WannaCry Commentaries - Part 1

1.) Acronis

Nikolay Grebennikov, VP of Engineering

“People and businesses hear ‘ransomware’ and think such an attack can’t happen to them. The fact is that it can, and in fact, just today – Telefonica was hit by a very aggressive version of the Wcry ransomware. 47 percent of businesses were under ransomware attacks last year and that’s growing. Just look at Telefonica for the latest proof. The real question businesses, hospitals and telcos should be asking themselves is how can I protect myself from a ransomware attack that is seemingly inevitable. The answer – a reliable backup solution that includes active protection against ransomware attacks. Acronis Backup 12 Advanced and Acronis Active Protection can prevent damage from such ransomware and this solution is available for businesses today.”

“47% of businesses were under ransomware attacks last year. As witnessed by Telefonica and recent bank attacks in Spain and the UK, the threat is growing. Shutting down computers is one short-term solution but won’t help. Only an integrated solution, combining backup (passive) and proactive security (active) technologies, working together in one product, provides data recovery in any situation. With such sophisticated ransomware, you can’t have limitations on size of the files, number of files.”

“Thankfully for companies, that solution exists today with Acronis Active Protection, which actually detected this virus and is able to stop it. Backup procedures are must-have business continuity management in companies who want to be protected.”

2.) Commvault

Matthew Johnston, Area Vice President, ASEAN & Korea, Commvault

Based on our experiences working with companies around the world, we've developed a list of best practices to protect and recover from ransomware attacks.
  • Develop a program that covers all your data needs. You must identify where your critical data is stored, determine your workflows and systems used to handle data, assess data risks, apply security controls, and plan for evolving threats. If it is not protected, it cannot be recovered.
  • Use proven data protection technologies. You need solutions that detect and notify of potential attacks, leverage external CERT groups, identify and prevent infection, maintain a 'GOLD' image of systems and configurations, maintain a comprehensive backup strategy and provide a means to monitor effectiveness.
  • Employ Backup and Data Recovery (DR) processes. Don’t rely solely on snapshots or replica backup. Your backup process data could just as easily be encrypted and corrupted if it is not stored in a secure way where a ransomware attack. If your process or vendors don’t offer ransomware protection that addresses the proper way to store your data, then your backup plan is at major risk!
  • Educate employees on the dangers of ransomware and how to secure endpoints. Ransomware invasions often originate through endpoints, such as desktop computers, laptops, smart phones, tablets or fringe computing resources. Educating your staff is key. The security of an organization is only as strong as your weakest link. Train your staff on all data recovery and security best practices to get endpoint data protected within your Information Security Program. The strength of an organization lies in your weakest link, with most breaches arising from simple human error.
  • Assess and update any business applications
    Most organizations suffer from key business applications that run on older, sometimes unsupported and unpatchable operating systems, which lack the necessary security updates to stop the spread of potential attacks. To combat this, businesses must invest in a data platform that covers core enterprise, private and public cloud environments and extends to endpoint protection. One that can store immutable, up-to-date copies of all these environments to ensure the ability to recover rapidly - should disaster strike.

3.) Kaspersky

3.1) Kaspersky Lab’s statement on possible connections between WannaCry and Lazarus Group

On Monday, May 15, a security researcher from Google posted an artifact on Twitter potentially pointing at a connection between the WannaCry ransomware attacks that recently hit thousands of organizations and private users around the world, and the malware attributed to the infamous Lazarus hacking group, responsible for a series of devastating attacks against government organizations, media and financial institutions. The largest operations linked to the Lazarus group include: the attacks against Sony Pictures in 2014, the Central Bank of Bangladesh cyber heist in 2016 and a subsequent series of similar attacks continued in 2017.

The Google researcher pointed at a WannaCry malware sample which appeared in the wild in February 2017, two months before the recent wave of attacks. Kaspersky Lab's GReAT researchers analyzed this information, identified and confirmed clear code similarities between the malware sample highlighted by the Google researcher and the malware samples used by the Lazarus group in 2015 attacks.

According to Kaspersky Lab researchers, the similarity of course could be a false flag operation. However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday. This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.

Although this similarity alone doesn't allow proof of a strong connection between the WannaCry ransomware and the Lazarus Group, it can potentially lead to new ones which would shed light on the WannaCry origin which to the moment remains a mystery.



On Wednesday, 17th May, Kaspersky Lab is teaming up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the WannaCry ransomware. The malware has primarily affected business networks, and has claimed victims around the world in a wide range of industries. Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on how the ransomware breaches defenses and the subsequent stages of attack. They will independently explain how organizations can determine if they have been infected and the critical actions they need to take to secure networks and endpoints against this threat.

The webinar will take place on Wednesday, 17 May, at 10.00 PM – Malaysian Time

To join the webinar please click this link.

4.) Pikom

In view of the alarming spread of the WannaCry Ransomware cyber attack, the National ICT Association of Malaysia (PIKOM) is advising all to stay vigilant and exercise the necessary precautions against being victims of this malicious security risk.

To date, PIKOM has neither received any reports/alerts from our 1,000 plus members that they have been hit by WannaCry Ransomware, nor have any members reported that their clients have been issued a ransom.

Chin Chee Seong, PIKOM Chairman

“A company should plan a good cyber security defence which will involve a proper business risk assessment; installation of appropriate IT security policy and procedures; deploying the right security technologies; ensuring compliance, constantly monitoring the environment, educating the employees, alerting and responding to security incidents quickly; and conducting forensic and root cause investigation. Malaysian companies cannot take a 'wait and see' attitude any more,” said Chin Chee Seong, PIKOM Chairman.


5.) AOMEI

By Doris Li, Marketing, AOMEI.

At AOMEI, we recommend consumers the AOMEI Backupper Free software.

It would be a great helper for all users. They can back up all their important files, system or entire disk to a safe external hard disk to ensure their data is secure. What is more, even if a computer has already been infected with Ransomware, they can still use it to create image files in System Backup, Disk Backup, Partition Backup, not only to prevent more serious data loss caused by misoperation or a new mutation of Ransomware, but also to “freeze” the countdown of Ransomware.

6.) Sophos

It was a difficult Friday for many organizations, thanks to the fast-spreading Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe.

The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

Global IT security firm Sophos would like to share the following regarding the Wanna Decrypter 2.0 ransomware attacks.

Sophos has issued an update to protect customers against the Wanna Decrypter 2.0 Ransomware that affected businesses on Friday, May 12. Sophos can confirm that Intercept X will actively block infection and remediation steps will be required to remove the malicious code. Please visit the Knowledge Base Article (KBA) at https://community.sophos.com/kb/en-us/126733 for details. This KBA will be updated with further details, and we recommend you check back regularly.

Sophos has also published a story with advice on how to stop ransomware on Naked Security here: https://nakedsecurity.sophos.com/2017/05/12/wanna-decrypter-2-0-ransomware-attack-what-you-need-to-know/