Monday, 15 May 2017

What is the WannaCry RansomWare virus?

You may have read about the disruption caused to many computers across the world last week by the WannaCry RansomWare virus. The NHS were amongst the organisations most badly affected. Here we try to explain what it is, how so many people were infected and how you can protect yourself.

What is WannaCry?
It is a “RansomWare” virus that almost certainly arrives as an email attachment, which a user is persuaded to open. They may believe the email to have come from a friend or colleague. Or the email may be suggesting that the attachment is an expected invoice, a problem with your bank, or an unexpected demand for payment. However it is presented, it would appear to have been crafted in such a way that many people have opened the attachment.

What is RansomWare?
“RansomWare” is the name given to a type of virus which infects your computer, encrypts most of your data and then demands a payment, or ransom, to provide a “Decryption Key”. Only with that key would you be able to recover your encrypted data back to a useable form.

Why didn’t Anti-Virus software stop it?
No anti-virus (AV) software is 100% effective. The way most AV works is by knowing each virus that exists. Any software that tries to install itself onto your computer has a specific signature. That signature is matched against a database of known viruses, and the AV blocks any software it recognises as malicious.

However, whatever AV is in use by the NHS clearly wasn’t effective in this instance – in a big failure!

In the case of a new virus, most AV databases need to be updated with the new signature, and every computer then needs to download the updated database. This process is speedy, but inevitable time delays allow the virus to spread.

Some AV, such as WebRoot (http://www.the-it-dept.uk/antivirus.php), works in a slightly different way: it tries to spot the way viruses infect computers, as well as having a cloud-based database of known viruses. WebRoot also sends back to base information on the software that computers are installing, so any malicious virus can be spotted quickly, allowing the WebRoot database to be updated very fast to block further infections.

Which computers are at risk?
The WannaCry virus exploited a vulnerability in older versions of Microsoft Windows. A “vulnerability” is, effectively, a mistake in the coding of Windows, which allows a malicious virus writer to exploit the poor coding. There are very many vulnerabilities within Windows, which is why Microsoft releases “Windows Updates” every month. These Updates are used to patch the holes in the software to make it more secure.

There is a governmental organisation in the USA, called the National Security Agency (NSA), which is tasked with keeping the computers of the USA, and presumably other friendly nations, as secure as possible. The NSA discovered a new vulnerability within Windows some time ago. But, they kept this information to themselves, in the hope of using the security flaw in an attack on their enemies.

Instead of this happening, the NSA themselves were hacked and the information that they held on the vulnerability was stolen. This meant that nefarious elements now had some very dangerous knowledge.

At this point the NSA had to fess up to Microsoft, who soon released a patch against the vulnerability. So, any computers which were running Windows Updates automatically, or whose users were installing such patches manually, were secure.

There are, of course, questions about the ethics of the NSA. “NSA's mission is to help protect national security” (from https://www.nsa.gov/news-features/press-room/statements/2013-08-09-the-nsa-story.shtml). Quite how the best interests of national security are addressed by keeping quiet about such a major flaw in Microsoft Windows is debatable.

But, surely the NHS were patching their computers?
Not necessarily. Many IT staff do not allow automatic updating of Windows. Historically this could cause more problems than it was worth, as some of the patches would create more serious issues than they fixed. (This hasn’t been the case for many years now. We recommend users run Windows Updates automatically on PCs, but not on Servers.)

In addition, Microsoft only publicly releases patches for what they call “supported” versions of Windows. This only includes newer versions, such as Windows 7 or Windows 10. It does not include Windows XP.

Many government departments, and particularly the NHS, operate annual budgets which militate against longer-term investment. They therefore do not see the cost benefit of upgrading older computers. Or they have certain devices attached to a computer which will not work on newer versions of Windows. The NHS has many computers running Windows XP.

For some time the UK government was paying Microsoft to continue providing patches for Windows XP. Last year the government decided that this was a false economy and stopped paying this money from central funds. The NHS chose not to make a new agreement with Microsoft, and so their Windows XP computers have not had the benefit of any patches. I also suspect that many of their newer computers are not set to automatically update.

Why was WannaCry able to infect so many computers?
WannaCry is different to most other RansomWare, as the exploit that the NSA had discovered allowed malicious software to spread from computer to computer over the network. Previously most viruses would only infect the one computer on which they had been installed. So, if one user in an office opened a malicious email attachment, only their computer was infected. WannaCry infects all of the other computers that it can find on the same network.

Why can’t I decrypt the data myself?
The encryption methods used by this type of virus are extremely powerful. Without the Decryption Key it is almost impossible to recover your data.

The virus writers wish to be paid in “Bitcoin”, which is an untraceable, electronic currency. The WannaCry virus demands payment within 3 days, or the price doubles. Don’t pay within a week and your data is gone forever. But, setting up a Bitcoin account is neither straightforward nor fast. And, once you have paid the ransom, what guarantee do you have that the Decryption Key, if sent to you at all, will work?

Law enforcement agencies cannot, in this case, “follow the money”. Bitcoin accounts have been designed to be untraceable and anonymous.

So, what can I do to protect myself?
There are several steps we can take to protect against viruses.

Use a backup system where most copies of the backed up data are not held on your network.
Cloud, or online, based backup is ideal. RansomWare viruses cannot infect the data in the cloud, so you can clean the virus and recover the data from backup very quickly.

Tape based backup, or backup to more than one external hard drive, allows the backed up data to be removed from site each night, offering some protection.

Backup. Backup. Backup.

Keep Windows Updates running automatically and check that they are installing occasionally.
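As an added example (not part of the original post), here is a PowerShell check for that advice: it reads the Windows Update policy keys, finds the most recently installed update, and reports which version of Windows is running. The 30-day threshold is an assumption chosen for this example; run it in an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example: quick check that a Windows PC is set to install updates
# automatically and has actually done so recently.

# 1. Has Automatic Updates been switched off, or set to "notify only", by policy?
#    NoAutoUpdate = 1 disables it; AUOptions 2 or 3 means updates are not installed
#    without someone clicking, 4 means download and install on a schedule.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic Windows Updates are DISABLED by policy on this PC.'
} elseif ($au -and $au.AUOptions -in 2, 3) {
    Write-Warning "Policy AUOptions=$($au.AUOptions): updates wait for a user to install them."
} else {
    Write-Output 'No policy is preventing automatic installation of Windows Updates.'
}

# 2. When was the last update actually installed?
#    Get-HotFix lists installed updates; some entries have no InstalledOn date,
#    so those are skipped before picking the newest.
$daysWithoutUpdates = 30   # assumption: threshold chosen for this example
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    Write-Warning 'No installed updates with a date were found.'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$daysWithoutUpdates)) {
    Write-Warning ("Last update {0} was installed on {1:d}, more than {2} days ago." -f `
        $latest.HotFixID, $latest.InstalledOn, $daysWithoutUpdates)
} else {
    Write-Output ("Last update {0} was installed on {1:d}." -f $latest.HotFixID, $latest.InstalledOn)
}

# 3. Which Windows is this? Older, unsupported versions no longer receive patches.
$os = Get-WmiObject Win32_OperatingSystem
Write-Output ("Running {0}, build {1}." -f $os.Caption, $os.BuildNumber)
```

If the script reports a disabled policy or an old last-update date, that PC is in the same position as the unpatched machines described above and should be looked at first.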

Install a good anti-virus system and keep it updated.

Install CryptoPrevent and pay the $15 annual fee to keep it updated. This is a small piece of software aimed only at preventing RansomWare style viruses (https://www.foolishit.com/cryptoprevent-malware-prevention/).

Don’t visit websites that your mother wouldn’t approve of. And don’t click links in emails to websites. Especially if an email consists only of a link.

But, most importantly, be wary of any email attachments.
Do you know the person who just sent an email to you with an attachment?

Do you really know them? Anyone can fake an email address, so does the email read correctly, as if your friend or work colleague that appears to have sent it actually did so?

Were you expecting the email attachment? Not just, were you expecting an email attachment. Were you expecting this specific one?

Is the attachment a Zip file? No-one sends Zip files very much, apart from virus writers!
Have a regular IT Support visit to report on the health of your computers. You may wish to have a monthly contract, or just the occasional one-off visit.

Just as you service your car to keep it running smoothly, so you should service your computers.
Please get in touch if you have any questions or concerns. Or if you'd like further advice.
Call us now on 01257 42 92 16
or see our website at https://the-it-dept.uk

Keeping IT Simple!

____________________________________________________
The IT Dept offers computer support services in Lancashire, including Monthly On-Site or Remote Support Contracts; Secure Online Data Backup; Domain Hosting; Server and Desktop Sales; Software Supply & Installation. We cover all of Lancashire, including Chorley, Preston, Blackburn, Darwen, Bolton, Wigan, Blackpool, etc.
© Michael Donkin 2017