Last Friday, May 13, news broke of an ongoing, global ransomware attack against more than 230,000 Windows computers in 150 countries, notably disrupting services at the National Health Service (NHS) in the UK. The WannaCry ransomware (also known as WannaCrypt or WannaCryptOr) encrypts files on the PCs it infects, effectively locking up the machine and making it unusable. Cybercriminals demand a ransom be paid in Bitcoin in exchange for decryption. The attack has been described by Europol as “unprecedented” in scale.
Like other ransomware, the WannaCry malware initially spread via phishing emails and downloadable executables from malicious sites. However, unlike previous attacks, this ransomware is designed to aggressively rampage through both local networks and the internet using a worming behavior that makes use of the EternalBlue exploit allegedly developed by the U.S. National Security Agency (NSA) and leaked online by cybercriminal syndicate The Shadow Brokers. This causes the malware to spread like a worm through a network with unpatched Microsoft Windows machines.
WannaCry is not a zero-day event. Microsoft issued a critical patch on March 14, 2017, yet many IT organizations have not updated their vulnerable systems. Organizations running old and unsupported operating systems are especially at risk. The MS17-010 vulnerability affects virtually all versions of the Windows operating system, including unsupported versions such as Windows XP, Windows Vista and Windows Server 2003.
The scope of the attack is so large due in part to the large number of vulnerable Windows PCs. And because the WannaCry ransomware can spread without user intervention, it is especially virulent. Once the malware makes it into the local network, it doesn’t require any further human intervention to locate and exploit vulnerable machines. The unique combination of aggressive worming behavior with data-encrypting ransomware makes this outbreak destructive on an unprecedented scale.
The WannaCry attack began on May 12, 2017. Researchers believe the initial infection may have been released either through compromised network defenses or a spear phishing attack. The malware first encrypts the infected computer’s data, then tries to spread to other networked computers, both on the local network and the internet at large. WannaCry demands a Bitcoin payment of several hundred dollars to decrypt the infected computer. So far, reports of infections range in the hundreds of thousands, but the estimated haul by the cybercriminals behind the ransomware is less than $100,000 USD.
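The worm-like spread described above has a simple network signature a defender can look for: one internal host opening SMB (TCP 445) connections to many distinct peers in a short time, which no ordinary workstation does. The following PowerShell is an added example for this post, not Untangle's code or a product feature. It assumes the Windows Firewall log layout (pfirewall.log fields: date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...), and the window size, threshold and sample log lines are all constructed assumptions for illustration.

```powershell
# Added example (not from the original post or from Untangle): flag internal
# hosts whose SMB fan-out looks like worm propagation rather than normal file
# sharing. Input lines follow the Windows Firewall log field order (assumed):
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,   # assumption: sliding window length
        [int]$Threshold     = 10    # assumption: distinct 445 targets per window that trip an alert
    )

    # Parse only TCP/445 events; skip the '#Fields:' header and blank lines.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }

    $alerts = @()
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window starting at each event; alert on the first window
        # whose distinct destination count reaches the threshold.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $targets = @($sorted |
                Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Source          = $group.Name
                    WindowStart     = $start
                    DistinctTargets = $targets.Count
                }
                break
            }
        }
    }
    return $alerts
}

# Constructed sample log: 10.0.0.5 is a normal client talking to one file
# server; 10.0.0.15 sweeps twelve neighbours on port 445 within 30 seconds.
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags',
    '2017-05-12 14:03:01 ALLOW TCP 10.0.0.5 10.0.0.50 49211 445 52 S',
    '2017-05-12 14:03:40 ALLOW TCP 10.0.0.5 10.0.0.50 49212 445 52 S'
)
foreach ($n in 0..11) {
    $sampleLog += ('2017-05-12 14:05:{0:D2} ALLOW TCP 10.0.0.15 10.0.0.{1} {2} 445 52 S' -f ($n * 2), (20 + $n), (50000 + $n))
}

# Expected: one alert for 10.0.0.15 (12 distinct targets); 10.0.0.5 is not flagged.
Find-SmbFanOut -Lines $sampleLog | Format-Table -AutoSize
```

To run this against a real host, replace `$sampleLog` with `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log` (firewall logging must be enabled first). A file server that legitimately talks to many clients will appear as a destination, not a source, so it does not trip the check; a backup or inventory server that initiates SMB to many hosts should be added to an allow-list before the threshold is lowered.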
Untangle has integrated its cloud threat intelligence, ScoutIQ, into its NG Firewall solution. ScoutIQ identifies new and emerging attacks seen in the wild and acts as a second layer of protection to Virus Blocker, NG Firewall’s antivirus application, and Web Filter, NG Firewall’s URL categorization and anti-malware distribution solution. All customers with a subscription to NG Firewall Complete are protected.
“ScoutIQ has identified and blocked over 20,000 instances of WannaCry out in the wild,” said Timur Kovalev, chief technology officer at Untangle. “We’ve seen attack attempts across both emails and malware distribution sites.”
Customers using Virus Blocker Lite do not have the benefit of ScoutIQ, and are reliant on community-contributed antivirus signatures. Customers using Web Monitor will have visibility into attempts to contact malware distribution sites, but will not be able to block those attempts. We suggest that all customers consider upgrading to the Complete package to ensure timely, ongoing protection not only from future variants of this ransomware, but from all malware.
It’s an IT best practice to keep operating systems patched and up-to-date. However, that can be challenging in many organizations. Here are some tips for keeping your organization safe.
Patch all Windows machines. If this isn’t possible, disable the Server Message Block service.
Back up all data to offline hard drives locally, and to a trusted cloud service or data center remotely. WannaCry will attack any networked drives.
In addition to using Untangle NG Firewall at the gateway, be sure to run antivirus software on every endpoint device (PC, laptop, tablet, phone). This will prevent non-networked attack vectors (like inserting an infected USB drive into a laptop).
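The three tips above are a procedure an administrator has to carry out on every Windows host. The PowerShell below is an added example for this post, not Untangle's code, and it applies the first tip in its narrower form: it checks whether the MS17-010 update is present, and where patching is not possible it disables only SMBv1 (the protocol version EternalBlue targets) instead of the whole Server Message Block service, so ordinary file sharing over SMBv2/3 keeps working, and it blocks inbound TCP 445 on the Public firewall profile. The KB identifier list is a placeholder to be filled from the MS17-010 bulletin for each OS version; the script assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the `SmbShare`, `DISM` and `NetSecurity` cmdlets it uses exist.

```powershell
# Added example (not from the original post or from Untangle): audit one host
# for WannaCry exposure and apply the "patch, or else turn SMB off" advice.
# Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

# PLACEHOLDER: fill in the KB number(s) that deliver MS17-010 for this OS
# version (they differ per Windows release); the check is meaningless until then.
$Ms17010Kbs = @('KB-PLACEHOLDER')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Status {
    # Report whether the SMBv1 server protocol is still enabled on this host.
    $cfg = Get-SmbServerConfiguration
    return [pscustomobject]@{
        Smb1Enabled = $cfg.EnableSMB1Protocol
        Smb2Enabled = $cfg.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    # Turn SMBv1 off on the server side, then remove the optional feature so
    # the client side is gone too. A reboot finishes the feature removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

function Block-PublicSmb {
    # Drop inbound SMB whenever the adapter is on the Public profile (coffee
    # shop, hotel, unknown LAN), which is where a laptop meets hostile peers.
    $name = 'Block inbound SMB (TCP 445) on Public networks'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

# --- audit ---------------------------------------------------------------
$patched = Test-Ms17010Installed -KbIds $Ms17010Kbs
$smb     = Get-Smb1Status
Write-Host "MS17-010 installed : $patched"
Write-Host "SMBv1 enabled      : $($smb.Smb1Enabled)"
Write-Host "SMBv2 enabled      : $($smb.Smb2Enabled)"

# --- harden --------------------------------------------------------------
# Patching is the real fix; disabling SMBv1 removes the exploited protocol on
# hosts that cannot be patched yet, and is good hygiene on patched hosts too.
if (-not $patched) { Write-Warning 'MS17-010 not found: install the update as soon as possible.' }
if ($smb.Smb1Enabled) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot to complete feature removal.'
}
Block-PublicSmb
```

On Windows Server the optional-feature call is replaced by `Remove-WindowsFeature FS-SMB1`; on Windows 7 / Server 2008 R2 the `SmbShare` cmdlets are absent and SMBv1 is disabled through the registry instead, so the script as written does not run there. Keep the offline-backup tip above in mind when scheduling the reboot: a host that is still encrypting files should be isolated, not rebooted, until its disks have been imaged.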
Untangle is an innovator in cybersecurity designed specifically for the below-enterprise market, safeguarding businesses, home offices, nonprofits, schools and governmental organizations. Untangle’s integrated suite of software and appliances provides enterprise-grade capabilities and consumer-oriented simplicity to organizations with limited IT resources. Untangle’s award-winning network security solutions are trusted by over 40,000 customers around the world. Untangle is headquartered in San Jose, California. For more information, visit www.untangle.com.
For sales information, please contact us by phone in the US at +1 (866) 233-2296 or via e-mail at [email protected]