Offsite Cloud Backup Best Protection from Ransomware

It’s called WannaCry / WannaCryptor and is possibly the biggest attack in history

What is it

This new form of ransomware named “WannaCrypt0r/WannaCry” has been confirmed by Kaspersky Labs to already have recorded more than 45,000 attacks in at least 74 countries in the last few hours.

It’s infecting Windows-based operating systems at a rapid rate.

If a computer is infected with this virus, it will seek out connections to other computers on the same network, mapped drives, shared folders, etc, and start encrypting data.

Microsoft has actually known about this vulnerability before March 14th, 2017, and released a security bulletin [updated: page was removed and now redirects to Microsoft Security Response Center] about it, however, many systems remain unsecured and as a result, it is severely impacting schools, governments, and healthcare institutions worldwide.

Reports indicate the patch is not included for Windows XP systems and those operating systems should be retired immediately. Unfortunately, some medical institutions are still using Windows XP, and as a result, services have had to be diverted to another neighboring medical service provider who was not infected.

How This Affects WholesaleBackup Channel Partners

I just got off the phone with one of our WholesaleBackup Partners. He had some questions about the offsite cloud backup software and was just calling to double-check on some of the backup settings after performing a full data restore and successfully recovering all of the accounting records for one of his customers.

Incidentally, the customer had accidentally deleted the data by mistake during a transition to a new computer setup.

He brought up this WannaCry attack and how he does not want to mess around, having experienced dealing with this before.

He brought up the time around three years ago when another version of ransomware (some version of Cryptolocker) was running rampant and infected this exact customer and everything was lost.

The only saving grace was that he was running our offsite cloud backup software, and was able to fully restore the business back to normal and recovered all of the accounting and business data successfully.

This is what it’s all about, staying ahead of these attacks by simply keeping an offsite copy of your most important data.

The offsite cloud backup software is used by MSPs, Backup Service Providers, IT Pros, and Network Professionals around the world, just like you.

Whether you want to provide and very light or robust service the choice is yours, you can offer local onsite, vaults, Disc Image Restores (BMR), and offsite cloud storage using AWS S3 / Google Cloud or even use your own Backup Server and store the data yourself.

At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.

Source: KrebsonSecurity

Glad I don’t have to deal with this anymore, but XP? Still? srsly?https://t.co/8LO2eze7ly #WannaCry

— Richard De St Croix (@s0apy) May 12, 2017

A glance at the recorded mapping & distribution of this infection unfolding currently

Initial observations show Russia, Ukraine, India, and Taiwan receiving the most attacks.

Kaspersky’s early numbers have Russia being hit with over 70% of the WannaCry infections https://t.co/OkgyCfQyfm

The ransomware screen is similar to others we’ve seen in the past, explaining you have been hacked and your data is being held hostage, with a time-limit to meet the demands, generally demanding between 300 – 600 dollars from its victims.

Origins of this virus traced to NSA leaked tools (EternalBlue)

The use of the NSA EternalBlue exploit was confirmed by an independent malware researcher known as Kafeine:

Más información de #WannaCry

https://t.co/73HBfs4qqD

— Oscar Valdez (@oz_vacore) May 12, 2017

Kafeine told Forbes that it was unsure if the exploit was being used as the ransomware’s primary method of infection, but was certain it was used in some capacity. Separately, UK-based researcher Kevin Beaumont tweeted that WannaCry was using the NSA attack, which exploited a now-patched Microsoft Windows vulnerability, also known as MS17-010. And a Spanish Computer Emergency Response Team (CERT) said the vulnerability was used by the ransomware crooks.
Source: Forbes

If you need the patch it’s available now

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Source: Kaspersky Labs

What You Can Do To Minimize Risk with Offsite Cloud Backup

1. If you don’t have an offsite cloud backup service in place get one now.
2. Retain at least 30 days worth of backup history (this is done from the Backup Retention settings), this provides around a month’s worth of good data stored offsite to recover from.
3. Have more than one backup vault. Our Backup software allows you to create a zero-cost (included) local vault in addition to your remote vault, having more than one vault is highly recommended and a best practice, in addition restoring from a local vault is much faster.
4. Monitor accounts and customers from an online backup monitoring tool, like our Backup Ops Web Console. There will be key indicators present if things are going wrong and that will help you stay on top of things.
5. Create reports to be emailed to you directly so that you can monitor the last connection times and data transfers.
6. Create alert notifications for when computers don’t connect or send any new data.

