Cybersecurity and Physical Security

WannaCry ransomware: What every utility needs to know

There are many articles and official sources of information about WannaCry, the ransomware that was unleashed on Friday, May 12, 2017 and quickly spread to 150 countries around the world. This post is intended to provide the basics to guide utility senior management in understanding what happened, what to do if WannaCry is detected on their network, and what to do going forward to prevent this type of risk to their networks.

For utility IT management and staff, N-Dimension has published a technical flash alert to assist IT and cybersecurity staff in planning a course of action.

1) WannaCry - what is it and what happened?

WannaCry is a ransomware computer worm that targets the Microsoft Windows operating system. It spreads without any user action by exploiting a flaw in the Windows SMBv1 file-sharing protocol (the flaw Microsoft fixed in security bulletin MS17-010), so one infected host can infect every unpatched Windows host it can reach on TCP port 445. The attack began on May 12 and reached an estimated 150 countries, locking (encrypting) files on some 200,000 computers. The ransom note demanded $300 in Bitcoin, stated that the demand would double to $600 after 72 hours, and threatened that the files would be permanently unrecoverable after seven days.

2) How do we know if we are vulnerable to WannaCry?

If you run Microsoft Windows on any host computers (desktops, laptops, tablets, servers, etc.) and have not installed the Microsoft security updates released on March 14, 2017 (bulletin MS17-010), you may be vulnerable. Review the list of affected Windows versions and the critical security update information on Microsoft's website to be sure. Note that Windows versions already out of support in March 2017 (Windows XP, Windows 8 and Windows Server 2003) did not receive the March update; Microsoft released an emergency update for them on May 12, 2017, which must be installed separately.

3) How can I prevent our computers from succumbing to WannaCry?

Best practice for IT staff includes monitoring for the availability of patches and ensuring they are applied according to the utility's policies. Microsoft rated the update that prevents WannaCry infection (MS17-010) as "critical", and it should have been installed utility-wide within a short period of its release.

If the Microsoft update has not been installed on all host computers, it's not too late. Mandate that all host systems install the update as soon as possible, obtaining it from the Microsoft website or through your existing patch-management system. For hosts that cannot be patched immediately (for example legacy or vendor-controlled systems on operational networks), disable SMBv1 on the host and block TCP port 445 to it until the update can be applied.

4) If one of our host computers is infected by WannaCry, what should I do?

If a host is detected as having been infected with WannaCry, immediate action should be taken.

  • Disconnect the host computer from the network (unplug the network cable and disable Wi-Fi) and keep it isolated. This stops it from spreading WannaCry to other hosts on the network.
  • Once the infected host is offline, assess how widespread the problem is, including an inventory of the files WannaCry encrypted. Based on this assessment, decide whether and how to recover the data from backup.
  • Scan all other hosts on the network for WannaCry as soon as possible, particularly those the infected host could reach over SMB (TCP port 445), to ensure they have not been compromised as well; the worm does not need shared folders or user interaction to spread.
  • Containment: taking the infected host offline is the first step, followed by blocking SMB traffic (TCP port 445) at your network boundary or perimeter and between internal network segments where it is not needed. It is imperative that all Windows hosts are up to date with Microsoft patches and specifically have the MS17-010 update installed.
  • Do NOT pay the ransom: although WannaCry claims to return the files if the ransom is paid, research to date suggests that payment does not result in recovery; the malware uses only a handful of hard-coded Bitcoin wallets, so the attackers have no reliable way to tell who has paid. Paying a ransom is dangerous and counterproductive in any type of ransomware attack.
  • Report the attack: US-CERT advisory TA17-132A recommends reporting the incident to your local FBI field office.
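The checks and stop-gaps from questions 3 and 4 (is an MS17-010 update present, is SMBv1 still enabled, and, for hosts that cannot yet be patched, disable SMBv1 and block inbound TCP 445) as an added PowerShell example. This is not code from N-Dimension's flash alert or from Microsoft; the function names are chosen here, it assumes an elevated Windows PowerShell session on the host being checked, and the KB numbers are those Microsoft listed for MS17-010 and its May 2017 emergency release, which you should confirm against the bulletin before relying on them.

```powershell
<#
  Added example (not N-Dimension's or Microsoft's code). Reports a host's SMBv1
  state and MS17-010 status; with -Remediate applies the two stop-gaps discussed
  above. Run in an elevated Windows PowerShell session. KB list: assumed from
  bulletin MS17-010 (March 14, 2017) and the May 2017 out-of-band release.
#>
param([switch]$Remediate)

$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

function Get-SmbV1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server cmdlets; Windows 7 /
    # Server 2008 R2 keep the same switch under the LanmanServer registry key.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # No value at all means the default, and the default is SMBv1 enabled.
    return ($null -eq $smb1 -or $smb1 -ne 0)
}

function Test-Ms17010 {
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)
    $found = @($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    if ($found.Count -gt 0) {
        return 'PATCHED (' + (($found | ForEach-Object { $_.HotFixID }) -join ', ') + ')'
    }
    # Monthly rollups and Windows 10 cumulative updates released after March 2017
    # also contain the fix and supersede the March KBs, so "March KB absent" alone
    # does not prove exposure. Anything installed on or after 2017-03-14 needs a
    # manual check against the bulletin; nothing that recent means unpatched.
    $later = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' })
    if ($later.Count -gt 0) {
        return 'UNKNOWN - updates installed since 2017-03-14 may supersede the March fix; verify against MS17-010'
    }
    return 'MISSING - install the MS17-010 update for this Windows version'
}

function Disable-SmbV1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMBv1 disabled in the registry; the change takes effect after a reboot.'
    }
}

function Block-InboundSmb {
    # Host-firewall stop-gap for workstations that cannot be patched yet. Do not apply
    # it to file servers or domain controllers, which must accept SMB; for those rely
    # on patching and on blocking TCP 445 at the network perimeter.
    netsh advfirewall firewall add rule name=BlockInboundSMB445_WannaCry `
        dir=in action=block protocol=TCP localport=445 | Out-Null
}

'{0}: SMBv1 enabled = {1}; MS17-010 = {2}' -f $env:COMPUTERNAME, (Get-SmbV1Enabled), (Test-Ms17010)

if ($Remediate) {
    Disable-SmbV1Server
    Block-InboundSmb
    'Stop-gaps applied on {0}; re-run without -Remediate to confirm.' -f $env:COMPUTERNAME
}
```

Run it without arguments first to get the status line for each host (for example through your existing remote-management tooling), and use -Remediate only on workstations that cannot take the update yet; the firewall rule should be removed once MS17-010 is installed and the host is verified. Treat an UNKNOWN result as a prompt to check the installed update level against the bulletin, not as a pass.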

5) What can I do going forward to reduce risk of a cyberattack such as WannaCry?

There are some basic steps utilities can take to reduce their vulnerability to a cyberattack. In addition to ensuring IT follows best practices, all employees need to be vigilant, which starts with education.

For IT

  • Ensure software patches and anti-virus updates are installed in a timely manner, especially those related to security (OS, applications, web browser, etc.)
  • Monitor incoming network traffic and traffic between your internal networks for anomalous activity that could indicate a security issue. For a worm like WannaCry that means a single host opening SMB connections (TCP port 445) to many other hosts in a short time, or internal hosts attempting SMB connections to the Internet.
  • Ensure a plan is in place for data backup and recovery. Backup copies of sensitive data should not be readily accessible from the local network (ransomware encrypts any backup it can reach), and restores should be tested regularly.
  • Perform regular vulnerability scans of networked devices to identify potential security concerns such as security policy violations, malware and viruses, and software and OS vulnerabilities (including unpatched devices)
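One concrete form of the traffic monitoring recommended above, as an added PowerShell example that is not part of the original post: it reads firewall log lines and flags any source host whose SMB connections fan out to many distinct peers within a short window, the pattern a WannaCry-infected host produces while scanning for more victims. The function name, window and threshold are choices made here, and the sample lines are constructed for this example in the layout of the Windows Firewall log (pfirewall.log: date, time, action, protocol, source IP, destination IP, source port, destination port, ...); point it at real lines with Get-Content instead.

```powershell
# Added example (not N-Dimension's code): detect SMB scan fan-out in firewall logs.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [int]$WindowSeconds = 60,   # look-back window per source host (assumed)
        [int]$Threshold = 10        # distinct TCP/445 peers in one window that raise an alert (assumed)
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Keep only TCP connections to port 445; parse time, source and destination.
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }      # blank and comment lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $peak = 0; $peakStart = $null
        # Sliding window: starting at each event, count distinct peers until the window closes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @{}
            for ($j = $i; $j -lt $sorted.Count -and $sorted[$j].Time -le $end; $j++) {
                $peers[$sorted[$j].Dst] = $true
            }
            if ($peers.Count -gt $peak) { $peak = $peers.Count; $peakStart = $sorted[$i].Time }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{ Source = $group.Name; DistinctPeers = $peak; WindowStart = $peakStart }
        }
    }
}

# Constructed sample log (not real traffic): 10.1.2.15 touches twelve neighbours on
# TCP 445 within twelve seconds (worm-like); 10.1.2.40 reaches one file server twice
# in half an hour (normal user activity).
$scan = 1..12 | ForEach-Object {
    '2017-05-12 14:03:{0:D2} ALLOW TCP 10.1.2.15 10.1.2.{1} 49{0:D3} 445 0 - 0 0 0 - - - SEND' -f ($_ + 10), $_
}
$benign = @(
    '2017-05-12 14:05:02 ALLOW TCP 10.1.2.40 10.1.2.5 51000 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 14:31:45 ALLOW TCP 10.1.2.40 10.1.2.5 51120 445 0 - 0 0 0 - - - SEND'
)
$SampleLog = @($scan) + $benign

# Replace $SampleLog with: Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Find-SmbFanOut -Lines $SampleLog | Format-Table -AutoSize
```

The same fan-out logic applies to any flow source (perimeter firewall, NetFlow, switch ACL logs) once the fields are mapped; tune the threshold to what a file server or backup host legitimately does on your network so that those do not alert, and add a second rule for any internal source whose destination on port 445 is a non-private address, since a host has no business speaking SMB to the Internet.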

For all employees

  • Be vigilant about suspicious emails with links and attachments – don’t click, don’t open if there is any question.
  • Only download software from trusted websites.
  • Ensure software patches and anti-virus are installed in a timely manner, especially those related to security (OS, applications, web browser, etc.)