21 May

Screenshot of WannaCry Infection

I’ve been asked by a few clients over the last week why they weren’t targeted by last week’s WannaCry Ransomware outbreak. Why weren’t they affected when more than 200,000 PCs in over 100 countries were encrypted and held to ransom – and are they safe going forward?

First of all I will point out that not a single one of our clients did get infected by the WannaCry Ransomware. The primary reason for this?

You trust us, listen to and act on our recommendations.

I don’t want this to come across as smug or arrogant but I do want to get across that by working with ReformIT and using the software and hardware that we recommend, you have a very high level of protection against these kinds of attacks.

It was highly publicised that WannaCry utilised an exploit found by the NSA (and stolen from them!) called EternalBlue, affecting Windows XP, Vista, 7 and 8. What wasn’t made very clear was that in order to get to the point where it could utilise that exploit to spread within a local network, it had to find a way into at least one machine first. That initial “attack vector” was in fact an email. So someone somewhere in the NHS, and in dozens of other companies around the world (it was completely indiscriminate), opened and clicked on a dodgy link or attachment sent via email. From there the virus infected its first machine and was then able to use the EternalBlue exploit to spread across internal networks, infecting multiple machines as it went and traversing VPN links to multiple offices, doctors’ surgeries for example.

The NHS has been highly criticised for having old, out-of-date Windows XP machines, and it is true that this is a factor. Using out-of-date software that no longer receives support or updates is a big security risk. There are one or two of you that still have the odd XP machine kicking around, and there is normally a very good reason for it, but in the main all of you are running supported and patched versions of Windows. We spent most of the Saturday and Sunday following the outbreak on the Friday double-checking that all our clients’ critical systems were patched and that anti-virus software was doing its job. That is the first reason why you didn’t get WannaCry.

There was something that could have saved the NHS and all the other companies that got WannaCry – and that’s good anti-virus software. I think almost without exception you have all taken our recommendation to use ESET Anti-Virus. Had the NHS used ESET, WannaCry would not have got in even though they were running Windows XP. ESET had in fact updated its software several weeks earlier to prevent anything taking advantage of the EternalBlue exploit, even on unpatched machines. They were one of only 3 anti-virus companies to have done this. The NHS use Sophos Anti-Virus, and they were one of the rest that didn’t!

I’ve been selling and recommending ESET for 15 years – your decision to trust that recommendation is the second reason you didn’t get WannaCry.

On our recommendation, many of you have taken the decision to install Cisco Meraki firewalls with the additional Advanced Security features that this brings to the gateway of your network. Within 90 minutes of the virus being detected on Friday, Cisco had sent an update to your firewall to block it. Their Advanced Malware Protection grid had done its job, detecting the outbreak and quickly reacting to it. Effective IT security is about having layers of protection, and those of you using Cisco Meraki firewalls and ESET had at least two very effective layers of defence last week. In fact you had better security than the NHS, Renault, Telefonica and FedEx, to name but a few very large organisations who got hit. This is the 3rd reason you didn’t get WannaCry.

Also on our recommendation, many of you have moved over to Microsoft Office 365 for email. This is a very smart move when it comes to email security, as Microsoft respond and react very quickly to outbreaks like this. They can spot hundreds or thousands of dodgy emails flooding into their systems very quickly and often remove them before you even see one. Managing tens of millions of mailboxes has significant advantages, and the visibility that gives Microsoft is a huge advantage to those of you using their systems. This would be the 4th reason you didn’t get WannaCry.

I also believe that our clients are a very intelligent bunch and that the vast majority of you can spot a dodgy email these days. The final line of defence is the human being that decides not to click on the dodgy email or its attachment in the first place. If you did see one on Friday (or Monday when you came back in) and just hit Delete – well done. That was the 5th reason you didn’t get WannaCry.

Now every incident like this is a chance to learn, and I have found that we can do things better going forward. Whilst the vast majority of our clients’ systems were patched, some were not completely up to date until we got to them over that weekend, and we are improving our systems to ensure that process is more robust going forward.

It is also worth saying that this is probably a very dangerous post to write – I am tempting fate! No IT security system is 100% safe, and regardless of how many layers of defence you have, something can always find a way through. We and our security partners like ESET, Microsoft and Cisco have to get it right all the time; an attacker only has to get it right once.

However, last weekend there were no tears, and WannaCry was defeated by every single ReformIT client.

Thank you for working with us – I think we make a pretty good team!

Neil Smith

Director

ReformIT

Useful links relating to the above:

ESET Business Software

Cisco Meraki Security Appliance

Office 365 Anti Malware Features