Security experts will tell you that one of the best ways to protect yourself from a malware infection or security breach is to keep your software up-to-date. Running outdated versions that cybercriminals can compromise is simply a bad idea. So, why would anyone put off installing a Windows update that Microsoft considered critical, like the one that fixed a vulnerability exploited by the WannaCry ransomware?
Sometimes it’s because system administrators fear that some part of the update process could go awry and lead to service interruptions. Even when things do go as planned, there can still be unwanted complications. That’s the reality five Australian hospitals are dealing with this week.
In the wake of the WannaCry outbreak, Queensland Health moved quickly to ensure that the proper protections were put in place. In addition to Windows, Citrix and clinical workflow software from Cerner was also patched. While the updates “protected the integrity of [hospital] systems and data,” they have also made it difficult for some staff to access medical record systems.
Barely a month passed from The Shadow Brokers' public release of the EternalBlue exploit in April 2017 to when WannaCry began spreading in May, and Microsoft's fix for the underlying SMBv1 flaw had itself been available for only two months. That isn't a lot of time to test and update every piece of computer equipment that needs to be patched, especially in an incredibly complex environment like a hospital. There's far more to worry about than just desktop computers or laptops. Windows computers are also embedded into medical imaging and diagnostic equipment, and some were vulnerable to the attack.
When fixes need to be applied in a hurry, there’s always a chance that there will be side effects. Still, patching against WannaCry and any future copycat malware was important enough for Queensland Health to take the risk.
In the past, this could’ve been a tough sell. In 2017, however, the “if it ain’t broke, don’t fix it” mentality can’t be applied to computer systems. Advice from the United States Computer Emergency Readiness Team (US-CERT) is very clear: “Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.”
Yes, Queensland Health is coping with some issues accessing their systems. Trouble logging in or accessing records is, however, a huge step up from having an entire network ransomed, servers full of critical data lost, and surgical procedures interrupted.
The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”.
NHS staff shared screenshots of the WannaCry program, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.
Throughout the day other countries, mainly in Europe, reported infections.
Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second largest mobile phone network were all reported to have been hit.
Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.
In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also hit, with reports that staff at the firms were told to turn off their computers.
Coincidentally, finance ministers from the Group of Seven wealthiest countries have been meeting in Italy to discuss the threat of cyber-attacks on the global financial system.
They are expected to release a statement later in which they pledge greater co-operation in the fight against cyber-crime, including spotting potential vulnerabilities and assessing security measures.
How does the malware work and who is behind it?
The infections seem to be deployed via a worm – a program that spreads by itself between computers.
Most other malicious programs rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.
By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too.
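The worm behaviour described above has a detectable network signature: one host opening SMB (TCP/445) connections to many distinct peers in a short time, which is not how ordinary file-sharing traffic looks. The following is an added illustration, not code from the page or from any vendor product, of how a detection rule for that fan-out can be written over connection logs. The log format (timestamp, source, destination, destination port) and the traffic sample are constructed for the example; the threshold and window are assumptions to be tuned per environment.

```python
"""Flag hosts that fan out to many SMB peers in a short window (worm-like behaviour).

Added example; the flow log format and sample traffic below are constructed,
and the threshold/window defaults are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

SMB_PORT = 445


def build_sample_flows():
    """Constructed sample traffic (not a real capture): one line per connection,
    formatted as '<ISO timestamp> <src> <dst> <dport>'."""
    lines = []
    # A workstation talking to the same file server repeatedly: benign.
    for i in range(15):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.5.7 10.0.5.200 445")
    # A host sweeping its /24 on 445, one new peer per second: worm-like fan-out.
    for i in range(12):
        lines.append(f"2017-05-12T10:00:{10 + i:02d} 10.0.5.20 10.0.5.{i + 1} 445")
    # The sweeper also makes an HTTP connection; port 80 must not be counted.
    lines.append("2017-05-12T10:00:30 10.0.5.20 10.0.5.99 80")
    # Slow admin checks: 3 distinct SMB peers spread over 10 minutes.
    for i in range(3):
        lines.append(f"2017-05-12T10:{i * 5:02d}:00 10.0.5.9 10.0.5.{50 + i} 445")
    return "\n".join(lines)


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        flows.append((ts, parts[1], parts[2], int(parts[3])))
    return flows


def detect_smb_fanout(flows, threshold=10, window_s=60):
    """Return {src: alert} for sources that reached >= threshold distinct
    SMB peers within any sliding window of window_s seconds.

    Flows are processed in time order; for each source a deque holds the
    SMB connections still inside the window, so repeat connections to the
    same server never inflate the distinct-peer count."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != SMB_PORT:
            continue
        window = recent[src]
        window.append((ts, dst))
        # Evict connections older than the window relative to the newest one.
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = {peer for _, peer in window}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {
                "first": window[0][0],
                "last": ts,
                "peers": len(distinct),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(parse_flows(build_sample_flows())).items():
        print(f"ALERT {src}: {info['peers']} SMB peers between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

With the defaults only the sweeping host 10.0.5.20 is flagged: the workstation hammering one file server never exceeds a single distinct peer, and the administrator's three slow checks fall outside a 60-second window. Loosening the window to an hour and the threshold to three catches the slow host as well, which is the trade-off a practitioner tunes against normal SMB fan-out from backup servers, domain controllers and vulnerability scanners.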
Some experts say the attack may have been built to exploit a weakness in the SMBv1 file-sharing protocol in Windows that had been identified by the NSA, which developed an exploit for it known as EternalBlue.
The NSA tools were stolen by a group of hackers known as The Shadow Brokers, who made them freely available in April, saying it was a "protest" about US President Donald Trump.
At the time, some cyber-security experts said some of the malware was real, but old.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems "that no longer receive mainstream support", such as Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
The number of infections seems to be slowing after a “kill switch” appears to have been accidentally triggered by a UK-based cyber-security researcher tweeting as @MalwareTechBlog.
He was quoted as saying he noticed the web address the virus was searching for had not been registered – and when he registered it, the virus appeared to stop spreading.
But he warned this was a temporary fix, and urged computers users to “patch your systems ASAP”.
Why do companies still use Windows XP? By Chris Foxx, technology reporter
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs – so they build their own.
For example, a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive – the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn’t compatible. Companies then face the cost of upgrading computers and operating system licenses, as well as the cost of rebuilding their software from scratch.
So, some choose to keep running the old version of Windows instead. For some companies, that is not a huge risk. In a hospital, the stakes are higher.
This new ransomware, known as Popcorn Time, will decrypt your files if you forward the link to the ransomware to your contacts and two or more of them pay the ransom of one bitcoin, which was worth more than $700 at the time.
To avoid becoming a victim of ransomware, it is imperative that you have the essential layers in place to protect your computers and data. The essentials are a working, regularly tested backup of all of your critical data from all PCs (laptops, desktops and servers), up-to-date anti-virus software running on all PCs, a good and properly configured firewall, good spam and email security software, and general awareness among users (don't click on links that look suspicious).
For more information, read:
By Lily Hay Newman
Devious ransomware frees you if you infect two other people
Ransomware, the particularly nasty malware that holds your data hostage until you pay up, just got more pernicious with a version that lets you sell out your friends instead of handing over your cash.
The diabolical software Popcorn Time, which is not at all affiliated with the Popcorn Time piracy app, shakes victims down like any other ransomware. If you can’t afford the one bitcoin payout or you’re feeling especially spiteful, you can share a link to download Popcorn Time in an attempt to infect others. If two of your victims pay up, the attackers give you the key to decrypt your data. It’s a bit like the movie It Follows, but for malware instead of killing.
MalwareHunter, a hacker with the MalwareHunterTeam research group, recently discovered Popcorn Time. It resembles any other malware in terms of infecting a computer, encrypting its drive, and locking you out. The social aspect is what makes it novel. It’s like sharing a referral code for cheap takeout or a free Uber ride. “The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” says Kevin Butler, a cybersecurity and malware propagation researcher at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”
Hackers regularly get creative with ransomware, offering things like support desks where victims can negotiate their ransom. Popcorn Time goes further by tapping into eat-or-be-eaten instincts. It’s fascinating in its psychological gamesmanship, and indicative of experimentation in an already disruptive field. “The bad guys are making a lot of money and they’re going to make a lot more money. A certain percentage of those funds are going to go into research and development for them to try new things,” says Jeremiah Grossman, chief of security strategy at cybersecurity defense firm SentinelOne. “The bad guys are innovating.”
There’s some good news, though. First, the Popcorn Time code doesn’t appear to be finished. “It is still not perfect, but it’s getting better,” MalwareHunter says. “Infecting more to get a free key is already a unique thing. This system is something you don't see every day.”
It also remains to be seen how wide Popcorn Time spreads. “No one really knows if the mechanism is going to have any meaningful impact,” Grossman says. “You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”
Still, ransomware tends to cluster in families and strains that share similar attributes. Even if Popcorn Time isn’t a viral hit, hackers could study its successes and failures to make their own variations more effective. Your best bet? Avoid getting hit in the first place. Regardless of whether Popcorn Time spreads like a virus, there’s no reason to be patient zero.
Innovativ IT is currently helping many small to medium sized businesses in Houston design, deploy and maintain their computer networks while building in regulatory compliance standards from the foundation. For existing networks that we upgrade and or manage, we ensure that their new systems are compliant as well as their legacy systems.
Innovativ IT employs security benchmarks published by the Center for Internet Security (CIS). The CIS is a non-profit organization whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. The standards are developed by consensus with the help of the user community and are based on current recognized best practices for deployment, configuration and operation of networked systems. While at BindView and later Symantec, I was directly involved in establishing these technical standards and their implementation into the Symantec products, as well as helping clients (Fortune 100 and US Government) maintain compliance by measuring their IT infrastructure environments against these standards.
Innovativ IT is currently working with many Houston healthcare organizations to update their IT infrastructure, moving them out of the paper age and into the digital age. In doing so, we are establishing and maintaining HIPAA and PCI DSS compliance from the start. Through the end of 2010, we will be offering a free initial Compliance Audit for any organization. Call to set up your appointment today!
Submitted by Tom Duke, CEO at Innovativ IT Services (Dec., 2010)