  • WannaCry: What IBM i Pros Need To Know

    May 17, 2017 Alex Woodie

    Last week’s epic WannaCry ransomware attack left hundreds of thousands of people around the world scrambling to recover their data, either by paying the cyber crooks or executing their disaster recovery plan. If you’re an IBM i professional, the question you should be asking yourself is: What if that were me?

    Companies in the United States escaped relatively unscathed from the ransomware attack, which exploited a known security vulnerability in the Windows operating system and was based on code that was “weaponized” by the National Security Agency and subsequently stolen by hackers.

    There are two main reasons for this. For starters, Americans and American companies tend to have better security than their overseas brethren, experts say. Secondly, the prevalence of old, unsupported or bootlegged copies of Windows is lower in the States than elsewhere (you can thank the Business Software Alliance for that).

    While the spread of the WannaCry virus itself is winding down – thanks in part to the quick action of a security researcher who stumbled upon a kill switch written into the virus’s source code – experts are already warning that the next ransomware attack could be even bigger. And considering that the May 12 attack is considered the biggest cyberattack ever, it’s apparent that we’re entering a new era when it comes to cybercrime.

    Ransomware Threat To IBM i

    As an IBM i professional, you may think that you’re above dealing with the problems of Windows users. But if you think that, you would be wrong. While IBM i itself is not directly susceptible to Windows viruses, its Windows-like Integrated File System (IFS) can store and distribute Windows malware to connected PCs.

    And if an IBM i user has his PC’s hard drive mapped into the IFS, then any random piece of malware that lands on the PC can squirrel its way into the IFS and do some damage, including encrypting the data stored in the native IBM i file system, says Robin Tatam, director of security services for HelpSystems.

    “There are a couple of angles through which a virus, including ransomware, can potentially impact Power Servers,” he tells IT Jungle. “The virus can spread to the IFS where it can be hosted, expanding the infection outward to connected devices. If malware is activated on a Windows desktop or server with a connection to the IFS, then there is a chance that files in the IFS can be encrypted.

    “Ransomware often deletes the original file after encryption,” he continues. “IBM i’s native file system (\QSYS.lib) does not support encrypted files, so that step will fail, but it’s entirely possible that the subsequent delete will succeed. Of course, the deletion event is likely replicated to a backup server eliminating the ability to declare a disaster and perform a role swap.”

    WannaCry’s IBM i Impact

    It’s not known if WannaCry impacted IBM i shops or encrypted data held on Power Systems-based disks. None of the IBM i security software vendors contacted by IT Jungle for this story knew of any IBM i shops being impacted, or if they did, they would not disclose it. However, ransomware attacks have been documented on the IBM i server, and the threat is seen by IBM i security experts as increasing.

    HelpSystems has seen an uptick in awareness about ransomware since Friday’s WannaCry attack. “Though they weren’t impacted, they saw this as a wake-up call and are now interested in taking action to protect themselves from future threats,” Tatam says. “Unfortunately it can take attacks like these to get people to take action.”

    The company recently shared the real-world stories of two IBM i shops that were hit by ransomware. The story starts, as most invariably do, with a user clicking on a malicious link in an email. Unfortunately, the user who clicked on the link had ALLOBJ authority and a mapped drive to a shared folder on the IFS.

    The successful phishing attack concluded when the virus encrypted half a million files stored on the IBM i shop’s IFS during a weekend. The situation grew worse when TCP services went down, nobody could sign on, and batch jobs ended. The company elected not to pay the ransom, and instead executed its disaster recovery plan. Eventually all its data was recovered, but it took nearly a month to do so.

    The second victim HelpSystems assisted elected to pay the cyber criminals their blood money instead of rolling back to a previous recovery point. The cost: $200,000 in untraceable Bitcoin, according to the vendor.

    Ounces Of Prevention

    While having the IFS contents of an IBM i server encrypted by ransomware is a definite possibility, it’s more common to see Windows servers impacted at IBM i shops, says Jim Kandrac, president of UCG Technologies. “iSeries is generally not affected. It’s usually SQL Server or other systems,” he says.

    One UCG customer was hit with ransomware on its various secondary Windows servers that fed data into its core IBM i server. “It literally brought a $100 million company down to its knees,” Kandrac says.

    Cyber criminals demanded $300 in Bitcoin to decrypt victims’ files as part of the massive WannaCry attack on May 12.

    UCG rolled out a ransomware training offering in 2015 through a partnership with KnowBe4, a Tampa, Florida, company that works with the notorious hacker Kevin Mitnick to train employees not to click on email links.

    The offering, which involves real-world testing to expose click-happy individuals, is included with UCG’s cloud-based backup services. Interest in the offering started out relatively low, but has been gaining in recent months. “Either people get it, they don’t get it, or something happens,” Kandrac says.

    Prepping For Ransomware

    Patrick Townsend, the CEO and founder of IBM i encryption specialist Townsend Security Solutions, offered IT Jungle several tips for IBM i shops to deal with the ransomware epidemic.

    “First, it is crucial to be sure that you are automatically applying updates to Windows (and Mac!) on your users’ PCs,” Townsend says. “It is one of the highest priority tasks according to many cyber security recommendations. Users access their IBM i applications from their PCs and the PC is the weak link. So fixing this first is critical.”

    And don’t overlook the importance of end user education. “Users need to be reminded that they are the first line of defense when it comes to ransomware,” Townsend says. “IBM i customers should have a user education program in place and be sure that all employees are getting and absorbing that education.”

    It’s also important to have routine backups of user PCs, he adds. “IBM i customers are good at having routine backups of their IBM i servers, but user PCs often contain important business information,” he says.

    Don’t forget to tighten up your IFS security. “Many IBM i customers have mounted IFS drives enabled by default,” Townsend says. “Ransomware sees a mounted IBM i IFS directory as just another target. You can easily lose important information on the IBM i through poor IFS security.”

    Last but not least, consider getting a Bitcoin account, which can enable you to pay the ransom in a pinch. “I know that law enforcement recommends not paying ransoms, and I think that is generally good advice,” Townsend says. “But if you are subject to a devastating ransomware attack I think you should have all options available to you.”

    In the WannaCry case, cyber thieves were charging $300 in Bitcoin to decrypt hard drives. For an organization like Britain’s National Health Service, which was hit with the ransomware as a result of its use of old Windows XP machines, paying $300 may be preferable to enacting a time-consuming DR plan.

    Shore Up IBM i Security

    HelpSystems’ Tatam adds a few more pieces of technical advice for properly configuring the security controls in IBM i.

    “First, I always recommend that an exit program be assigned to the *FILESVR exit point to restrict user (or viral!) access to IFS and the associated file systems,” he says. “This is part of an overall control that should be applied to all network services, including FTP and ODBC.”

    IBM i shops should also leverage the QPWFSERVER authorization list to limit who can access the native \QSYS.lib directory structure through the file server. “This activity is rarely required for business purposes and can prevent impact on traditional files,” he says. “Note that this control is not effective against users that have *ALLOBJ special authority.”

    Tatam also advises that profiles don’t include unnecessary access to the file systems or data. “People often think that attacks come in anonymously, but that’s rarely true,” he says. “At some point, credentials are being compromised or leveraged so ensuring that security best practices are followed for user connections, password policy, and object permissions is critical.”
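
    The three controls Tatam describes map onto a short sequence of IBM i CL commands. This is an added example, not part of the original article or any vendor's product. It assumes the file server exit point is registered under the name QIBM_QPWFS_FILE_SERV with format PWFS0100; the program SECLIB/FSRVEXIT and the profile BACKUPADM are placeholders.

    ```cl
    /* 1. Exit point: see which programs, if any, already screen file     */
    /*    server requests, then register one. SECLIB/FSRVEXIT is a        */
    /*    placeholder for an exit program you write or license.           */
    WRKREGINF  EXITPNT(QIBM_QPWFS_FILE_SERV)
    ADDEXITPGM EXITPNT(QIBM_QPWFS_FILE_SERV) FORMAT(PWFS0100) +
               PGMNBR(1) PGM(SECLIB/FSRVEXIT)

    /* 2. QPWFSERVER authorization list: it governs who can reach the     */
    /*    QSYS.LIB file system through the file server. Display the       */
    /*    current entries first. If *PUBLIC shows *USE, every signed-on   */
    /*    user with a mapped drive can browse libraries this way.         */
    DSPAUTL    AUTL(QPWFSERVER)

    /*    Tightened setting: exclude *PUBLIC, then add back only the      */
    /*    profiles with a business need (BACKUPADM is a placeholder).     */
    CHGAUTLE   AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)
    ADDAUTLE   AUTL(QPWFSERVER) USER(BACKUPADM) AUT(*USE)

    /* 3. *ALLOBJ review: the authorization list above does not stop      */
    /*    profiles with *ALLOBJ special authority, so list them and       */
    /*    remove the authority where the job does not require it.         */
    PRTUSRPRF  TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
    ```

    Run the display commands before the change commands and keep the output, so the previous QPWFSERVER entries can be restored if a legitimate job loses access.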

    Too many IBM i shops run with their systems basically wide open, which can make it easier for ransomware to spread. Following best security practices for IBM i would drastically shrink the attack surfaces that cyber criminals exploit with ransomware, which was a $1-billion business last year and looks poised to grow dramatically this year.

    RELATED STORIES

    Assessing The Ransomware Threat On IBM i

    Keeping Ransomware Out of the VAULT

    State Of IBM i Security: Seven Areas That Demand Attention


    One thought on “WannaCry: What IBM i Pros Need To Know”

    • Sheldon Reich says:
      May 17, 2017 at 9:55 am

      Great article, Alex. Lots of important info here.


TFH Volume: 27 Issue: 34
