This weekend saw a major outbreak of “ransomware”: it hit the headlines because it hit the NHS, as well as many other large networks including FedEx, the German rail operator Deutsche Bahn, and even the Russian Interior Ministry. Europol has reported that the WannaCry 2.0 outbreak has claimed 200,000 victims across 150 countries.
However, this latest outbreak is just the one that’s hit the headlines - ransomware has been a growing problem for several years now (in fact, the earliest versions predate the internet and were distributed on floppy disks!). Here at VetHelpDirect, we’ve had to help practices hit with similar attacks before, and it’s something we’re always alert to.
In this emergency release blog, we’ll first have a quick look at ransomware in general and WannaCry in particular, then explain why a practice like yours is potentially in danger. Finally, we’ll run through the key steps required to keep your systems safe - if you read nothing else in this blog, skip to that!
What is ransomware?
Ransomware is a particular type of “malware” (a portmanteau of malicious software) that, instead of stealing information, holds your data to ransom. Once a computer is infected, the files on it are encrypted with a key that only the attackers hold; without that key, recovering the files is impractical. The programme then demands a ransom, usually in Bitcoin because payments are hard to trace, to unlock your files. In most cases, if you don’t pay within a certain period, the price goes up; eventually the criminals threaten to discard the key, leaving the files permanently scrambled.
How is WannaCry 2.0 different?
It appears to utilise a particularly “clever” trick (codenamed “EternalBlue”), an exploit for a flaw in Windows file sharing (SMB), which allows it to spread directly from PC to PC across a network without anyone opening anything. Microsoft released a patch for this flaw (MS17-010) in March, a couple of months before the outbreak, for the supported versions of Windows (including 7, 8.1 and 10), but not all network administrators applied the patch; in addition, anyone using an older, unsupported version of Windows (especially XP) was vulnerable.
Surely no-one would target my practice?
According to one security analyst (Klisman Murati), “Small-to-medium sized enterprises are among the most vulnerable, because cyber-defence isn't the thing they prioritise”. This isn’t usually a targeted attack - generally, the criminals use what’s called a “shotgun approach”, sending out malware to as many people as possible. If your practice email address is available openly on the internet (which it pretty much has to be!), then you can expect sooner or later to be attacked. Looking through my personal spam folders, I’ve received 20 or 30 potentially dangerous email attachments and links in the last week - as a business, you should expect to receive a lot more.
What computers are vulnerable?
Although WannaCry only affects Windows machines (PCs and servers alike), ransomware exists in the wild that targets Apple and Android systems, and even Linux-based systems are potential targets. Essentially, if a device is connected to the internet it is at least potentially a target.
How do we protect our systems?
There are 4 key steps to keeping your computers safe:
1) User vigilance
Almost all ransomware (and most other malware, for that matter) gets into a system through something a user does, such as opening an attachment or following a link. WannaCry is the exception: once one machine on a network is infected it spreads by itself, which is why step 2 matters so much.
The most common method is by opening an infected attachment in an email - so make sure your staff know NEVER to open an attachment they aren’t expecting. Check that you were expecting the message, and that it really comes from the address it claims to: the name shown beside the sender is chosen by the sender and can be anything, so look at the actual email address, not just the name. However, even if it does come from a colleague or neighbouring practice, bear in mind the possibility that their systems may have been infected.
Email spam filters and antivirus programmes are pretty good at weeding out these messages, but no system is 100% safe, so advise your staff to be very careful.
Other infection routes include visiting compromised or malicious websites, so avoid clicking links in unexpected emails; if you do need to visit the site, type the address in yourself.
2) Patch your systems
The flaw that EternalBlue exploits was patched two months ago - so make sure all the computers that connect to your networks have the latest security updates installed, not just a recent version of Windows. Patching may not stop ransomware arriving on an individual device (an infected attachment will still run), but it will stop this worm spreading from that device to every other machine on the network.
If your practice network is managed by an external provider, contact them URGENTLY to make sure they have applied the patch. If you are still running Windows XP on any networked machine, you REALLY need to upgrade - this is an ancient and highly insecure system. Although Microsoft has released a patch for this particular exploit, XP is full of holes and is the computer equivalent of a cat with advanced FIV - it’s vulnerable to everything nasty going around.
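To check a machine yourself rather than take a supplier’s word for it, here is an added example script (not from the original post, and not a Microsoft tool) that reports whether the MS17-010 fix is listed, whether the SMBv1 file-sharing protocol that EternalBlue targets is still switched on, and whether port 445 (SMB) is listening at all. The KB numbers are those published in Microsoft’s MS17-010 bulletin; treat the list as an assumption to re-check against that bulletin, and note that a later cumulative update can include the fix without any of these KBs appearing. Run it in an elevated PowerShell prompt.

```powershell
# Added example: report MS17-010 / SMBv1 status on this Windows machine.
# Assumed KB list from the MS17-010 bulletin (re-check against Microsoft's page).
$ms17010Kbs = @(
    'KB4012598',                 # XP, Vista, Server 2003/2008, Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',    # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',    # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',    # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    $installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        return "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
    }
    # A later cumulative update supersedes these KBs, so their absence is not proof
    # of exposure; show the newest update so the reader can judge.
    $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    return "No MS17-010 KB listed. Newest update: $($latest.HotFixID) on $($latest.InstalledOn). Verify manually."
}

function Get-Smb1Status {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: Microsoft's documented switch is the LanmanServer
        # "SMB1" registry value (absent or 1 = enabled, 0 = disabled).
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $value) -or ($value -ne 0)
    }
    return [bool]$enabled
}

function Get-Port445Listening {
    # If nothing listens on 445, a worm on another machine cannot reach this one via SMB.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    return [bool](netstat -an | Select-String ':445\s+.*LISTENING')
}

function Disable-Smb1 {
    # Mitigation Microsoft recommended alongside patching: switch SMBv1 off.
    # (The registry route for Windows 7 needs a reboot to take effect.)
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

Write-Host (Get-Ms17010Status)
Write-Host ("SMBv1 enabled:        {0}" -f (Get-Smb1Status))
Write-Host ("Port 445 listening:   {0}" -f (Get-Port445Listening))
# Uncomment once you have confirmed nothing in the practice still needs SMBv1
# (very old printers and scanners sometimes do):
# Disable-Smb1
```

A machine that reports “SMBv1 enabled: True” and “Port 445 listening: True” with no MS17-010 fix is exactly what WannaCry was looking for; patch it first, then turn SMBv1 off anyway, because the protocol has had other holes and no modern Windows needs it.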
3) Run effective antimalware software
Also known as “antivirus” software, this is excellent at blocking attacks from known malicious programmes. It is inevitably less effective against brand new malware that nobody has seen yet, but it remains a vital “second line of defence” - and it must be set to update itself automatically, as out-of-date antivirus is little better than none.
4) Back up your data on an offline drive
If your backup drive is plugged into an infected computer, the backup will be encrypted along with everything else. So, when you’ve run your daily or weekly backup, disconnect the drive. Ideally, have multiple drives (2 or more alternately used for daily backups, and one or more for weekly ones) that are stored in a secure location disconnected from any networks - that way an infection that goes unnoticed for a day or two still leaves you with an older, clean copy.
Write-once media such as CD-R or DVD-R (not RW) cannot be altered once burned, so a backup on them cannot be encrypted afterwards. Although these discs usually only last 8-10 years and so aren’t suitable for very long term archives, they will usually meet our 7 year data retention requirements.
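To make the rotation above routine rather than something a receptionist has to remember, here is an added example script (not from the original post) for a nightly backup: it works out which rotation drive should be plugged in today, copies the practice data into a new dated folder on it, checks every copied file against the original, and then ejects the drive so the machine can no longer write to it. The source path, the drive labels and the choice of Friday for the weekly drive are assumptions for illustration; it assumes Windows 8.1/10 or Server 2012 R2 or later (for Get-Volume and Get-FileHash) and an English-language Windows for the “Eject” verb.

```powershell
# Added example: dated, verified backup to a rotating external drive, then eject.
$Source      = 'D:\PracticeData'                        # assumed location of the practice records
$DailyLabels = @('BACKUP-DAILY-A', 'BACKUP-DAILY-B')     # assumed labels of the two daily drives
$WeeklyLabel = 'BACKUP-WEEKLY'                          # assumed label of the weekly drive
$WeeklyDay   = [DayOfWeek]::Friday                      # assumed day for the weekly drive

function Get-ExpectedLabel([datetime]$Now) {
    # Weekly drive on the chosen day; otherwise alternate the two daily drives.
    if ($Now.DayOfWeek -eq $WeeklyDay) { return $WeeklyLabel }
    return $DailyLabels[$Now.DayOfYear % 2]
}

function Find-BackupVolume([string]$Label) {
    Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.FileSystemLabel -eq $Label -and $_.DriveLetter }
}

function Copy-WithVerify([string]$From, [string]$To) {
    # Each run gets its own dated folder, so a backup taken after an unnoticed
    # infection cannot overwrite an older, clean copy (never mirror with /MIR).
    New-Item -ItemType Directory -Path $To -Force | Out-Null
    # /E copies subfolders, /R:1 /W:1 avoid long waits on locked files,
    # /XJ skips junctions, /NFL /NDL keep the log short.
    robocopy $From $To /E /R:1 /W:1 /XJ /NFL /NDL | Out-Null
    # robocopy exit codes 0-7 mean success; 8 and above mean something failed.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    # Verify by hashing every copied file against its original (slow, but it proves
    # the copy is readable, which a backup you never test does not).
    $bad = 0
    Get-ChildItem -Path $To -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($To.Length).TrimStart('\')
        $orig = Join-Path $From $rel
        if (-not (Test-Path -LiteralPath $orig) -or
            (Get-FileHash -LiteralPath $orig -Algorithm SHA256).Hash -ne
            (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash) {
            $bad++
            Write-Warning "Mismatch: $rel"
        }
    }
    return $bad
}

function Invoke-OfflineBackup {
    $label = Get-ExpectedLabel (Get-Date)
    $vol = Find-BackupVolume $label
    if (-not $vol) { throw "Drive labelled '$label' is not connected. Plug in today's drive and rerun." }
    $dest = '{0}:\{1}' -f $vol.DriveLetter, (Get-Date -Format 'yyyy-MM-dd_HHmm')
    $mismatches = Copy-WithVerify -From $Source -To $dest
    if ($mismatches -gt 0) { throw "$mismatches files failed verification; do not rotate this drive out yet." }
    # Eject the drive so Windows (and any malware on it) can no longer write to it.
    $shell = New-Object -ComObject Shell.Application
    $shell.NameSpace(17).ParseName("$($vol.DriveLetter):").InvokeVerb('Eject')
    Write-Host "Backup written to $dest and drive '$label' ejected; unplug it and store it away."
}

Invoke-OfflineBackup
```

Run it as a scheduled task at closing time; if the wrong drive is plugged in it stops with a message rather than silently overwriting yesterday’s copy, and the dated folders mean the drive keeps several generations until you choose to delete old ones. If a mismatch is reported, keep that drive connected and investigate before trusting it.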
What do we do if we are affected?
As soon as possible, isolate the affected machine to stop it communicating with others if it hasn’t already - it probably has, but it’s worth trying to prevent further contamination. Do this by physically unplugging the network (ethernet) cable; if the machine is on wifi, shut it down and remove the power supply so the malware can’t restart it.
If possible, make sure you know what you’re dealing with - most ransomware displays a ransom note on screen telling you what it is and what it wants. Photograph the note, and make a note of the extension that has been added to the encrypted files (for example, “notes.doc” becoming “notes.doc.something”): together these identify the strain, and for some strains a free decryption tool exists.
Then, very carefully, check the rest of your network and establish how far the malware has spread. This is also when you should contact the police - this is a crime and needs to be reported. If your network is a managed one, contact your IT service supplier and yell for help!
Once you have isolated all affected machines, put into action your practice contingency plan for IT failure. This may mean reverting to paper notes and labels, or using stand-alone machines - it will be specific to your practice. If you haven’t got one, now’s the time to write it!
In most cases, there is no point trying to recover files on infected machines - treat them as gone. It is better to simply rebuild the computer from scratch: wiping the hard drive and reinstalling the operating system from a recovery disk or USB drive will destroy the ransomware; you can then reload your files and data from backups. Bear in mind that some ransomware lies dormant for a while before it starts encrypting, so your most recent backups may also be contaminated; do some research on the strain you have been infected with to see how far back through your backups you should go, and scan a restored backup with up-to-date antimalware before putting it back into use.
Once you’ve reloaded your backups, it’s time to revise your security procedures for the future!
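“Establish how far the malware has spread” is easier with a tool than by opening folders one at a time. Here is an added example script (not from the original post) that walks a list of folders and network shares from a clean, patched machine and reports, for each one, how many files carry a known ransomware extension, any ransom-note files it finds, and which three extensions are most common (a strain you have never seen before still gives itself away when thousands of files suddenly share one odd extension). The target paths are assumptions; the indicator lists are a starting point to tune for the strain named in your ransom note - “.WNCRY” and “@Please_Read_Me@.txt” are the extension and note file that WannaCry uses, the others are generic examples.

```powershell
# Added example: read-only sweep of folders/shares for signs of ransomware.
# Run from a machine that is already patched and known clean; it only reads.
$Targets = @('C:\Users', '\\SERVER\Records', '\\RECEPTION\Shared')   # assumed paths and shares
$EncryptedExtensions = @('.WNCRY', '.WCRY', '.locked', '.crypt', '.encrypted')   # tune for your strain
$RansomNoteNames     = @('@Please_Read_Me@.txt', '*DECRYPT*', '*README*RECOVER*', '*HOW_TO*RESTORE*')

function Get-RansomwareIndicators([string]$Path, [int]$MaxFiles = 20000) {
    $result = [ordered]@{
        Path = $Path; Reachable = $false; EncryptedFiles = 0
        RansomNotes = @(); Sample = @(); TopExtensions = ''
    }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }
    $result.Reachable = $true
    # Cap the walk so one enormous share does not stall the whole sweep.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
             Select-Object -First $MaxFiles
    foreach ($f in $files) {
        if ($EncryptedExtensions -contains $f.Extension) {
            $result.EncryptedFiles++
            if ($result.Sample.Count -lt 3) { $result.Sample += $f.FullName }
        }
        foreach ($pattern in $RansomNoteNames) {
            if ($f.Name -like $pattern) { $result.RansomNotes += $f.FullName; break }
        }
    }
    # The three most common extensions: an unfamiliar one at the top is a red flag
    # even when it is not in the list above.
    $result.TopExtensions = ($files | Group-Object Extension | Sort-Object Count -Descending |
        Select-Object -First 3 | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' '
    return [pscustomobject]$result
}

$report = foreach ($t in $Targets) { Get-RansomwareIndicators -Path $t }
$report | Format-Table Path, Reachable, EncryptedFiles,
    @{ n = 'Notes'; e = { $_.RansomNotes.Count } }, TopExtensions -AutoSize
# Keep the full detail (sample file names, note locations) for the police report.
$report | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:USERPROFILE\Desktop\ransomware-sweep.json"
```

A share that is unreachable may simply be switched off, or may be the machine you already isolated; either way, note it and check it separately. Any share showing encrypted files or a ransom note should be treated as affected and taken out of use before you start restoring.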
Should I pay the ransom?
In general, no - firstly, the more people pay up, the more ransomware will be distributed, because it becomes profitable to do so. Secondly, remember you are dealing with criminals - there’s no guarantee that you really will get your files back! If you have no backups and are tempted to pay up, we STRONGLY advise that you seek legal advice first.