that had not yet installed the March update were affected, not only out-of-support ones.
According to africatechnet.blogspot, several organisations and businesses worldwide have fallen victim to the threat, including the UK's National Health Service (NHS), Telefonica (Spain), Russia's interior ministry and Megafon (Russia).
While commonly referred to as 'WannaCry', the ransomware, according to a blog post by cybersecurity company Fortinet, is also known as WCry, WanaCrypt0r, WannaCrypt or Wana Decryptor.
Fortinet says the ransomware spreads from machine to machine using ETERNALBLUE, an exploit attributed to the NSA and leaked online in April 2017 by the hacker group known as The Shadow Brokers. ETERNALBLUE targets a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) protocol, so any reachable Windows host with SMBv1 enabled and the fix missing can be infected without any user action.
"Microsoft released a critical patch for this vulnerability in March in Microsoft Security Bulletin MS17-010. That same month, Fortinet released an IPS signature to detect and block this vulnerability. And we released new AV signatures today to also detect and stop this attack," states Fortinet.
"The security of our customers' systems is of paramount importance to Fortinet. In recent weeks, we released several updates to help block this attack and we are actively monitoring the situation to respond to any new malicious behaviour. In addition, we are reaching out to our customers, strongly recommending that they update their systems," the security firm adds.
Eset South Africa said that, according to Europol, over 200,000 victims had been hit in more than 150 countries, making this "the largest ransomware attack observed in history".
"The malware encrypts data on a computer within seconds and then displays a message asking the user to pay a ransom of about R4,000, which is lower than other ransomware we have seen – but the true cost will be all the time, lost files, and other collateral damage caused by this attack.
"The files touched by the attack are encrypted and the attacker is the only source for the key to reverse that – this can have dire consequences, especially in the healthcare sector. Encrypted patient records, doctor's files and other items may not be usable or accessible unless there is a good backup to restore from. So far the culprits are unknown – but it is unlikely that it was one person," stated Eset South Africa.
IT security firms recommend installing the Microsoft security update (MS17-010) on every Windows machine, in addition to running anti-malware software.
"For businesses, patches can be very difficult to get deployed across the entire network - this one you will want to install. It has been available since mid-April and actually stops the exploit from gaining a foothold in your environment," according to Eset South Africa.
Fortinet also advises that users back up data regularly, schedule anti-virus and anti-malware programs to automatically conduct regular scans, and disable macro scripts in files transmitted via email.
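The patch and SMBv1 advice above, as an added PowerShell example that is not part of the article and is not Fortinet's or Eset's own tooling. It audits a single Windows host for the two conditions ETERNALBLUE needs, the MS17-010 update missing and the SMBv1 server still enabled, and can disable SMBv1 and block inbound port 445 as an interim measure. The KB numbers in the list are assumed from Microsoft's MS17-010 bulletin for common Windows versions and should be confirmed against the bulletin for your exact build; a host whose later cumulative updates supersede those KBs will show as unpatched here and must be checked by srv.sys file version instead.

```powershell
# Added example (not from the article, Fortinet or Eset). Run in an elevated
# PowerShell session on the host being checked.
# ASSUMPTION: this KB list is a partial transcription of the MS17-010 bulletin;
# verify it against the bulletin before relying on it.
$Ms17010Kbs = @(
    'KB4012598',  # Windows XP / Server 2003 / Vista / 8 (out-of-band release)
    'KB4012212',  # Windows 7 / Server 2008 R2 security-only update
    'KB4012215',  # Windows 7 / Server 2008 R2 monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2 security-only update
    'KB4012216',  # Windows 8.1 / Server 2012 R2 monthly rollup
    'KB4012214',  # Server 2012 security-only update
    'KB4012217',  # Server 2012 monthly rollup
    'KB4012606',  # Windows 10 1507 cumulative update
    'KB4013198',  # Windows 10 1511 cumulative update
    'KB4013429'   # Windows 10 1607 / Server 2016 cumulative update
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patched {
    # Compares installed hotfix IDs against the list. Later cumulative updates
    # supersede these KBs, so a miss is a prompt to check srv.sys, not proof of exposure.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{ Patched = ($hit.Count -gt 0); MatchedKb = ($hit -join ',') }
}

function Get-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on Windows 7 / Server 2008 R2 fall back to the LanmanServer registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means SMBv1 is on by default.
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    # Turns off the SMBv1 server and blocks inbound TCP 445 so an unpatched host
    # cannot be reached by the worm. The firewall rule also blocks legitimate file
    # sharing to this host; remove it once MS17-010 is installed and the host rebooted.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (MS17-010 interim)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# Audit, then warn when both conditions for ETERNALBLUE hold.
$patch = Test-Ms17010Patched
$smb1  = Get-Smb1Enabled
"MS17-010 KB found: $($patch.Patched) [$($patch.MatchedKb)]; SMBv1 server enabled: $smb1"
if (-not $patch.Patched -and $smb1) {
    Write-Warning 'Exposed to ETERNALBLUE: install MS17-010, run Disable-Smb1, then reboot.'
}
```

Disabling SMBv1 with Set-SmbServerConfiguration takes effect immediately; the registry fallback on Windows 7 needs a reboot (or a restart of the LanmanServer service) before it applies, so re-run the audit afterwards rather than trusting the change blindly.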
"If your organisation has been affected by ransomware, here are some things to do: Isolate infected devices immediately by removing them from the network as soon as possible to prevent ransomware from spreading to the network or shared drives. If your network has been infected, immediately disconnect all connected devices. Power off affected devices that have not been completely corrupted. This may provide time to clean and recover data, contain damage, and prevent conditions from worsening. Backed-up data should be stored offline. When an infection is detected, take backup systems offline as well and scan backups to ensure they are free of malware. Contact law enforcement immediately to report any ransomware events and request assistance," Fortinet adds.