What a few weeks! WannaCry bringing the majority of the NHS in England to a standstill. One of the largest airlines coming to a standstill because of a “power failure”. America’s security agencies being blamed for the tools used by the attackers and, to add some extra mystery, commentators throwing North Korea and Russia into the mix. We at Morph don’t know who is to blame, but what we can do is help you understand what happened and how you can help prevent your school becoming a victim of this sort of attack.
Let’s take a closer look at the WannaCry issue:
Firstly, let’s cover the terms and names being thrown around the web, in no particular order:
- WannaCry – a ransomware cryptoworm: the nasty little piece of software that pulls together a selection of other tools and caused this massive issue.
- Kill Switch – a line of code that, if certain criteria are met, terminates the software before any major damage is done.
- Ransomware – software that holds important data hostage from the victim, normally demanding some form of payment to have the files released.
- Cryptoworm – software that “locks” the data on your computer with a secret key; without that key, decryption would take years, making the data very difficult to get back.
- BitCoin – (the chosen ransom currency) a digital currency that is not controlled by a single nation or body, which makes tracing payments to the end user even more difficult.
- Hacker – people who find weaknesses in computer software and use them to potentially exploit other people or organisations. To keep it simple, this can be broken down into two main groups:
  - White Hat Hackers (Ethical Hackers)
  - Black Hat Hackers – people who aim to exploit most weaknesses they find.
- EternalBlue – an exploit believed to have been used by the US National Security Agency (NSA).
- WikiLeaks – a website dedicated to releasing secret or classified information that it believes should be in the public domain.
- SMB – Server Message Block, a component of Microsoft operating systems that was exploited by EternalBlue.
- Security Patch – the term Microsoft uses for an update to parts of the operating system that it classes as security-related.
- The Shadow Brokers – an organisation that brought the issue to light.
- DoublePulsar – software used to install and execute WannaCry.
- Network Worm – WannaCry contains a transport component that scans a network (wired or wireless) for computers that aren’t patched against EternalBlue. This allows WannaCry to copy itself and spread throughout unpatched networks.
So how did this all happen?
It seems that click bait is the best place to look for how this started. In simple terms, sender X pretends to be someone you know or a service provider you might use, such as iTunes or your bank. They ask you to take a look at an account detail, or in the case of your “friend” it might be “check out this funny video”, by following a link, and as simply as that the hacker uses the tools above to infiltrate your computer.
In a large organisation such as the NHS it’s a good bet that if one computer isn’t patched, the rest of them aren’t either. Large organisations have patching policies that cover the organisation as a whole, so if your desktop wasn’t patched you could assume that all the other desktop PCs weren’t. (This is in simple terms.)
On the other hand, the NHS is broken into different trusts with different IT departments, so some of them were patching while others weren’t. The main question is why security patches weren’t being applied.
Why not just pay?
The common consensus about paying in these situations is that you won’t actually get your files back, and you are more than likely put on a list of people who pay, leaving you open to attack again.
How can we protect ourselves?
Ensuring you have a good security patching policy in place is key, along with a strong anti-virus and anti-malware solution that offers real-time scanning. A ban on personal email access and an extremely strict web filtering policy might help, but in a school, filtering too heavily sometimes gets in the way of teaching and resource preparation.
As a school you can take a combined approach, covering both the ICT policy and staff and pupil awareness:
- USB sticks could be restricted.
- Access to external email other than the school’s own provider can be locked down.
- Explain to users the dangers of visiting websites they don’t trust or know, even if those sites have made it past the school’s filtering.
- Take regular backups to ensure your core data is backed up in case a scenario like this occurs. Why lose all of your data when you could lose only a couple of hours’ worth?
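As an added example (not part of the original Morph post, and not a Morph tool), the PowerShell script below is a read-only audit a school IT team could run on a Windows desktop to check the controls discussed above: whether the legacy SMBv1 dialect that EternalBlue abuses is still enabled (the route the network worm component uses to spread), how long ago the machine last received a hotfix, and whether real-time anti-malware scanning is switched on. It assumes Windows 8.1/10 or Server 2012 or later (for `Get-SmbServerConfiguration`), Windows Defender as the anti-virus product (for `Get-MpComputerStatus`), and an elevated prompt; the `-MaxPatchAgeDays` threshold and the `-Remediate` switch are assumptions for this example, and the only change `-Remediate` makes is to disable SMBv1.

```powershell
# Added example, not from the original post: audit one Windows host against the
# three controls the post recommends (no SMBv1 exposure, current patching,
# real-time anti-malware). Assumes Windows 8.1/10 or Server 2012+, Windows
# Defender, and an elevated PowerShell session. -MaxPatchAgeDays and -Remediate
# are this example's own assumptions, not a Microsoft or Morph convention.
[CmdletBinding()]
param(
    [int]$MaxPatchAgeDays = 30,   # assumed policy threshold; align with your own patching policy
    [switch]$Remediate            # when set, disable SMBv1; nothing else is changed
)

$findings = @()

# 1. SMBv1: the legacy dialect EternalBlue targets. The WannaCry worm component
#    spreads to machines that still answer SMBv1 and lack the security patch.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 is ENABLED on this host."
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += "  -> SMBv1 has been disabled (a reboot may be needed to fully take effect)."
    }
} else {
    $findings += "SMBv1 is disabled."
}

# 2. Patching: when was the most recent hotfix installed? A long gap suggests
#    the patching policy is not reaching this machine. InstalledOn can be empty
#    for some entries, so those are filtered out before sorting.
$latest = Get-HotFix |
          Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending |
          Select-Object -First 1
if ($null -eq $latest) {
    $findings += "No installed hotfixes reported; check Windows Update status manually."
} else {
    $age = (Get-Date) - $latest.InstalledOn
    if ($age.Days -gt $MaxPatchAgeDays) {
        $findings += ("Last hotfix {0} was installed {1} days ago (policy threshold: {2} days)." -f
                      $latest.HotFixID, $age.Days, $MaxPatchAgeDays)
    } else {
        $findings += ("Patching looks current: {0} installed {1} days ago." -f
                      $latest.HotFixID, $age.Days)
    }
}

# 3. Real-time anti-malware scanning (Windows Defender). If the school uses a
#    different AV product, replace this block with that product's status query.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "Real-time protection is OFF."
    } else {
        $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        $findings += "Real-time protection is on; signatures updated $sigAge day(s) ago."
    }
} catch {
    $findings += "Could not query Windows Defender status: $($_.Exception.Message)"
}

# Print one line per finding so the output can be pasted into a ticket or
# collected centrally from each desktop.
$findings | ForEach-Object { Write-Output $_ }
```

Run it without switches first to see the findings; only add `-Remediate` once you have confirmed that nothing in the school still depends on SMBv1 (very old network-attached storage or printers sometimes do), because disabling it on a machine that serves such devices will break their file access. Backups, the fourth control in the list, are deliberately not checked here, as how to verify them depends entirely on the backup product in use.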