Hi All; Tom and Adam here.
We have been having a quick catch up this morning between ourselves and with some other leading security figures within the industry and have a quick update on the Ransomeware that has affected many companies over the weekend, most notably, including the NHS.
We personally saw a lot of point scoring in the news about this over the weekend, but not a lot of coverage on what the potential exploit was and how we could fix it if our companies were open to it.
Luckily, there is a quick solution!
Before we go into the technical details we want to ensure you have the knowledge to resolve the issue because it's simple. Simply make sure all your windows machines have the latest updates installed and all your 3rd party antivirus software is up to date! If you are unsure how to resolve this issue, please don't hesitate to get in contact with us.
That's the fix, but what is Ransomeware?
Simply put, "Ransomeware" is a small computer program that locks users out of their devices and encrypts their data.
Great! The worst has happened. What can I do?
Being brutally honest, there isn't a lot. A file or virtual machine based backup solution would go some way to helping you recover, not only your data but, your full IT systems in the event of the worst happening.
The Tech stuff:
The ransomware attack, called Wana Decrypt0r 2.0, locks users out of their devices and data, encrypting all data and demanding a ransom for the decryption key via the Tor Network. This malware is allegedly utilising the ‘EternalBlue’ exploit discovered by the NSA which has recently been leaked by a group of hackers known as ‘The Shadow Brokers’. This malware appears to take advantage of the SMB (Server Message Block) protocol which is utilised heavily within the Microsoft operating system with an exploit to gain remote system access. The malware isn’t currently known to be distributed via email, however this is a very likely candidate for further exposure and spread of the malware. With this in mind, please apply extreme caution when opening any email attachments.
The application requires the older version 1 of the SMB protocol for the exploit to work however this is still present in all windows versions. A patch was released for Windows 2008r2 and above (Windows 2012,2012r2 and 2016) in March and will have been applied to your server if you have automatic updates enabled. However, Windows 2008 and windows 2003/2003r2 operating systems are vulnerable to this attack. The Operating system is ‘out of life’ and operating predecessors have already had patched that deny the vulnerability. Good news! Microsoft has jumped in and released a patch specific for those operating systems that could be potentially affected.
In short, if you are unsure about anything, please ask! This can bring massive organisations like the NHS to their knees. Don't chance it destroying your businesses data!
