Ransomware (WCry) outbreak | KPMG | BE

Ransomware (WCry) outbreak

A ransomware outbreak, WCry, has been spreading around the globe. Even days after the attack the threat is still real. What can you do?

Director, Technology Advisory

KPMG in Belgium


The threat is still real even several days after the initial WCry attack launched on Friday afternoon (12 May). Systems are still vulnerable, "mutations" of the initial virus are appearing, and organizations need to be active and raise awareness to prevent further infections.

WCry Ransomware

There has been an outbreak of the ransomware WCry, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, which is spreading globally. The ransomware does the following:

  • Locks all the data on a computer system;
  • Provides instructions on what to do next, which include a ransom demand (typically US$300 in bitcoins);
  • Requires the ransom to be paid within a defined period of time, otherwise the demand increases, leading to complete destruction of data;
  • Carries out the encryption with RSA-2048, which makes decryption of the data extremely difficult (next to impossible).

How is it spreading?

Like most ransomware attacks, this one is coming through email attachments. Initial assessments indicate that, once a machine is infected, the ransomware spreads through a remote code execution vulnerability in Microsoft Windows computers: MS17-010.

The vulnerability MS17-010 is also known as ETERNALBLUE, for which a patch is available.

Immediate measures

The following immediate measures should be taken:

 

  • Advise users to handle emails from unknown sources with care, and not to click on links or download attachments in suspicious emails from unknown sources;
  • Patch Windows machines (MS17-010) or isolate systems that cannot be patched to make sure there is no exposure to the threat at hand;
  • Update anti-virus software with the signatures related to the attack;
  • Monitor your network, systems, media and logs using the IOCs (Indicators Of Compromise) related to this attack.
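
The "patch or isolate" measure from the list above, as an added example that is not part of the original advisory: it sorts a fleet inventory into hosts that already carry an MS17-010 update, hosts to patch, and hosts to isolate. The update IDs, column names and host names are constructed placeholders; substitute the KB numbers Microsoft publishes for MS17-010 (and any rollups that supersede them) for each Windows version you run.

```python
import csv
import io

# Placeholder update IDs (constructed, NOT real KB numbers). Replace with the
# IDs from Microsoft's MS17-010 bulletin, including superseding rollups.
MS17_010_UPDATES = {"KB0000001", "KB0000002"}

# Constructed sample inventory: one row per host/update pair, e.g. collected
# from each machine's installed-update list. Column names are assumptions.
SAMPLE_INVENTORY = """host,os,patchable,hotfix_id
ws-001,Windows 7,yes,KB0000001
ws-001,Windows 7,yes,KB0000042
ws-002,Windows 7,yes,KB0000042
mri-01,Windows XP Embedded,no,
srv-01,Windows Server 2012 R2,yes,kb0000002
"""


def triage(inventory_csv, fix_ids=MS17_010_UPDATES):
    """Return {host: action}, where action is 'ok', 'patch' or 'isolate'."""
    wanted = {k.upper() for k in fix_ids}
    hosts = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        state = hosts.setdefault(row["host"], {"patchable": True, "fixed": False})
        # A host flagged unpatchable in any row stays unpatchable.
        if (row["patchable"] or "").strip().lower() != "yes":
            state["patchable"] = False
        # Update IDs are compared case-insensitively; empty means none listed.
        if (row["hotfix_id"] or "").strip().upper() in wanted:
            state["fixed"] = True

    actions = {}
    for name, state in hosts.items():
        if state["fixed"]:
            actions[name] = "ok"        # an MS17-010 update is installed
        elif state["patchable"]:
            actions[name] = "patch"     # vulnerable, update can be deployed
        else:
            actions[name] = "isolate"   # vulnerable, cannot be patched
    return actions


if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {action}")
```

A host with no matching update ID is treated as vulnerable, so an incomplete ID list produces extra "patch" results, never a false "ok".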

Prevention of and response to future attacks

As with other cyber threats and incidents, the "people, process, technology" approach is very important both in preventing this from happening at your organisation and in responding to it if it should happen. The following should be considered:

 

  • Raise user awareness to (further) educate employees in light of the increased threats;
  • Maintain up-to-date backups of files, regularly verify that the backups can be restored, and make sure that backups are safeguarded from the attack;
  • Develop a cyber response organizational structure including a response plan for different types of incidents to prepare your organisation for the inevitable;
  • Implement further technical protection measures against ransomware threats (e.g. sandboxing and behavioural analysis of unknown executables), next to traditional protection (e.g. anti-virus) to reduce the amount of undetectable malicious software.

 

Should you need any additional information or require assistance with the above, please reach out to KPMG; our team of cyber experts is ready to help.
