The WannaCry ransomware outbreak started just before 9am on Friday, the 12th of May 2017. By the end of the day, it reached over 150 countries, infected over 200,000 computers and affected organisations such as the NHS, Telefónica, Renault and the Russian Ministry of Interior.
For the NHS, the effect was immediate – patients turned away from surgeries, emergency cases diverted and procedures cancelled.
This was the largest ransomware attack in internet history and could have been far worse, were it not for a British security researcher who found the ‘kill-switch’ and registered the domain needed to stop the spread.
WannaCry propagated so rapidly because it used the "EternalBlue" exploit in Microsoft SMB (Server Message Block). Most ransomware infections we see are the result of an individual phishing attack, but the use of this exploit allowed greater reach, both within corporate networks and across the internet.
EternalBlue is believed to have been developed by the NSA and was leaked by the hacking group The Shadow Brokers in April this year. Microsoft released a security update which resolved the issue, but organisations that were not up to date with their patching, or were using operating systems beyond end-of-life (such as Windows XP or Server 2003), remained vulnerable.
From the server room to the Boardroom
In the last two weeks, we have seen "ransomware" move from the domain of IT and security professionals to the Boardroom, the newsroom and Parliament.
WannaCry may have brought ransomware into the public consciousness, but it is important to put it into perspective. In fact, in the week following the outbreak, we at Databarracks carried out more restores of data for other strains of ransomware than for WannaCry.
The advice to protect against WannaCry was, and is, simple: "keep up to date with security patching". Thankfully, none of our legal customers were affected. It is, however, vital that firms are protected from the wide range of other types of ransomware too.
Even with the most up-to-date anti-spam and detection products, it is impossible to protect against targeted phishing attacks. Our recommendation is therefore to not only improve defences, but also plan your response to infection.
The basic advice to "patch" and "backup" has been featured on rolling 24-hour news channels and in the tabloids. We would certainly endorse those recommendations, but recovering from a major cyber incident is demanding and stressful, and there are some fundamental strategies that can be employed to make that process easier.
We have created The Ransomware Recovery Guide, which details how to devise an incident response plan and provides guidance on how to specifically design your backup and disaster recovery strategy to limit downtime and minimise data loss. You can download the guide here.