Security expert gives advice following latest ransomware attack
Scott Manson, Cyber-Security Leader for Middle East and Turkey Cisco


Interview with Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco

Cisco’s security research organisation Talos’ initial analysis of the global ransomware worm attack, which has affected multiple organisations worldwide, points to the attack starting in Ukraine.

There have been other reports of this attack appearing in France, Denmark, Spain, the UK, Russia and the US.

Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known EternalBlue vulnerability, similar to how last month’s WannaCry attack unfolded.

What’s clear from this, and recent attacks, is that organisations must prioritise patching systems to lower their risk profile.

What can you tell us about the attack?

  • We have seen the second ever ransomware worm, coming on the heels of WannaCry last month.
  • This ransomware outbreak has affected multiple organisations in several countries. Cisco’s security research organisation Talos is actively investigating this new malware variant.
  • This new ransomware variant encrypts the master boot record (MBR) of a system. Think of the MBR as the table of contents for your hard drive – clearly very important.

What is ransomware?

  • A type of malware that locks down your computer/system and takes control/encrypts your data and demands a ransom.

What is bitcoin?

  • A cryptocurrency used online.
  • Bitcoin is not controlled by any one government or state.
  • Because it allows for anonymity, it is ideal for attackers.

Do we know what organisations were impacted?

  • Reported victims so far include Ukrainian infrastructure like power companies, airports, public transit, and the central bank, as well as Danish shipping company Maersk, pharmaceutical company Merck, the Russian oil giant Rosneft, and institutions in India, Spain, France, the United Kingdom, and beyond.

How is this different to WannaCry? Is there a ‘killswitch’ for this attack?

  • This ransomware doesn’t seem to incorporate the errors that hindered WannaCry from spreading. Specifically, this attack doesn’t seem to have a kill switch function. It is also harder to detect since it moves within a network.

Who is responsible for this attack?

  • Attribution is difficult in attacks like this.
  • Cisco is focused on understanding the attack and protecting our customers.

What is Cisco’s recommendation for customers to protect against this?

  • Ensure your organisation is running an actively supported operating system that receives security updates.
  • Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
  • Run anti-malware software on your system and ensure you regularly receive malware signature updates.
  • Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.
  • If vulnerabilities aren’t patched, an organisation will continue to be at risk for infection by this ransomware.