13 May, 2017

Cyphra have issued the following information to help any organisations concerned about the current global ransomware attack that has impacted the NHS in England and Scotland.

IS MY BUSINESS AT RISK?

  • This attack is affecting organisations across multiple sectors nationally and internationally, so ALL businesses should take steps to ensure that they are addressing this threat.

WHAT HAPPENS?

  • The attack uses a known Microsoft vulnerability (MS17-010) to infect vulnerable systems and then can spread across other vulnerable devices within the internal network to which the infected device is connected.
  • The malware is known as WanaCrypt0r 2.0 (previously versions were known as WCry and WannaCry).
  • Infected systems are encrypted and a ransom payment is then demanded in Bitcoins. The reported values are $300 per infected machine.

HOW CAN I PROTECT MY BUSINESS?

  • Ensure that all Microsoft systems are fully patched but in particular focus on patch MS17-010. Additionally, special patches have been produced for Windows 2003 and Windows XP. (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598)
  • Block access to protocols such as RDP and SMB on all internet facing computers.
  • Disable outdated protocols on your internal network if possible including SMBv1.
  • Isolate unsupported systems if possible.
  • Ensure that key information is fully backed up.
  • Put a plan in place on how you will deal with an incident if it occurs.


HOW DO I DETECT AN INCIDENT?

  • If a device has been encrypted a screen will display a message requesting a ransom is paid in bitcoins.
  • It is strongly advised that you do not pay the ransom!
  • If you suspect a machine to be infected then remove it from the network immediately to prevent further infection.
  • Check firewall logs for outbound connections to dist.torproject.org
  • Intrusion detection rules can be used to detect this activity.
  • Technical staff can review more detailed information at the following link Talos Intelligence.


WHAT ELSE CAN I DO?

  • Report any incident to NCSC or in Northern Ireland you can contact the PSNI Cybercrime team.
  • Join the Cyber information Sharing Partnership (www.cisp.org.uk) to get access to industry and NCSC information.
  • Cyphra customers requiring any advice or support should contact your normal incident response line. If you are not a Cyphra customer send an email to info@cyphra.com and we will get back to you as soon as possible.