Updates‎ > ‎

Ransom-ware Attacks

posted May 15, 2017, 4:58 AM by tdavis@greeneesc.org   [ updated May 15, 2017, 4:58 AM ]

On Friday a massive ransomware attack spread across the globe, locking up thousands of hospital, telecommunications, and utilities systems in nearly 100 countries. The attack used data stolen from the NSA to exploit vulnerabilities in Microsoft Windows and deliver the WanaCrypt0r ransomware. The demand was for $300 per PC.


Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.?


It is not clear the attacks are over and where they might spread.


More info on the attacks can be found here: http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded


What should you do?


1) UPDATE SOFTWARE to ensure the most recent security patches have been applied.


2) BACKUP CRITICAL FILES so that if you are attacked, your most critical data has been saved. In a ransomware attack, you may or may not get your files back.


3) IF RANSOMWARE STRIKES, you'll need to decide whether to pay. If you pay, you may or may not get access to your files again and it is possible your machine is still infected. The Ohio Attorney General has indicated that the State will hold public entities harmless for decisions they make in this regard.


Tips from the Federal Bureau of Investigation for dealing with ransomware (primarily aimed at organizations and their employees, but some are also applicable to individual users):


  1.  Make sure employees are aware of ransomware and of their critical roles in protecting the organization's data.

  2.  Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).

  3.  Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.

  4.  Manage the use of privileged accounts-no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.

  5.  Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don't need write-access to those files or directories.

  6.  Disable macro scripts from office files transmitted over e-mail.

  7.  Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

  8.  Back up data regularly and verify the integrity of those backups regularly.

  9.  Secure your backups. Make sure you have a set of backups that are not connected to the computers and networks they are backing up.

10.  Consider removing from the network or upgrading ALL devices running unsupported operating systems (i.e. Windows XP).



Thank you to various OECN personnel from around the state for compiling this information.