SMEs are being urged to update their operating systems and review their data back-up policies, with warnings an unprecedented ransomware attack affecting tens of thousands of organisations around the world could hurt Australian businesses this week.
The malware, known as WannaCry or WannaCrypt, first reared its head on Friday afternoon, and The Guardian reports it quickly spread across the UK and Europe.
The ransomware spreads through an exploit that was discovered by the US National Security Agency and exposed earlier this year, and it can affect all unpatched versions of the Windows operating system older than Windows 10.
When a device is infected, the software encrypts all files on the computer, stopping users from being able to open them. The malware then demands a payment of US$300 ($406) in digital currency Bitcoin to unlock the files, threatening to double the required payment every three days if the ransom goes unpaid, before threatening to destroy the files a week later.
While many common ransomware attacks are spread via malicious emails or phishing attacks, the WannaCry attack was able to spread so quickly because the infection used an exploit within the Windows system itself.
Cyber security expert and Microsoft regional director Troy Hunt tells SmartCompany this morning the vulnerability exists within computers’ Server Message Block (SMB) protocol.
This is a function that allows computers to share files and communicate over the internet. By infecting one computer and exploiting the protocol, the ransomware was then able to spread exponentially within organisations where computers are highly connected, like the UK’s National Health Service, which was disrupted over the weekend.
“The SMB protocol essentially allows you to run remote commands on another machine, so all the hackers needed was one computer with this exploit to get in,” Hunt says.
Hunt speculates the ransomware could have originated from a phishing email, saying most organisations’ computers are behind firewalls, which would prevent any external hacking attempts.
“That could have been the ingress point, and once it’s there it can knock on the door of every computer it can find, and then it becomes a self-propagating worm,” he says.
Businesses should update systems immediately
When the NSA uncovered the exploit earlier this year, Microsoft was able to prepare patches, which disabled the exploit.
Hunt says these patches were released in March and believes it’s “beyond comprehension” why organisations such as the NHS had not updated their systems.
“This malware is targeting a vulnerability patched two months ago, so for businesses keeping their systems updated, this is a non-event,” he says.
“It’s amazing we’re seeing this problem at all, organisations have had a two month lead time to patch this exploit.”
While a number of the exploits have occurred on 16-year-old operating system Windows XP, Hunt warns this attack can be executed on any Windows system that is not the latest version, Windows 10. Since the attack, Microsoft has directly released a number of patches for older versions of Windows, which address the exploit.
Though Australian businesses were blessed in the sense the attack was launched after business hours and on the weekend our time, Hunt believes there’s no reason why Australian businesses wouldn’t be affected by the still-spreading virus and says updating your system is absolutely critical.
Cyber Security Minister Dan Tehan told The ABC there had been three confirmed cases of Australian businesses being affected by the WannaCry attack.
“What we are seeing is the exact same features that have occurred overseas: a freezing of their IT systems and a ransomware note,” he told the ABC.
“At this stage, it does seem like that we have missed the major impact of this ransomware incident.”
Regular backups can help defend against ransomware
Hunt also recommends businesses employ a strict back-up policy to minimise the impact of attacks like this one.
“The whole idea of ransomware is for it to get its hands on every file it can find and encrypt it, so if you can just wipe your machine and restore from a backup, then it’s not an issue,” he says.
“It’s not fun, but there’s a big difference between some downtime and a loss of work.”
Although businesses may believe they have secure backups, Hunt advises SME owners to check the frequency and reliability of these, and suggests businesses do a test run to ensure things run smoothly.
“Think of the last time you tried to restore from those backups, and do you have a copy in another location?” he says.
“For businesses it’s best to have things back up to the cloud, as it makes a really big difference if you get ransomware like this.”