Following Friday’s global cyber attack, which caused the shutdown of IT infrastructure and computer systems worldwide, the National Cyber Security Centre (NCSC) has published guidance on how to protect IT systems from the WannaCry ransomware.
150 countries have been attacked with the WannaCry ransomware since Friday affecting some 200,000 computers.
The ransomware took control of users’ files and demanded $300 (£230) payments to restore access. The demand doubles to $600 if not paid within three days, after which time, according to the attackers, the files are deleted.
Investigations and analysis performed to date show that the malware encrypts files and presents the user with a prompt that includes a ransom demand, a countdown timer and a bitcoin wallet into which to pay the ransom.
The malware exploits the SMBv1 vulnerability addressed by Microsoft security bulletin MS17-010 to propagate through a network. This enables it to infect additional devices connected to the same network.
Advice for Home Users
Home users and small businesses can take the following steps to protect themselves:
- Run Windows Update
- Make sure your antivirus product is up to date and run a scan – if you don’t have one then install one of the free trial versions from a reputable vendor
- If you have not done so before, this is a good time to think about backing important data up – you can’t be held to ransom if you’ve got the data somewhere else. We recommend that you don’t store backups on the same computer, or any other device within your home network. Home users should consider using cloud services to back up their important files. Many service providers (for example, email providers) offer a small amount of cloud storage space for free
The NCSC advises that the following steps be performed in order to contain the propagation of this malware:
- Deploy patch MS17-010:
  - A new patch has been made available for legacy platforms, and is available here:
  - If it is not possible to apply this patch, disable SMBv1. There is guidance here:
  - and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.
Work done in the security research community has prevented a number of potential compromises. To benefit:
- Ensure that your systems can resolve and connect on TCP 80 to the domains below.
Unlike with most malware infections, your IT department should not block these domains. Note that the malware is not proxy aware, so a local DNS record may be required. This does not need to point to the internet; it can resolve to *any* accessible server that will accept connections on TCP 80.
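As an added example (not part of the NCSC advisory), the following PowerShell script checks, and with -Enforce applies, the containment steps above on a single Windows host. It assumes an elevated session on Windows 8 / Server 2012 or later, and that you replace the two placeholders with the MS17-010 KB identifier for your OS build and the kill-switch domain names from the advisory.

```powershell
# Added example, not part of the NCSC advisory: check (and with -Enforce, apply) the
# containment steps on one Windows host. $Ms17010Kbs and $KillSwitchDomains are
# placeholders: supply the MS17-010 KB id for your build and the advisory's domains.
param(
    [string[]]$Ms17010Kbs        = @('KB-PLACEHOLDER-FOR-YOUR-BUILD'),
    [string[]]$KillSwitchDomains = @('killswitch-domain.example'),
    [switch]$Enforce
)

# 1. Is the MS17-010 fix installed? (Get-HotFix lists installed updates by KB id.)
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $Ms17010Kbs }
if ($installed) { Write-Output "MS17-010: installed ($($installed.HotFixID -join ', '))" }
else            { Write-Warning 'MS17-010: no matching KB found; patch, or disable SMBv1 below' }

# 2. SMBv1 server status. Disabling it removes the propagation path even if unpatched.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output "SMBv1 server enabled: $smb1"
if ($smb1 -and $Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Windows 10 / Server 2016 also ship SMBv1 as an optional feature; remove that too.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Output 'SMBv1 disabled; reboot for the change to take full effect'
}

# 3. Block the SMB ports the advisory lists on the host firewall. This also blocks
#    legitimate inbound file sharing to this host, so scope -Profile to your needs.
if ($Enforce) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB UDP 137,138' -Direction Inbound `
        -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound SMB TCP 139,445' -Direction Inbound `
        -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
}

# 4. Kill-switch: each domain must resolve and accept a plain TCP 80 connection, because
#    the malware ignores the system proxy. A local DNS record to any reachable listener works.
foreach ($d in $KillSwitchDomains) {
    $resolves = [bool](Resolve-DnsName -Name $d -ErrorAction SilentlyContinue)
    $connects = $false
    if ($resolves) {
        $connects = Test-NetConnection -ComputerName $d -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    Write-Output ("Kill-switch {0}: resolves={1} tcp80={2}" -f $d, $resolves, $connects)
    if (-not ($resolves -and $connects)) {
        Write-Warning "Add a local DNS record for $d pointing at any server that accepts TCP 80"
    }
}
```

Run it once without -Enforce to see the host's current state, then with -Enforce on hosts where the patch cannot be applied.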
Antivirus vendors are increasingly able to detect and remediate this malware, so updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).
How to Report a Security Incident
The NCSC defines a cyber security incident as:
- A breach of a system’s security policy in order to affect its integrity or availability
- The unauthorised access or attempted access to a system
How to report a security incident if you become a victim of a cyber attack