Over the weekend, the world has seen the largest cyber attack of its kind spread across more than 70 countries. The UK NHS was an early victim, as hospital systems were encrypted, reportedly causing shutdowns and delays in medical procedures. As the infection spread, numerous other organisations around the world also fell victim to the attack. We have not escaped unscathed, with reports of some businesses being affected.
The nature of the attack itself is not new. Ransomware spread by emails with malicious links or attachments has been increasing in recent years. This ransomware attack followed a relatively typical formula:
Typically these types of attacks do not involve the theft of information, but rather focus on generating cash by preventing critical business operations until the ransom is paid, or the system is rebuilt from unaffected backups.
Bitcoin is a form of digital currency and it is known for its anonymity. Access to digital currency may be a challenge for many people as there are limited suppliers of Bitcoin and some banks have been closing the accounts of digital currency providers.
The weekend attack involving ransomware known as ‘WCry’, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, spread rapidly, exploiting a weakness in unpatched versions of Microsoft Windows.
Like most ransomware attacks, this attack came through email attachments, and initial assessments indicate that, once a machine is infected, the ransomware spreads through a remote code execution vulnerability in Microsoft Windows computers: MS17-010.
The vulnerability MS17-010 is also known as ETERNALBLUE, and a patch for it is available for newer versions of the operating system. Considering the impact of the malware, Microsoft has also released patches for older operating systems, including Windows XP and 2003.
News reports indicated that some respite was provided by the registration of the domain name that the ransomware code checks before further spreading the infection (referred to in the media as a “kill switch”). Registration of the domain was initially reported to have stopped the spread of the attack. The respite was short-lived, however: a day later, new reports indicated that updated versions without the kill switch were up and running.
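Both behaviours described above, the kill-switch domain check and the spread through MS17-010 (a flaw in Windows SMBv1, reached over TCP port 445), leave traces in network logs that can be used to find machines to isolate. The following Python example is added here and is not part of the original advisory; the log format, the sample records, the placeholder domain and the fan-out threshold are all assumptions.

```python
from collections import defaultdict

# Placeholder: the page does not give the kill-switch domain; take the real
# value from your threat-intelligence feed.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"
SMB_PORT = 445          # MS17-010 is a flaw in Windows SMBv1 (TCP 445)
FANOUT_THRESHOLD = 3    # assumed: distinct SMB peers before a host is flagged

# Constructed sample records: "<time> dns <client> <qname>" or
# "<time> flow <src> <dst> <dst_port>".
SAMPLE_LOG = """\
2017-05-15T08:01:10Z dns 10.0.4.17 killswitch.example.invalid.
2017-05-15T08:01:12Z flow 10.0.4.17 10.0.4.20 445
2017-05-15T08:01:12Z flow 10.0.4.17 10.0.4.21 445
2017-05-15T08:01:13Z flow 10.0.4.17 10.0.4.22 445
2017-05-15T08:02:40Z dns 10.0.4.30 KillSwitch.Example.Invalid
2017-05-15T08:03:00Z flow 10.0.4.44 10.0.4.5 445
2017-05-15T08:03:05Z dns 10.0.4.44 intranet.example.invalid
2017-05-15T08:04:00Z flow 10.0.4.51 10.0.4.60 445
2017-05-15T08:04:00Z flow 10.0.4.51 10.0.4.61 445
2017-05-15T08:04:01Z flow 10.0.4.51 10.0.4.62 445
2017-05-15T08:04:01Z flow 10.0.4.51 10.0.4.60 445
malformed line
"""

def triage(log_text, domain=KILL_SWITCH_DOMAIN, threshold=FANOUT_THRESHOLD):
    """Return {host: sorted list of indicators} for hosts worth isolating."""
    domain = domain.rstrip(".").lower()
    looked_up = set()
    smb_peers = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1] == "dns":
            # DNS names are case-insensitive and may carry a trailing dot.
            if fields[3].rstrip(".").lower() == domain:
                looked_up.add(fields[2])
        elif len(fields) == 5 and fields[1] == "flow" and fields[4] == str(SMB_PORT):
            smb_peers[fields[2]].add(fields[3])
    findings = defaultdict(list)
    for host in looked_up:
        findings[host].append("kill-switch lookup")
    for host, peers in smb_peers.items():
        # Variants without the kill switch never make the lookup, so SMB
        # fan-out is evaluated on its own.
        if len(peers) >= threshold:
            findings[host].append("smb fan-out")
    return {h: sorted(v) for h, v in findings.items()}
```

A host that shows only SMB fan-out still needs investigation, since the updated versions reported a day later no longer perform the domain check.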
As we arrive at our desks to start the working week, we need to act fast. Organisations need to ensure staff are made aware of the risk, reiterating additional precautionary measures, whilst simultaneously ensuring that IT systems are protected, including:
These attacks happen quickly and unexpectedly. You also need to act swiftly to close any vulnerabilities in your systems.
KPMG’s Technical and Architecture team can assist clients and provide scanning of clients’ environments to identify systems that are exposed to the vulnerability. KPMG’s Cyber Forensic team can assist clients with investigating, managing and recovering from incidents.