I Cry, You Cry, We all Cry

Over the past few days, we — like most of the internet — have become aware of media reports about WannaCry/WCRY ransomware, an unprecedented surge in ransomware infections affecting many organisations and individual users globally. A number of customers have contacted us today to seek clarity around how this ransomware may affect their business.

At Real World, we value clear, transparent communication about issues and updates that might affect our customers and their business. We ask that you please consider this email in full, as it contains important information to protect your company, your staff, and your customers in light of these recent developments.

The ransomware consists of two main parts: 1) a virus which infects a computer via an email attachment or download and 2) a malware which causes the infected computer to infect other computers on the network. Once a computer is infected, the ransomware encrypts all the data on the computer system and requests a payment to unlock the “decryption key”.

Microsoft has released a patch to stop the spread of the malware from machine to machine once you are infected. Computers that automatically install Windows Updates will have already been updated to stop the spread of the malware component.

Even with the updates installed, it may still be possible for a computer to be infected and have its data encrypted. While up-to-date anti-virus software will detect the current variations of the malware, new strains of the ransomware may avoid detection until anti-virus vendors have an opportunity to update their detection software.

It’s very important that customers continue to be diligent with their email, and do not open malicious attachments. Late last year we published this article that talks about how to spot a malicious email. If you haven’t read it recently, now is a great time to revisit our advice to help protect your data.

It’s also true that sometimes Windows Updates fail to install on a computer system, even when they are correctly configured and enabled. As a result, Real World has pushed the updated patch from Microsoft to all managed customer machines, regardless of whether this has been previously installed or not.

What is the issue?

Prior to this most ransomware in Australia was distributed by (i) spam, (ii) on the web using exploit kits or (iii) by RDP brute force. The latest outbreak of WannaCry would initially get into an organisation using a phishing email, and then spread through an organisation in a worm-like way using a vulnerability in Windows (recently disclosed Microsoft vulnerability (MS17–010 — “EternalBlue”) associated with the Shadow Brokers tools release). This significantly amplified the damage caused by the ransomware.

What do you need to do?

We encourage all of our customers to take this opportunity to review the settings of their systems to ensure that they have adequately protected themselves. The starting point is to ensure that you have, Windows Update enabled, you have current anti-virus and anti-malware software installed, and you have a data backup plan in place If you are unsure about any of these items, please contact our helpdesk team who can assist you with all of these items. While there are many good anti-virus and anti-malware solutions, Real World recommends BitDefender or Trend Micro anti-virus software. Real World provides off-site backup services using Veeam Backup and Recovery, coupled with Veeam Cloud Connect.

Additional Information:

We will continue to update this section as more information and variants come to light.

A fact sheet: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Deep technical analysis: https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58

Details from Microsoft about the malware, and links to the Windows XP, 2003 and Windows 8 patches: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Information on new variants detected so far: https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

What an infected machine looks like: http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/05/RANSOM_WANA_A1.jpg

The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattacks: https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000zgxap0n8hfhcwx02geq9bfbyz

A summary of the ransomware’s exploitations from Wired: https://www.wired.com/2017/05/ransomware-meltdown-experts-warned

If you have any questions on how to protect your organisation against Ransomware, please contact us on: 1300 798 718.