What is ransomware and what does the virus do?
Ransomware is a type of virus, or malware (malicious software), that is usually delivered as an attachment to an e-mail. The e-mail may appear to come from a known sender, and the attached files will purport to be commercial documents such as invoices, credit notes, shipping notices and/or receipts. Once the user double-clicks on the attachment to open it, the system becomes infected. In the majority of cases the user will see no response to opening the attachment; it will appear that nothing has happened. The ransomware will then encrypt any known file types (Word, Excel, Sage, etc.) it can find, both on the local computer and across any network shares. The malware creators will then demand a 'ransom' payment to decrypt the files and restore your access.
In this instance, the malware also takes advantage of a vulnerability in the Microsoft Windows operating system that was identified in March 2017, allowing the malicious code to spread rapidly across your network and infect other systems. A single point of entry therefore has the potential to infect an entire network in a very short space of time.
What has been done so far?
When the vulnerability in Microsoft Windows was identified in March 2017, Microsoft quickly released a security patch that removes this potential exploit. Whilst this patch will do nothing to prevent infection of your local computer should you inadvertently open a malicious attachment, it will prevent the malicious code from spreading across the network and isolate it to a single workstation. In the case of recent newsworthy infections such as NHS England, many users are still using very old versions of Microsoft Windows XP, which Microsoft no longer supports, and as such no patch was released for this version of the operating system.
All of our customers use enterprise-grade anti-virus and security software. This software has identified, and will continue to identify, ransomware e-mails en route into your organisation and delete them before they reach you. In some cases, where the malicious intent of an e-mail cannot be wholly determined, the e-mail is delivered to you but the attachment is removed as a further precaution.
In the majority of cases, and in line with our best-practice documents, no user has administrative access to their workstation. This prevents you from installing software without first calling our helpdesk to have the installation authorised by means of an administrative password. In the majority of cases this safeguard will also prevent the malware from executing even if a user opens it; however, this is a final line of defence and, depending on the malware, may not always succeed.
What can I do?
Whilst we approve and deploy updates from Microsoft, including the March 2017 security update mentioned above, the installation of these updates is handled by your local workstation. As such, you should ensure that you have no pending updates waiting to be installed. You can check this by looking for an icon in the bottom right corner of your screen (alongside the time/date) informing you that updates are ready to install. If clicking on this shows that you have updates waiting to be installed, please click the install button and restart your computer when prompted.
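As an added example (not part of this advisory), the following PowerShell script lets a user or technician check the points above on a workstation: whether the logged-on account is a local administrator, which security updates have been installed since March 2017, whether any updates are still waiting to be installed, and whether the Windows version is one that no longer receives patches. It assumes Windows 7 or later with PowerShell available and needs no administrative rights.

```powershell
# Added example, not from the advisory: workstation readiness check.
# Assumes Windows 7 or later; runs in an ordinary user session.

# 1. Is this account a local administrator? The advisory expects ordinary
#    users not to be, so 'True' here is worth reporting to the helpdesk.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Logged-on user is a local administrator: $isAdmin"

# 2. Which updates have been installed since March 2017? The March 2017
#    security update the advisory refers to should appear in this list.
$cutoff = Get-Date -Year 2017 -Month 3 -Day 1
"Updates installed since $($cutoff.ToShortDateString()):"
Get-HotFix |
    Where-Object { $_.InstalledOn -ge $cutoff } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# 3. Are there updates available but not yet installed? This uses the
#    Windows Update Agent COM API, so no extra modules are required.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($result.Updates.Count -eq 0) {
    "No pending updates: nothing to install."
} else {
    "$($result.Updates.Count) update(s) waiting to be installed:"
    foreach ($u in $result.Updates) {
        "  - $($u.Title)"
    }
    "Install these from Windows Update and restart when prompted."
}

# 4. Unsupported operating system? Windows XP (version 5.x) received no
#    patch, so flag anything older than Windows Vista (6.0).
$ver = [Environment]::OSVersion.Version
if ($ver.Major -lt 6) {
    "WARNING: Windows version $ver is no longer supported; contact the helpdesk."
}
```

Step 3 may take a minute or two on a workstation that has not contacted Windows Update recently, as the search contacts the update service.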
If you have off-site backup that uses removable/swappable backup disks, ensure your backup disks are being changed at the required schedule. In the event of an organisation-wide infection we will rely upon the most recent off-site backup to recover corporate data. We will continue to monitor backup jobs daily and notify you should a backup fail for any reason.
This malware, along with many others like it, relies upon an end user downloading and/or opening the malicious file. As we always recommend, and with added importance from today, users should remain vigilant and treat e-mails with suspicion unless they are certain of their authenticity, especially if the e-mail contains file attachments.
- If the e-mail is from an untrusted or unknown sender, avoid opening any attachments without first verifying their authenticity.
- Always pay close attention to the language used in the e-mail, including any spelling mistakes and unusual localisation (for example, American spellings or date formats from a supposedly UK sender).
- Always ask yourself whether the sender would/should be e-mailing you this information. For example, if you are not in the accounts department would you be expecting to receive invoices/credit notes? Similarly, if you do not or have not used a courier such as FedEx, would you be expecting a shipping notice from them?
- If in any doubt, delete the e-mail. If it is legitimate, the sender will no doubt follow up with you; better a delayed response to a single e-mail than an organisation-wide outage caused by opening the attachment.
You, the user, are the best form of defence against this threat. An infection of a network will always start with a user downloading or opening the malicious attachment. Please be extra vigilant during this time of high risk.
Further assistance can be obtained by contacting the IT Helpdesk either by e-mail to firstname.lastname@example.org or by calling 0345 521 0618 (select option 2 for support).