15 May 2017:
I’m sure you will have heard or read about the ‘Massive Cyberattack’ that hit the world news late on Friday, but just in case you haven’t, here are some things you need to know.
Summary of what is happening:
- This malware is the type that blocks access to your files (by encrypting them), then demands a ransom payment for their release;
- The attack currently seems to arrive through email; these messages are typically fake invoices, job offers and other lures sent to random email addresses. Within the email is an attached file which, once opened, starts the infection;
- Once in your network it can spread from machine to machine through a vulnerability in the network file sharing protocol;
- It encrypts all files it can see, and presents you with the ransom banner;
- There are already at least 2 variants of this malware, with slightly different means of spreading and attacking. I expect there will be more coming as copycats try to get on board with this new attack.
- We know that ESET (the virus scanner Caduceus uses / sells) released a detection signature for this specific malware on Friday night (NZ time). Many other virus scanners will have released updates by now as well, so please make sure your virus scanner is up to date.
- For those of you who purchase Managed Virus Scanning from Caduceus, we have already started checking our reports to identify machines that haven’t received the update and will be making contact with users to assist in getting these PCs patched.
- The network file sharing vulnerability was patched by Microsoft on March 14th, 2017 (Microsoft Security Bulletin MS17-010 – Critical). This patch will help prevent the spread of the malware within your network, but it doesn’t stop a machine from getting infected and encrypting all mapped drives, including those visible on servers. As always, we encourage you to apply all outstanding Windows updates, and please contact us if you require assistance.
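To check a Windows PC for the MS17-010 update mentioned above, the following PowerShell script is an added example (not part of this advisory or Caduceus's own tooling). It assumes the KB list below matches the MS17-010 updates as published in the bulletin; later cumulative updates supersede them, so a missing KB on an otherwise current machine is a prompt to check Windows Update history, not proof of exposure.

```powershell
# Added example: report whether this host has an MS17-010 update installed
# and whether the SMBv1 protocol (the one the worm component spreads over)
# is still enabled. Assumption: the KB IDs below are the March/May 2017
# MS17-010 packages; newer cumulative updates supersede them.
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606',               # Windows 10 1507
    'KB4013198',               # Windows 10 1511
    'KB4013429'                # Windows 10 1607 / Server 2016
)

function Get-Ms17010Status {
    # Get-HotFix lists installed updates by KB identifier.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems the SMBv1 state is left as $null (unknown).
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [Environment]::OSVersion.Version.ToString()
        Ms17010Kbs   = ($installed.HotFixID -join ', ')
        PatchFound   = [bool]$installed
        Smb1Enabled  = $smb1
    }
}

$status = Get-Ms17010Status
$status | Format-List

if (-not $status.PatchFound) {
    Write-Warning "No MS17-010 KB found on $($status.ComputerName); confirm via Windows Update history before treating this PC as patched."
}
if ($status.Smb1Enabled -eq $true) {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName); patching closes the hole, and disabling SMBv1 removes the protocol entirely."
}
```

Run it from an elevated PowerShell prompt on each PC, or wrap the function in Invoke-Command to collect the same report across the network.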
Q: “Are we at risk?”
A: Yes. But no more than you were on Thursday or earlier in the week or month. There are many other malware / viruses that infect in a similar manner. The biggest risk comes from users opening emails, opening attachments and clicking links in emails that lead to the malware.
Providing the necessary support to users to educate them in the mindful handling of emails is in my opinion the best (and cheapest) form of defence to most of these attacks.
Caduceus can assist with staff training in this area if you require.
Also if you have doubts about any email you can forward it to email@example.com and we will investigate and comment.
Q: “If we suspect infection what should we do?”
A: With these types of malware, speed and decisive action can really help mitigate the impact of an infection.
Key indicators that you have become infected are: a) a file you could open previously suddenly can’t be seen or can’t be opened; b) your PC starts running very slowly.
Certainly if you encounter the first indicator, the first step should be to isolate the infected PC as quickly as possible. This can limit the infection and save many hours (even days) of recovery effort. Your actions may extend as far as quickly shutting off all PCs on the network, at least until the infected PC can be located and isolated.
Calling Caduceus for assistance would be our next recommended action. We can assist in identifying if you do have an infection, locating the machine and starting recovery efforts.
Q: “How do we recover from an infection?”
A: There are currently no known ways to reverse the encryption of files aside from paying the ransom or restoring from backup.
Depending on how many files get encrypted and the backup mechanism you use, it can take several days to complete a restore from your last successful backup.
For further information, here are a few reference articles:
The website https://intel.malwaretech.com/ provides a global summary of detected Malware attacks.
I’m sure there will be more reports and information that comes to hand on Monday.
If you would like to discuss any of the above, please contact Caduceus Support (firstname.lastname@example.org).