As of Friday 12 May 2017, multiple variants of a ransomware named WannaCry have been spreading globally, affecting hundreds of thousands of users, organizations, including users in the European Union. It is understood that the cyber attack is focussed on Microsoft Windows based operating systems.
Udo HELMBRECHT, Executive Director of ENISA, said “as the European Cybersecurity Agency, we are closely monitoring the situation and working around the clock with our stakeholders to ensure the security of European citizens and businesses, and the stability of the Digital Single Market. We are reporting on the evolution of the attacks to the European Commission and liaising with our partners in the European Union CSIRT Network”.
ENISA and several European Member States are currently working together to assess the situation at European level. A dedicated taskforce has been set up at ENISA to support what is the first ever case of cyber cooperation at EU level in that the EU Standard Operating Procedures, developed by ENISA and the Member States, are currently being used to this end.
What makes this event unusual is that this attack impacted many organisations across the world in short period of time. Recent estimates, at this point in time, suggest that approximately 190,000 computers in over 150 countries have been affected. European Critical infrastructure operators (health, energy, transport, finance and telecoms), manufacturers and service providers have been affected.
This malware also affected computers used for dedicated tasks such as robotics, information display systems or medical scanners. A number of car manufacturing plants in the UK, France, Romania and Slovenia have already indicated that their production lines are affected by this malware.
The ransomware prevents access by encrypting multiple common file types such as documents, images and videos, asks for a ransom and distributes automatically. The key characteristic of this attack is a fast propagation leveraging a known critical vulnerability affecting Microsoft Windows systems, exploited by the ransomware without user interaction.
ENISA understands that at this point in time users who are using the latest version of the windows operating system and have their software up to date are not affected by this attack.
Users affected by ransomware are generally presented with a message on the screen indicating that their computer systems and or files have been blocked and that the files will be unblocked if a ransom is paid.
Payment is often requested to be made using bitcoin as an attempt to effect a money transfer in an anonymous way.
This type of cyber-attack does not generally involve the stealing of personal data.
The compromise can be displayed in a number of ways including
- Not being able to access your files
- Access to certain operational programs being blocked
Analysis of the malware by ENISA, indicates that different encryption keys are generated for different files. In this regard the malware is relatively sophisticated. ENISA’s experts continue to analyse the ransomware to advise Member States in order to raise awareness of this particular case.
Ransomware attacks are generally successful when an internet user opens an email with an attachment containing malware. Other methods involve a web users visiting a compromised web site where activating a link on the web site can result in malware being downloaded onto the user’s computer.
In this particular case the infection vector involves targeting vulnerable computers with identified open ports. No action was required by the user to become infected.
If your systems have not been hit by the ransomware, you are recommended to apply the following actions as soon as possible:
- Back-up your files
- Patch your system with the latest Microsoft’s patch
- Update your Antivirus to the latest version
- Consider adding a rule on your router or firewall to block incoming traffic to ports that are not necessary.
As with all types of security there is no guarantee and users are recommended to follow best practice to minimise the risk of attack.
Users are advised that payment of the ransom does not guarantee that the user will receive the code to decrypt their files or that their computers will be restored to its proper function. Affected users are advised to seek expert assistance and to contact law enforcement personnel to report the crime.
For more information:
Check out ENISA’s technical note: WannaCry Ransomware Outburst