On Friday, May 12, the Internet was struck by a massive-scale, coordinated malware attack that crippled many networks, including much of the UK’s NHS along with a number of firms across the world, especially in Spain and Russia.
We explain what happened, why it was so successful and what you need to do.
A large number of computers, many connected to each other through local networks (such as NHS computers in a particular vicinity) became infected with a type of malware known as ransomware. Ransomware has been around for some time now and over the last few years has become one of the most popular categories of malware on the Internet.
What is ransomware?
Ransomware is particularly malicious, since it encrypts all the important files on a computer or network. This can include photos, videos and text documents. However, ransomware can be tailored to search for and encrypt any type of document deemed important to an individual or business. With many types of ransomware, the only way those files can be decrypted is with a decryption key.
This means even if the victim removes the ransomware infection, their important files are still left encrypted and useless.
To obtain the decryption key to unlock the files, the victim has to pay a ransom to the criminal, usually payable to the crook through an anonymous service like Bitcoin. Hence the name ransomware.
If a computer is infected with ransomware, the extensions of the encrypted files (for example .jpg) are changed to something else, depending on what version of ransomware encrypted the file. Victims are usually alerted to the ransomware with a digital ransom letter. For the May 2017 attacks, that letter can be seen below –
The version of ransomware in these attacks was a relatively new strain called WannaCry. Just like many modern versions of ransomware, if victims don’t pay up within a few hours or days, the ransom goes up.
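The behaviour described above, many files rewritten in a short burst and given a new extension, is something a defender can watch for. As an added example (not part of the original post), here is a small Python heuristic that flags a burst of files carrying an unfamiliar extension whose contents look encrypted, judged by byte entropy; the extension allowlist, the ".enc" suffix and the sample file events are all constructed for the demo.

```python
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass

KNOWN_EXTS = {"jpg", "png", "docx", "xlsx", "pdf", "txt", "mp4"}  # baseline allowlist (assumption)

@dataclass
class FileEvent:
    ts: float    # seconds since monitoring started
    path: str    # path of the file after the write or rename
    data: bytes  # file content after the write

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension(path: str) -> str:
    return os.path.splitext(path)[1].lstrip(".").lower()

def detect_mass_encryption(events, window=60.0, min_files=5, min_entropy=7.5):
    """Return (first_ts, ext, count) alerts: >= min_files files sharing an unknown
    extension and carrying encrypted-looking content, written within `window` s."""
    times_by_ext = {}
    for e in sorted(events, key=lambda e: e.ts):
        ext = extension(e.path)
        if ext not in KNOWN_EXTS and shannon_entropy(e.data) >= min_entropy:
            times_by_ext.setdefault(ext, []).append(e.ts)
    alerts = []
    for ext, times in times_by_ext.items():
        for start in range(len(times)):  # grow a time window from each start
            end = start
            while end + 1 < len(times) and times[end + 1] - times[start] <= window:
                end += 1
            if end - start + 1 >= min_files:
                alerts.append((times[start], ext, end - start + 1))
                break
    return alerts

def run_demo():
    """Constructed sample: 3 ordinary documents, then 6 files rewritten with
    pseudo-random bytes under a made-up '.enc' extension within 10 seconds."""
    text = b"Quarterly report: sales were up, costs were flat. " * 40
    events = [FileEvent(float(i), f"/share/doc{i}.txt", text) for i in range(3)]
    for i in range(6):
        blob = b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(64))
        events.append(FileEvent(100.0 + 2 * i, f"/share/photo{i}.jpg.enc", blob))
    return detect_mass_encryption(events)
```

Legitimate bulk compression or backup jobs can trip the same heuristic, so an alert is a trigger to investigate (and to confirm backups are intact), not proof of infection.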
How did the ransomware spread?
In many cases, victims are tricked into installing ransomware themselves, often by luring them into opening malicious email attachments.
However, ransomware can also spread by exploiting vulnerabilities in software, for example in Windows. This means little (or no) human intervention is needed for the malware to spread.
And this is what happened in the May 2017 attacks. In fact, the crooks had used a tool created by the NSA known as EternalBlue (which had been leaked online by a “hacker collective” known as The Shadow Brokers) that was designed to capitalise on a vulnerability in many Windows operating systems that would allow malware to spread from computer to computer inside a network.
In other words, the crooks had combined ransomware with a computer worm: software that spreads between computers on its own, in this case by exploiting a known software vulnerability.
Because the NSA tool was leaked online before it was used in this attack, Microsoft had already released a security update to stop it back in March 2017. However, many computer networks had not applied the security update. Or (which is the case with the NHS computers that were infected) many computers were still using Windows XP, an old operating system that would not get the security update because it is no longer supported.
After the attacks…
After the initial weekend, reports of fresh attacks have slowed down, but more computers are still being infected, so users need to follow the advice in the next few paragraphs as soon as possible…
What do I need to do?
This ransomware targeted business networks, but it can affect home users too, so everyone needs to be aware of this threat.
If you have Windows Update enabled to automatically apply updates, which should be the default setting, then you should already have the latest security updates installed.
If not (or if you’re unsure) then you need to get the latest security update as soon as possible, even if you have Windows XP! Yes, due to the seriousness of the incident, Microsoft have even released an update for XP users despite that operating system not getting any mainstream support for some time now.
Once you’re protected, remember how ransomware spreads. In this case, it was a software vulnerability, but malware traditionally spreads by tricking victims into installing it on their own computers. Don’t open attachments from unexpected emails or download files from untrusted websites, and remember to keep a separate back-up of all your important files so if you do get infected, you can retrieve your files without having to risk paying for a decryption key!