The WannaCry Virus: An Update & Response for Healthcare

News of the recent WannaCry virus has now covered the globe. BBC and CNN report that this cyberattack, the largest one in history, has been found in 150 countries, affecting over 200,000 computers. Numerous corporations, governments and healthcare providers have been impacted, including the United Kingdom’s National Health Service, which has forced some locations to temporarily cease operations and divert patients.

While cybersecurity analysts did discover a “kill switch” within WannaCry to help disable it, the potential for a stronger version without that check remains a possibility. In light of that, here is what the healthcare industry needs to know:

 

What is Ransomware?

Ransomware is malicious software which blocks access to a computer system or data until a sum of money is paid. Some forms of ransomware systematically encrypt files on the system’s hard drive, making them difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying.

We created an overview of Ransomware to serve as a valuable educational resource regarding some background on this cyber threat and, most importantly, steps for prevention.

 

Who is at risk for WannaCry?

WannaCry attacks outdated versions of the Microsoft operating system, including Windows XP, Windows 8, and Windows Server 2003 as well as all current supported versions. Microsoft had previously created a patch (you can find the MS bulletin here), yet many who have not updated their systems are vulnerable to the WannaCry attack. It has been specifically associated with the MS17-010 Security Update for Microsoft Windows SMB Server (4013389). When the user unsuspectingly opens a file containing the virus, WannaCry locks down the computer until a ransom has been paid.

 

What are Fortified’s recommendations?

  1. Deploy patches for MS17-010 across your enterprise immediately. Make sure you reboot any patched systems immediately after deployment to ensure the update takes effect.
  2. Review your recovery procedures and ensure your backup archives are set for the shortest possible time. It is easier to recover data from the last 24-48 hours than it is from last week.
  3. This exploit has been tied directly to the WannaCrypt or “WannaCry” ransomware payload, so the effect of this exploit is a complete system lockup of any impacted system along with the associated files and fileshares that system might have access to. It is also being reported that this attack has turned into a worm: it is self-replicating and can be executed without user input, making both the degree of impact and the next target unpredictable. Be prepared and don’t panic.
  4. Should you find yourself affected by this exploit, remove the affected system from the network immediately, wipe the system and rebuild it from archives.
  5. Take note of any inbound traffic and lock down your firewalls by blacklisting the associated source(s) as applicable.
  6. Disable SMB (ports139 and especially 445). Ensure it is not permitted into your environment from the internet.
  7. Immediately offer end-user safe browsing and email training.
  8. Issue an organization-wide communications educating staff on the situation and their roles in protecting the organization.
  9. Review policy and procedures specifically focused on disaster recovery, business continuity and incident response.
  10. Verify most recent backups of all critical systems and data.

 

What actions has Fortified taken in response?

The Fortified team has offered the following guidance to our clients in response to the WannaCry threat:

  • We are identifying potential vulnerabilities by delivering a custom on-demand report to all of our Vulnerability Threat Management (VTM) clients, noting which of their systems are vulnerable to MS17-10 (which is what WannaCry is exploiting).
  • We are providing ongoing situational awareness to our clients by sending periodic updates based on new information as it is discovered in order to keep our clients up-to-date.
  • We are conducting on-demand scanning for clients upon request to assess vulnerability both before and after patching of vulnerable systems.
  • We are offering ongoing consultation regarding best practices and guidance upon request.

The team at Fortified Health Security is ready to address all of your healthcare cybersecurity concerns. Please immediately contact us if you fear that WannaCry has impacted you or that you may be vulnerable to an attack.