These are just a few things WholesaleBackup can do for you that provide you with a great advantage to ensure data continuity.

WannaCry Update 05.15.2017

On Friday the initial reports stated 45,000 hacked PCs, now Monday we are seeing over 200,000 hacked PC’s across 99 countries.

That’s a staggering 344% increase within 48 hours!

As stated previously the attack is exploiting a Windows SMB package called EternalBlue which is confirmed as one of the several leaked CIA tools reported in March by Wikileaks.

Former CIA employee Edward Snowden stated that if the NSA had privately disclosed the flaw used to attack the hospitals when they “found” it, this tragedy could have been avoided. He also stated that Congress should be asking if the NSA knows of any other vulnerabilities in software used in our hospitals.

If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened https://t.co/lhApAqB5j3

— Edward Snowden (@Snowden) May 12, 2017

Microsoft has quickly changed its mind and has now officially released emergency security patches for all of its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003, and 2008 Editions.

Quick Tip To Disable & Stop WannaCry

Another workaround has been shared to stop this threat.

On all Windows systems, you can stop/disable SMB on your Operating System.

What is the SMB? 

Here are the steps to stopping it.

Quick Tip to stop #WannaCry (for all Windows users, even if you have installed the updates, Just disable SMB if not in use) pic.twitter.com/zfhj0sS4ZY

— The Hacker News (@TheHackersNews) May 13, 2017

Despite many security researchers working tirelessly to find a way to stop the infection like @MalwareTechBlog very skilled 22-years-old malware hunter who first discovered that there’s a kill-switch, you can use it to stop an ongoing ransomware attack.

A new strain has emerged and has been quickly dubbed version 2.0 which is not disabled by this killswitch.

The killswitch has slowed things down a bit but has not stopped it. The curious part about this Killswitch is that it is believed to be built in by design. The script consistently checked for a fake obscure URL that was unregistered. The security researchers registered the fake URL and the virus immediately shut down.

Experts are confused why they built it this way, but believe it may have been a way to manually shut it down when they wanted to stop it.

“It was all pretty shocking, really,” MalwareTech says. The kill switch “was supposed to work like that, just the domain should [have been] random so people can’t register it.”

Check out this video demonstration of  WannaCry ransomware Windows SMB to compromise the system.

8 things you can do right now to stop WannaCry

1. Install all security updates immediately

2. Patch SMB Vulnerability

3. Disable SMB

4. Enable Firewall & Block SMB Ports

5. Use an Antivirus Program

6. Be suspicious of EMails, Websites and Apps

7. *Most Important* Make Daily Backups of your files using offsite cloud backup

8. Keep Your Knowledge Up-to-Date

[Source: thehackernews]

Shared code between an early, Feb 2017 Wannacry cryptor and a Lazarus group backdoor from 2015 found by @neelmehta from Google. pic.twitter.com/hmRhCSusbR

— Costin Raiu (@craiu) May 15, 2017

Google Researcher Discovers similarities in WannaCry code identical to Lazarus Group

Neel Mehta a Google security researcher has identified identical patterns in the WannaCry ransomware code similar to that used by the hacking group called Lazarus, who has also been blamed for the Sony hack in 2014 and the Bangladesh bank in 2016.

If this proves to be true, WannaCry would be the first ransomware attack launched powered by a nation, using leaked NSA tools.

Security firm Symantec says it has “identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry,” which could have been used to help spread the worm to vulnerable computers. The company adds that the shared code is based on “a specific sequence of 75 ciphers, which to date have only been seen across Lazarus tools.”

[Source: NPR]