As widely reported in the press over the weekend, a new ransomware threat named “WannaCry” has impacted Windows machines (workstations and servers) around the globe. Due to better Windows update compliance, systems in the US have been less impacted than international systems. This threat only impacts select Windows systems and does not impact Apple iOS systems.
“WannaCry” is initiated when a user responds to a phishing email by opening and executing an attachment to that email. Once it executes, it encrypts files on the affected local computer and shared drives. The user is then asked to pay a ransom to recover the files. To add insult to injury, the “WannaCry” malware spreads aggressively: it behaves like a worm and attempts to infect other vulnerable, unpatched machines on the network. As far as we know, the format of the phishing email is not consistent, but the underlying Windows vulnerability only impacts unpatched Windows XP, 7, and 8 systems, as well as Windows Server 2003 and 2008 Editions. Windows 10 PCs patched in March of this year are not affected by this attack.
UMass Boston Windows XP systems are rare and are believed to be offline, as they do not show up on ITS Qualys scans. If you have an XP system and would like us to help you upgrade, please send an email to ITSecurity@umb.edu and the ITS Security team will respond as soon as possible.
Windows 7 & 8 systems that are current on patching updates are not vulnerable. This includes all workstations supported by the ITS KACE workstation management service, as well as those in some departments that have similar services.
For systems that are not current on updates and where the user has fallen for the phishing attempt, several actions may occur.
- The system’s hard drive and associated network shared drives may be encrypted by running the attachment. In this case, the user is presented with a message that, until a ‘ransom’ is paid, the user will not be able to access the data on the encrypted drive(s).
NOTE: UMass-wide IT Security Policies prohibit the payment of ransom. Should a user receive a ransom demand, he or she should not respond to it and should immediately contact IT Security by emailing ITSecurity@umb.edu or by calling Wil Khouri, UMass Boston Information Security Officer, at 617-287-6232.
- The infected system may scan additional systems on the UMass Boston network for the underlying vulnerability. Those vulnerable systems may then be encrypted and the ransom notification presented to their user(s).
UMass Boston’s best defense against this, and all malware, is an educated and vigilant user community that recognizes these threats, reports them to ITSecurity@umb.edu, and deletes the offending email.