Malware experts share cyber security tips

Approximately 150 countries were affected.

Honda said on June 21 that it was forced to stop production at a car plant in Japan after its computer network was hit with WannaCry.

On June 27 another malware, ExPetr, thought to have originated in the Ukraine, infected government and corporate networks on a global scale as well.

Jerome Segura is the lead malware intelligence analyst at cyber security company Malwarebytes. He said ransomware is the most widespread type of malware or malicious software, encrypting valuable files like photos and documents. Ransoms typically cost between $400 and $500 for each infected machine.

“WannaCry was a typical ransomware to begin with,” Segura said. “Actually the first version of WannaCry was just a standalone ransomware. It did not have any propagation method yet. When WannaCry 2.0 came out it had a worm with it. The worm is what really made WannaCry such a big threat worldwide because all of a sudden, using an exploit that was released by the Shadow Brokers from the NSA toolkit, you could spread one infection throughout the world using an SMB vulnerability,” he explained. “So WannaCry was really a wake up call for many. Ransomware was already known to be a big deal but if you couple the ransomware threat with a worm, then you’ve got something that’s very lethal.”

“There is very little you can do once you’ve been infected with ransomware. It’s becoming harder and harder to decrypt files without having to pay a ransom,” Segura said.

On patching
Jean-Ian Boutin is a senior malware researcher at IT security company ESET. He said the worm within the WannaCry ransomware infected approximately 200,000 computers in about a 24-hour span. He also said this outbreak could have been prevented, had systems been up-to-date.

“In the WannaCry case, a good patching strategy would have prevented this outbreak because the patch was already available,” Boutin said.

Patching, in computer terms, is a piece of software used to update a computer and fix bugs or security vulnerabilities.

“This was really a threat that targeted businesses more than consumers. What we realized is many businesses and networks were not patched, were vulnerable to this type of attack, which exploited a file-sharing vulnerability,” Segura added.

‘Think before you click’
Toronto-based St. Michael’s Hospital’s ‘Think Before You Click’ campaign advises users that most malware enters systems through email or websites and cautions against clicking on any suspicious email links or attachments.

“Normally, we take a little more cautious approach to patching servers to ensure that applications are not affected,” the hospital’s deputy CIO Frank Garcea told Canadian Security magazine. “But in this particular incident we’ve had to patch in a more expeditious manner; our approach to patching desktops has always been aggressive. They are patched as soon as patches become available.”

“When hospitals are forced to shut down, surgeries are cancelled, we realize how dependent we are on our IT infrastructure. And when it’s not secure then lives are actually at risk,” Segura said.

Segura and Boutin agree educating staff is a must.

“Technology is one thing. You can install a lot of different pieces of technology, but if you don’t also train your people then you’ve only won half the battle,” Segura said.

“Having a security policy in place is a good idea for a business. It all depends on what are the risks, the size of the business,” Boutin said. “Put in back-up procedures to avoid losing work or money if you have to pay a ransom. Store back-up in a non-accessible place so it can’t be encrypted.”

“In a lot of cases, just one version behind is enough to be hacked,” Segura said. “We know that it’s not always possible to patch, but if that’s the case then my recommendation is to isolate the systems. Put them in virtual machines, contain them so that if something happens at least you don’t infect the rest of the network,” he said.

Canadians paying ransoms
According to a ransomware survey Malwarebytes conducted in 2016 within a number of countries, Canada had the highest number of people who had paid a ransom to retrieve their files. Segura said around 75 per cent of Canadians affected actually paid the ransom.

“The more people pay the ransom, the more we’re going to see ransomware become so prevalent with criminals actually upping the price of the ransom,” Segura said.

“Even if you do pay it doesn’t guarantee you’ll get your files back. Not always because the criminals don’t keep their word, but sometimes because the ransomware itself was poorly coded and by accident kind of destroyed your files. That happens quite a bit,” Segura said.

Segura recommends not blindly obeying instructions asking for immediate payment.

“You’ve got to do a bit of research. There’s a small, slim chance you may be able to find an alternative solution,” Segura said.

He also said affected business should report the incident to law enforcement to stop hackers, even if they don’t want to go public with the news.

For more on ransomware, and interviews with Jerome Segura and Jean-Ian Boutin, view the latest Security Insider video.