The media is in a tizzy about the latest ransomware to hit a high-profile target, in this case the UK's NHS. The Verge has one example of the coverage. With such a high-profile event, CLASSE-IT is getting asked about the situation and what to do.
Threat
This is a mix of traditional ransomware and an old-school “worm”. The problem is twofold. First, like all ransomware, the malware encrypts the files it has access to and then demands payment to decrypt them. The new twist seems to be the “old school” attack that turns it into a “worm”: it takes advantage of a second Windows vulnerability to encrypt files the end user otherwise would not have access to. It also attempts to take over other Windows computers to repeat the attack.
CLASSE Response
You’ll notice several important points about the attack.
- First, for ransomware to succeed it requires that you have no backups of your files (you DO store your files on Samba, right?) – otherwise you just ask for a restore.
- Second, it requires another Windows computer to attack; it cannot directly attack Samba. So your files are safe there unless it is your own account which has been compromised – just as with all ransomware. CLASSE user directories are backed up.
- Third, notice the “old school” stuff up there in the threat description? You have to be running an unpatched Windows computer, or an out-of-support one like Windows XP. CLASSE is pushing the latest version of the Windows 7 patch tonight (Monday, May 15).
- CLASSE also disables macros by default in Microsoft Office, which is the initial email-to-computer infection vector seen in this attack. You might consider turning them off on non-CLASSE-managed PCs if you don’t use them.
- Finally, the “worm” requires direct access to the files. Direct access to CLASSE files is not possible from off-site: you can’t get to Samba from the internet, and you can’t get to your CLASSE PC without going through a firewall.
Conclusion
Ransomware is a big issue, but this one isn’t any worse than many we’ve seen before. The big takeaway is to patch and back up your files, keeping the backups “Off Line” where they cannot be accessed by malware. CLASSE backups are recorded to tape where they can’t be damaged. Please feel free to open a service ticket or come talk to us if you have additional questions.
For your personal computer at home, you may want to check with your “computer help” person, if you have one, to make sure the computer is patched and that its backups are kept somewhere else.