Important update about WannaCry ransomware

As you have undoubtedly heard from the news this past weekend, a ransomware campaign ("WannaCry") is affecting various organizations with hundreds of thousands of infections in over 100 countries worldwide.

ITS pushed out a security patch to tagged and managed computers last month that protects them from this attack. As of Monday morning, ITS has not observed any successful attacks resembling the "WannaCry" ransomware at WCM. We remain vigilant and have been coordinating our response strategy with various peer institutions locally and throughout the country.

Additional information about the attack and how you can protect yourself is provided below.

FAQs about WannaCry 

What is the WannaCry Attack?
Ransomware is a type of malicious software that blocks access to data until a ransom is paid to unblock it. WannaCry is an exploit based on a National Security Agency tool called EternalBlue, which was leaked by a group called the Shadow Brokers earlier this year. This attack was discovered the morning of May 12, 2017, most notably when hospitals in the United Kingdom were affected. It has spread worldwide, affecting more than 200,000 computers.

How is this spreading?
The ITS Security team subscribes to several intelligence and communications feeds to stay abreast of the latest developments. Initial research has not established how the "WannaCry" ransomware is spreading, though reports of attachments in phishing emails are circulating. The ransomware spreads by exploiting a prior vulnerability in all Microsoft Windows operating systems. This vulnerability was present on all versions of Windows, including Windows XP and Windows servers.

Are we at risk?
Microsoft released a security patch in March, and this was applied to ITS-tagged and managed computers last month, protecting them from this attack. Laptops and desktops configured with SCCM will have already received this update; servers maintained by ITS have also been patched. Our next-generation anti-virus software, CrowdStrike, is also capable of detecting this variant.

What do we need to do to stay safe?
ITS is continuing to monitor the situation closely. In the coming weeks, we will be strengthening controls around two-factor authentication, monitoring and hardening servers, and ensuring timely deployment of operating system patches across the entire institution. As a precaution, on Friday evening, we instituted a quarantine against password-protected email attachments. Our colleagues at NYP, CUMC, and Cornell Ithaca have instituted similar measures. Quarantined emails will appear in your message digest, but should only be retrieved if you are expecting something from a known sender. 

As always, keep the following tips in mind and take the following actions, where appropriate: 

  • Enroll in two-factor authentication at https://duo.weill.cornell.edu (this can help prevent adversaries from using your CWID to access certain WCM applications if your password is compromised)
  • Keep your password a secret; do not share it with anyone
  • Be mindful of plugging in flash drives, especially free or found drives
  • Be mindful of connecting to public Wi-Fi networks – use the VPN if you must use a public network
  • Ensure your WCM computer is tagged, supported, and managed by ITS
  • Keep your software and operating systems patched to the latest version and release
  • Ensure your home computer is configured with the latest operating system and antivirus software updates
