By now you have certainly heard about the WannaCry ransomware attack. Nearly every news site is reporting on it and providing ongoing updates. The attack, which started on Friday, May 12, quickly spread to become the largest worldwide cyberextortion scheme in history. To date it has hit over 300,000 computers in at least 150 countries. High-profile organizations across numerous industries have been impacted, including the UK National Health Service, FedEx, the Russian Central Bank, Telefonica, Deutsche Bahn, Hitachi, and Renault, to name just a few. The impacted organizations were at risk of being locked out of their systems and losing sensitive data.
How did WannaCry infect users?
It appears that WannaCry spreads using an implementation of the infamous EternalBlue exploit, developed by the U.S. National Security Agency and leaked by the Shadow Brokers hacker group last month. EternalBlue targets a vulnerability (CVE-2017-0144) in Microsoft's implementation of version 1 of the Server Message Block (SMBv1) protocol. The exploit installs the DoublePulsar kernel-mode backdoor, which is then used to load the ransomware onto the compromised Windows host.
Once it infects a computer, WannaCry encrypts files and locks the user out. It then demands a payment of $300 in Bitcoin, a pseudonymous (not untraceable) digital currency, to unlock the files. The ransom note threatens that the price will double if payment is not made within 72 hours, and that after a few additional days the files will become unrecoverable.
Microsoft issued security bulletin MS17-010 in March 2017 with the Windows patch that fixes the SMBv1 vulnerability. WannaCry hit organizations that had not installed this critical patch. The worm component needs no user interaction: once one machine on a network is infected, it scans for other hosts exposing SMB (TCP port 445) and compromises every unpatched one it finds. How the first machine in each organization was infected had not been confirmed at the time of writing; a weaponized email attachment or a link to a malicious website is the usual way such a payload first lands on an endpoint, and without the patch a single such click is enough to seed the whole network.
There may not be a kill switch next time
The WannaCry attack is now winding down, but there is still much to worry about. Additional ransomware waves, worse than WannaCry, are likely, initiated by attackers encouraged by WannaCry's success. WannaCry contained a kill switch: before encrypting, each infection tried to resolve a hard-coded, unregistered domain name and exited quietly if the lookup succeeded. A fast-thinking researcher in the UK, known as MalwareTech, registered that domain and pointed it at a sinkhole, which stopped new infections from detonating on every host that could resolve public DNS and thereby slowed the attack. It is not clear why the attackers included the kill switch; it may have been intended as an anti-sandbox check (sandboxes often answer every DNS query) that happened to double as an off switch, or the attackers may have feared losing control of the outbreak. Future attacks may be more sophisticated and are unlikely to include a kill switch, enabling them to spread faster and farther.
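To make the kill-switch mechanism concrete, here is an added example, not code from the original post or from Fireglass, that simulates the decision a WannaCry-style sample makes before encrypting and what changed once the domain was sinkholed. The domain name, host names and fleet are constructed placeholders (the real sample's domain is deliberately not reproduced). The example also models the caveat a defender should keep in mind: a host whose DNS lookup fails for any reason, for example because it has no direct route to public DNS, sees exactly the same answer as "unregistered" and encrypts anyway, so the sinkhole was never a substitute for the patch.

```python
"""Simulation of a WannaCry-style DNS kill switch and of the sinkhole that defeated it.

Added example, not code from the original post or from Fireglass. The domain
below is a constructed placeholder for the hard-coded, unregistered domain the
real sample queried; the malware's logic is reduced to the decision described
in the text: lookup succeeds -> exit quietly, lookup fails -> encrypt.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Constructed placeholder; NOT the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

# A resolver answers "does this name resolve?", so the DNS view can be swapped.
Resolver = Callable[[str], bool]


def should_detonate(resolve: Resolver, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The kill-switch check, inverted from what one might expect: if the domain
    RESOLVES the malware exits without encrypting; only a FAILED lookup lets it
    proceed. Sandboxes commonly answer every DNS query, so this doubles as an
    anti-analysis check. Registering the domain therefore switched the payload off."""
    return not resolve(domain)


@dataclass(frozen=True)
class Host:
    name: str
    direct_dns: bool  # can this host resolve public DNS names itself?


def resolver_for(host: Host, registered: set[str]) -> Resolver:
    """Build the DNS view a given host sees. `registered` stands in for the
    public DNS zone: empty before the sinkhole, containing the kill-switch
    domain after it was registered."""
    def resolve(hostname: str) -> bool:
        if not host.direct_dns:
            # No route to public DNS (isolated segment, proxy-only egress):
            # the lookup fails, which is indistinguishable from "unregistered".
            return False
        return hostname.lower().rstrip(".") in registered
    return resolve


def encrypted_hosts(hosts: list[Host], registered: set[str]) -> list[str]:
    """Names of the hosts that would go on to encrypt files."""
    return [h.name for h in hosts if should_detonate(resolver_for(h, registered))]


# Constructed sample fleet: two ordinary workstations plus one host with no
# direct DNS egress.
SAMPLE_FLEET = [
    Host("ws01", direct_dns=True),
    Host("ws02", direct_dns=True),
    Host("lab-isolated", direct_dns=False),
]

if __name__ == "__main__":
    print("before sinkhole:", encrypted_hosts(SAMPLE_FLEET, set()))
    print("after sinkhole: ", encrypted_hosts(SAMPLE_FLEET, {KILL_SWITCH_DOMAIN}))
```

The resolver is injected rather than calling the real DNS so the same decision logic can be exercised offline against a "before registration" and an "after registration" view of the zone. Running the block shows all three hosts encrypting before the sinkhole and only `lab-isolated` encrypting after it, which is the point: a kill switch is an accident of the malware's design, not a control you can rely on.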
Now is the time to prepare for the next attack wave. Today most enterprises rely on backups, security patches, firewalls, and web gateways to protect their data, but these methods are not foolproof: patches lag behind exploits, gateways depend on recognizing content that is already known to be malicious, and backups restore data only after the damage is done. Attackers continue to up their game, making traditional approaches ineffective.
Fireglass keeps web-delivered ransomware off the endpoint
As the Gartner report "It's Time to Isolate Your Users from the Internet Cesspool with Remote Browsing" highlights, isolation is one of the most significant ways enterprises can eliminate web-borne threats.
Unlike traditional security solutions, Fireglass assumes that all web and email traffic is potentially malicious. The Fireglass True Isolation™ platform executes and renders every web session in a secure remote environment and sends only a safe visual stream to the user's browser. Because a page's active content never executes on the endpoint, web-delivered malware, phishing pages, and malicious websites cannot reach it, whether or not the payload has been seen before. Isolation covers the browser and email delivery vectors; it does not replace patching, since a worm that is already inside the network, like WannaCry, spreads from host to host over SMB without ever touching a browser.
You can read more about the dangers of ransomware in our blog posts on how ransomware avoids detection and on the devastating impact ransomware can have on enterprises that hold sensitive customer data, such as healthcare providers.