A single-word headline, and everyone in the IT industry in 2017 should know instantly what we’re going to talk about.
WannaCrypt is a ‘ransomware’ worm that has shut down IT systems in many countries over the past few weeks.
The Role of Windows XP in 2017
The code was stolen from the US National Security Agency (NSA). It takes advantage of a vulnerability in Windows versions from XP upwards. The later, supported versions had updates pushed to them before WannaCrypt was released. However, Windows XP is out of support and patches aren’t routinely released for it. Also, Windows XP patches aren’t automatically installed to the operating system, unlike in the later releases of Windows. This is why Windows XP was the most vulnerable system. The other systems might still have been vulnerable in corporate estates that don’t release patches to their users very quickly, but there was protection available for them in advance of the ‘malware storm’ happening.
The reasons people are still using Windows XP are complex and have to do with cost and with the type of system in use. For example, XP was in use much longer in embedded systems than in mainstream PCs. If one of Sainsbury’s self-checkout tills falls over, watch it boot up – they run XP! Silverstring aren’t here to provide the IT strategy for businesses; we’re here to protect the data for businesses, whatever they’re using (although there are limits!).
Once the NSA code was stolen, criminal hackers looking to make money from infecting systems with the malware added further instructions to it. This part of the code is the bit that causes the huge issue when systems are infected. The headline effect is the encryption of data on computers. This makes it totally inaccessible to the users, unless they pay the ransom cost. Once this is paid the hackers provide the key to unlock the encryption: you decrypt, patch the hole in your system that let them in and away you go.
How safe are your backups?
Surely though, if you’re backing up your systems, you’re safe – so corporates and the NHS must have been restoring from backups, right?
Well, that depends on the type of backup and what your disaster recovery (DR) plans are. One of the biggest trends in backup or standby systems over the past few years has been the move away from tape. This is understandable because tape purchase, movement and storage can be big costs to a business. What have people done instead though?
One of the most common changes to estates which need disaster recovery capability is to switch to having two data centres, with replication between them: if one is taken out, you can switch to the other. WannaCrypt appears to have been designed to counter that method of protection.
If you back up to tape for disaster recovery (or to the cloud, if you’re progressive) then once the backup, or the replication of the backup data, is taken, the location of the secondary backup is not connected to the primary site. There is what is referred to as an ‘airgap’. In replicated systems the two locations remain connected continuously. It’s one of the big features of such a system – if one location goes down, the other is there virtually instantly, but there is no airgap.
This fast recovery has led people to cancel their tape backups and stop using expensive cold storage for tape media etc. There were savings to be made there and the risk wasn’t too big!
The problem is that the WannaCrypt hackers knew replicated systems with recovery snapshots being taken might be in use. Once a system was infected, along with encrypting files, WannaCrypt also deleted volume snapshots – the data used by replicating systems to provide the recovery. For good measure it also removed the remote access keys and disabled system repair tools, too.
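One way to watch for the snapshot deletion and repair-tool tampering described above, as an added example that is not part of the original article: a Python check over process-creation events that flags hosts where two or more recovery-removing commands run within ten minutes. The log format, host names and sample lines are constructed; vssadmin, wmic, wbadmin and bcdedit are standard Windows utilities.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows commands that remove local recovery options.
RULES = {
    "shadow_delete_vssadmin": r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b',
    "shadow_delete_wmic": r'\bwmic(\.exe)?"?\s+shadowcopy\s+delete\b',
    "backup_catalog_delete": r'\bwbadmin(\.exe)?"?\s+delete\s+catalog\b',
    "recovery_disabled": r'\bbcdedit(\.exe)?"?\s+/set\b.*\brecoveryenabled\s+no\b',
    "boot_failures_ignored":
        r'\bbcdedit(\.exe)?"?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b',
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed sample events, one per line: ISO timestamp|host|command line.
SAMPLE_LOG = r"""
2017-05-12T09:00:05|OPS-SRV1|vssadmin.exe Delete Shadows /for=C: /oldest
2017-05-12T09:14:02|FIN-PC07|vssadmin list shadows
2017-05-12T09:31:40|FIN-PC07|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & wbadmin delete catalog -quiet
2017-05-12T09:40:00|HR-PC02|"C:\Windows\System32\wbadmin.exe" start backup -backupTarget:E: -include:C: -quiet
2017-05-12T10:02:11|WEB-SRV3|wmic  shadowcopy delete
2017-05-12T10:05:30|WEB-SRV3|bcdedit.exe /set {default} recoveryenabled No
2017-05-12T16:40:00|OPS-SRV1|bcdedit /set {current} recoveryenabled no
"""

def match_rules(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))

def parse(log_text):
    """Yield (timestamp, host, command line) for each non-empty log line."""
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, cmd = line.split("|", 2)  # the command itself may contain "|"
        yield datetime.fromisoformat(ts), host, cmd

def hosts_losing_recovery(log_text, window=timedelta(minutes=10), threshold=2):
    """Map host -> rules, where >= threshold distinct rules fire within window."""
    hits = defaultdict(list)
    for ts, host, cmd in parse(log_text):
        hits[host].extend((ts, rule) for rule in match_rules(cmd))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            rules = {r for t, r in events if timedelta(0) <= t - start <= window}
            if len(rules) >= threshold:
                flagged[host] = sorted(rules)
                break
    return flagged

if __name__ == "__main__":
    for host, rules in hosts_losing_recovery(SAMPLE_LOG).items():
        print(host, rules)
```

OPS-SRV1 is left unflagged because its two hits are hours apart and administrators do prune snapshots; set `threshold` to 1 for hosts where no such housekeeping is expected.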
Silverstring have customers who use replication as part of their data protection landscape – it’s a fantastic tool for ensuring your critical systems can be up and running at all times. We also recognise that if those systems are genuinely critical, you need an airgap between those systems and a current set of your data, to ensure it is properly protected.
What should you be thinking about in the wake of WannaCrypt?
Aside from waking up, exposing vulnerabilities and kicking the owners of obsolete systems down the road towards systems that are in support, what effect will the WannaCrypt incident have?
One of the biggest things coming out of the WannaCrypt ransomware incident is that businesses need to consider what constitutes a disaster to them.
Is it the loss of a physical datacentre?
Is it the loss of an operating location?
Is it the loss of just data?
And finally, how quickly can you recover from any of these disasters?
Unless you can answer the above questions with confidence, now might be a good time to consider them properly. A free initial Disaster Recovery as a Service clinic with one of Silverstring’s consultants will enable you to do that, with data protection experts who know how to mind the air gap.