May 16, 2017
Photo - CyberSecurity Malaysia CEO Dato' Dr Amirudin bin Abdul Wahab's keynote included warnings of impending state level and critical infrastructure attacks at Computerworld Malaysia's 11th Security Summit (20 April 2017).
(For recorded incident status updates, see the footer of this article.)
Following reports on 13 May 2017 in various news media of a major global ransomware attack affecting about 99 countries, including the UK's NHS (National Health Service), CyberSecurity Malaysia has issued a national alert.
According to a BBC report, the attack exploited a vulnerability in Microsoft Windows for which the US NSA had developed an exploit, known as EternalBlue.
When contacted earlier this morning (Saturday, 13 May 2017), CyberSecurity Malaysia's chief executive officer Dato' Dr Amirudin Abdul Wahab said to Computerworld Malaysia: "MyCERT has not received any report of infections in Malaysia yet: We are continuing to monitor the situation closely."
Dr Amirudin said the ransomware "uses a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents to infect Windows PCs and encrypt their contents before demanding a ransom for the key to decrypt the encrypted files."
"The co-ordinated attack had managed to infect large numbers of computers across the health service around the world after it was first noticed by security researchers on 12 May 2017, in part due to its ability to spread within networks from PC to PC," he said. Microsoft had issued a patch in March of this year but many computer systems may not have been updated.
Shortly afterwards, the national digital security specialist agency issued an official alert statement on the ransomware attack known as 'WanaCrypt0r 2.0'.
How the exploit works
CyberSecurity Malaysia first singled out ransomware as a major threat vector two years ago and issued a national alert on it last year. In 2015, the agency said it was continuing to build up cybersecurity and ransomware preparedness [see - CyberSecurity Malaysia gears up to tackle ransomware].
In a recent exclusive interview [see - Malaysia at risk: CyberSecurity Malaysia chief covers espionage and state level attacks ] and later as keynote speaker at this year's Computerworld Malaysia Security Summit, Dr Amirudin had warned of impending state level and critical infrastructure dangers.
"The ransomware attack used an SMB exploit leaked by the Shadow Brokers," Dr Amirudin explained in the official statement. "The malware may spread to vulnerable systems through a security hole in Windows that has been recently patched by Microsoft. In view of this attack, we have recently released an advisory alert to highlight steps and suggestions to address Shadow Brokers exploits."
"Currently, CyberSecurity Malaysia is monitoring the situation of the ransomware attack in Malaysia and will take necessary action by providing technical assistance to the affected organizations and individual users on remediation and prevention through our Cyber999 service," he added.
What should be done?
"In the meantime, we would like to urge system administrators to patch their systems as soon as possible and keep their users aware of the new ransomware in order to prevent them from opening suspicious emails/files," said Dr Amirudin.
Today's alert includes the following recommendations:
System administrators and internet users may take the following preventive measures to protect their computer from ransomware infection:
i. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline;
ii. Maintain up-to-date anti-virus software;
iii. Keep operating system and software up-to-date regularly with the latest patches;
iv. Do not follow unsolicited web links in email;
v. Be extra careful when opening email attachments;
vi. Follow best and safe practices when browsing the web.
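The alert's patching advice is the point where an administrator needs a concrete check. The PowerShell script below is an added example, not part of the CyberSecurity Malaysia alert or of this article: it audits a list of Windows hosts for the March 2017 update that closes the SMB hole WanaCrypt0r 2.0 spreads through (Microsoft bulletin MS17-010) and reports whether SMBv1, the protocol version the leaked exploit targets, is still enabled. The hostnames are placeholders, it assumes WinRM access with local administrator rights on the targets, and the KB numbers are the ones published for MS17-010 as recalled here and should be checked against the bulletin for your own estate.

```powershell
# Added example (not from the CyberSecurity Malaysia alert or the article):
# audit Windows hosts for the MS17-010 fix and for SMBv1 exposure.
# Assumptions: WinRM is enabled on the targets and the caller has local
# administrator rights on them; hostnames passed in are placeholders.

param(
    [string[]]$ComputerName = @('localhost')
)

# KB numbers that carry the MS17-010 fix, by product. A host needs only one
# of these. Verify the list against the bulletin before relying on it.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Vista / Server 2003 / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606',               # Windows 10 1507
    'KB4013198',               # Windows 10 1511
    'KB4013429'                # Windows 10 1607 / Server 2016
)

$audit = {
    param($Kbs)
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    $installed = Get-HotFix |
        Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    # On Windows 10 later cumulative updates supersede the March KBs, so an
    # empty $installed there means "check the build", not proof of exposure.

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: SMBv1 is governed by a registry value;
        # when the value is absent the protocol is enabled.
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
             -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os
        Ms17010Kb   = ($installed -join ',')
        Smb1Enabled = $smb1
        # Unpatched and still speaking SMBv1: reachable by EternalBlue.
        Exposed     = (-not $installed) -and $smb1
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -eq 'localhost') {
        & $audit $Ms17010Kbs
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $audit -ArgumentList (,$Ms17010Kbs)
    }
}
$results | Format-Table -AutoSize

# Remediation for hosts flagged Exposed: install the update, and disable SMBv1
# (which the exploit requires) rather than waiting for the next patch window.
# Windows 8.1 / Server 2012 R2 and later:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Windows 7 / Server 2008 R2 (takes effect after a reboot):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0
```

Run it as `.\Audit-Ms17010.ps1 -ComputerName srv01,srv02` from a workstation that can reach the targets over WinRM. Disabling SMBv1 is listed alongside patching because it removes the spreading path even on machines that cannot take the update immediately, which is exactly the case the alert's "spread within networks from PC to PC" warning is about.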
Ransomware is malware that blocks access to a computer or its data and demands money to release it, added the alert. When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files and threatens to destroy the information if it is not paid, often with a timer attached to ramp up the pressure. Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.
Ransomware does not only target home users; businesses can also become infected, with negative consequences including:
- Temporary or permanent loss of sensitive or proprietary information;
- Disruption to regular operations;
- Financial losses incurred to restore systems and files; and
- Potential harm to an organisation's reputation.