This week marks the Business Continuity Awareness week in association with the BCI, and would you believe it, the world’s largest cyber attack has hit as well. You couldn’t make this stuff up.
The facts (so far)
Over the weekend, one of the world’s largest ransomware attacks was unleashed on small to medium-sized private sector businesses; an Australian company was the attackers’ first victim on Friday.
The attack that began on Friday is believed to be the biggest online extortion attack ever recorded and has sent some major organisations into meltdown, including the UK’s NHS (National Health Service). On Sunday the UK Government announced that 97 per cent of its hospitals were back to normal after the attack, but Europol director Rob Wainwright said he feared the attack was not over and that the number of attacks would continue to grow.
The attack, which essentially locks your company’s main servers and users’ files, has hit 200,000 victims in 150 countries. This number is expected to grow vastly in the next few hours as workers turn their computers on for the first time since the weekend.
The ransom itself is a grand total of US$300, and it is expected to grow if the user does not pay.
The attack appears to be caused by a self-replicating piece of software that takes advantage of vulnerabilities in older versions of Microsoft Windows, security experts say.
Chris Watts from Tech Analysis and RiskLogic’s own IT experts say: “WannaCry / Wcry / WannaCrypt ransomware is spread via SMB, that is the Server Message Block protocol typically used by Windows machines to communicate with file systems over a network. It’s able to do this where the machine supporting the protocol has not received the critical MS-17-010 security patch from Microsoft which was issued on the 14th of March and addresses vulnerabilities in SMB. In other words, you have to be almost 2 months behind in your patch cycle in order to get hit with Wcry”.
Unfortunately, at this stage little is known about the attackers. What we do know is one major aspect: this worm doesn’t necessarily need a phishing email to find its way onto your computer. It spreads on its own across the network, reaching machines through the SMB vulnerability that the missing patch would have closed, and then locks the data it finds there.
Although the seriousness of this attack is hitting most media outlets today, very few victims have paid the ransom. It should remain this way! Paying the ransom not only funds these attackers to continue, it’s also not necessary.
Am I safe?
The first thought that comes to mind for many business men and women is whether their personal and business computers and files are safe. The short answer is that you are always a target for this sort of thing. The good news right now is that you still have time! As terrifying as the unprecedented global “ransomware” attack is, this is still a media-generated storm. Cyber security experts said it was nothing compared to what might be coming and what is possible — especially if companies and governments do not make major fixes now. In short, you still have time to remain in control.
Your organisation’s goals should be to remain calm and let the IT professionals get to work!
Here’s what you need to do right now:
Chances are, very few tech geniuses and IT chaps are reading this. The likelihood is that your CEO, Directors and Stakeholders want to know the facts: ‘are we affected?’. You can help them right now by staying one step ahead of the game. Chris Watts of Tech Analysis says you can take a few quick and easy steps:
- Keep your operating systems current, or update them now
- Install patches early
- Have a robust backup strategy (time to get your BCP out?)
- If you are infected, don’t pay the ransom; restore from the backup and give your IT team everything they need
- Lock down machines (e.g. make sure nobody uses the admin account except administrators, and that only trusted users can install software, use USB drives, etc.)
- Don’t open suspicious emails or attachments
- Restrict access to network resources. Ransomware can only encrypt what it can access, and can only spread to machines it can reach, so set file share permissions so that each machine only has access to the files on your network file server that its workflow actually needs
- Block unnecessary ports such as PPTP (PPTP is an obsolete method for implementing virtual private networks, with many known security issues)
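As an added example (not from the original post, nor RiskLogic’s or Tech Analysis’s own tooling), a PowerShell script that checks the exposure points the list above names on a single Windows host: whether SMBv1 is still enabled, whether any update has been installed since the 14 March MS17-010 release date, and which shares grant Everyone full access, with an optional -Harden switch that disables SMBv1 and blocks inbound PPTP. It assumes Windows 8 / Server 2012 or later with the SmbShare and NetSecurity modules, run from an elevated session; the “Everyone: Full” threshold is my own choice.

```powershell
# Added example (not from the original post): read-only WannaCry exposure check,
# with -Harden to apply the two fixes that need no reboot.
# Assumes Windows 8 / Server 2012+ with the SmbShare and NetSecurity modules,
# run as Administrator.
param([switch]$Harden)

# 1. Is SMBv1, the protocol the worm spreads over, still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server support is ENABLED on this host"
    if ($Harden) {
        # Removing SMBv1 takes away the attack surface even before the patch lands
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server support disabled"
    }
} else {
    Write-Host "SMBv1 server support is disabled"
}

# 2. Has anything been installed since Microsoft shipped MS17-010 (14 March 2017)?
# A host with no update since that date is behind the patch cycle the post describes.
# Confirm the exact KB for your OS build against Microsoft's MS17-010 bulletin.
$cutoff = Get-Date '2017-03-14'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff }
if ($recent) {
    Write-Host ("Updates installed since {0:d}: {1}" -f $cutoff, ($recent.HotFixID -join ', '))
} else {
    Write-Warning "No updates installed since $($cutoff.ToShortDateString()); verify MS17-010 is applied"
}

# 3. Which shares give Everyone full control? Ransomware can only encrypt what it can reach.
$open = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessRight -eq 'Full' }
}
foreach ($entry in $open) {
    Write-Warning "Share '$($entry.Name)' grants Everyone full access; tighten to the workflow that needs it"
}

# 4. Block the obsolete PPTP port the post singles out (TCP 1723) at the host firewall.
if ($Harden) {
    New-NetFirewallRule -DisplayName 'Block inbound PPTP (TCP 1723)' -Direction Inbound `
        -Protocol TCP -LocalPort 1723 -Action Block | Out-Null
    Write-Host "Inbound PPTP blocked"
}
```

Run it without -Harden first so the IT team can read the findings before anything changes; step 3 reports, it does not alter share permissions.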
Why haven’t I heard of many companies being affected?
If it wasn’t for the (accidental) discovery of a ‘kill switch’ by a 22-year-old tech whiz, referred to only as MalwareTech, this attack would be much larger than it currently is. MalwareTech and his partner, Darien Huss, registered a domain name over the weekend that redirected the attack to MalwareTech’s own server, activating the kill switch and halting the attack.
A pinch of luck and tech knowledge has helped slow the attack down in this bubbling soup of concerns. However, the Director of the Centre for Cyber Security Research at Deakin University, Professor Yang Xiang, says that “this attack is likely to progress and grow over the coming hours due to its nature”. Europol director Rob Wainwright says that he feared the attack was not over and that the number of attacks would continue to grow; however, many crisis experts (including myself) are confidently promoting the need to revisit your Business Continuity Plans and remain confident in your staff.
Another reason you are unlikely to hear of companies reporting an attack is reputational damage and concern about their direct clients or customers. Typically, media attention and a statement from those affected come only once control has been established, although this isn’t always best for their clients!
One major aspect you need to consider is social media. An easy step to take now is to reinforce your BC awareness and instil confidence to your staff.
Staff should be asked to stay off social media and, if necessary, provided with official communication and statements if the business has been affected.
MalwareTech’s advice is simple: if you haven’t patched, do it now!
This is already believed to be the biggest online extortion attack ever recorded, disrupting computers that run factories, banks, government agencies and transport systems in nations as diverse as Russia, Ukraine, Brazil, Spain, India and the US.
Get your Business Continuity Plan out!
Remember that plan RiskLogic helped you put together? Now is the time to get it out on your desk. You don’t need to be activating it just yet, but it’s worth having a skim over. Remain a step ahead by revisiting your key procedures and get your BC Team and Crisis Team in the loop.
You need to be using this plan and your excellent communication to get the facts. Have a confident individual in your IT team present you with the facts. Relay these to your stakeholders and make the call, as a team, on whether you need to activate your plan.
Leave the technical stuff to the pros!
The worst thing you can do is get in the way. The chances are you’ve not been affected, and you probably won’t be (there are more heroes out there than hackers!). But what a good excuse this is to get your plan out and share it around.
Business Continuity Awareness Week
This coming Friday the 19th, I will be attending the Executive Breakfast for Business Continuity Awareness Week (BCAW). We will be discussing the Kaikoura earthquake but also the latest news on this cyber event. This is a great opportunity to sit with some of the leading industry experts and hear what you should be doing to prepare.
You can register for the event here: http://www.bci-events.wildapricot.org/event-2541842
Until then, plan, do, check and act…