Could Ransomware Like WannaCry Hit IBM i?

The recent proliferation of the WannaCry ransomware has changed the face of this growing form of computer threat in for several reasons:

1. WannaCry represents a new evolution of ransomware that not only damages the infected host but also acts as a "worm" that actively attempts to infect any other reachable device. This resulted in exposure of backend systems, including UK hospital computers connected to MRI scanners, as well as infection of advertising billboards and unattended parking kiosks which are often unpatched and running on an outdated—and unsupported—OS.
2. Ties to Lazarus, a suspected elite hacking group from North Korea are now being suggested. If determined to be true, this might be the first example of a widespread cyberattack involving a nation-state. Unlike the recent launch of military missiles in North Korea, a state-sponsored cyber-attack is not likely to elicit a military response.
3. Blame is also being attributed to U.S. intelligence agencies for hoarding the knowledge of hundreds of known exploits, not to mention their dismal failure at preventing highly-classified information about these vulnerabilities from getting into the hands of criminals.  

This discussion won’t specifically focus on WannaCry other than to reiterate that it is an exploit of older versions of Windows using an attack vector that was revealed during a breach of the aforementioned government agencies. It was also quickly patched by Microsoft.

The three-part lesson there is quite simple:

• Stay current on OS versions whenever possible
• Implement security patches as soon as they become available
• Maintain a good anti-virus solution 

Oh, and educate users more formally why they should never click on an unsolicited attachment or a hyperlink and why comprehensive backups are critical.

Instead, we will focus on how this type of attack may impact those running the uniquely-architected IBM i operating system.

Ransomware on IBM i

Argued by many to be immune, we can categorically state that servers running IBM i can indeed be impacted by viruses and malware, including those like WannaCry running on a Windows machine that may have a connection. Any suggestion otherwise is a fallacy.

There are numerous examples of IBM Power Systems servers falling victim to traditional viruses and even ransomware. The Fortra security experts recently aided a customer who discovered almost 250,000 infected files within their IFS!

The good news, and ironically the reason for the misperception, stems from the fact that the IBM i operating system, along with native objects such as RPG programs and Physical Files (PF), are immune to infection. But immunity does not imply that those objects can’t still be impacted via a rename or delete operation. And there are file systems on the server whose objects can be both infected as a carrier or encrypted and held for ransom.

So how do we minimize the risk?

Protecting Your Server

First, I always recommend Powertech Exit Point Manager for IBM i to restrict user (or viral!) access to IFS and the associated file systems. This should be employed in conjunction with strict management over defined shares including never openly sharing the root, and as part of an overall control that should be applied to all network services, including FTP and ODBC.

Next, leverage the QPWFSERVER authorization list to limit who can access the QSYS.lib directory structure through the file server. This activity is rarely required for business purposes and can prevent impact on traditional files. Note that this control is not effective against users that have *ALLOBJ special authority.

On a related note, ensure that profiles don’t have unnecessary access to the file systems or data. People often think that attacks come in anonymously but that’s rarely true. At some point, credentials are being compromised or leveraged so ensuring that security best practices are followed for user connections, password policy, and object permissions is critical.

We also need to ensure that viruses are detected prior to delivering their payload. Unbeknownst to many, IBM i has contained anti-virus enablement features since V5R3. Part of the reason for this lack of awareness is that these controls are not beneficial until a native scan engine, such as the popular Powertech Antivirus for IBM i is purchased and installed.

We cannot comment on whether or not any Fortra customers were impacted by the WannaCry ransomware attack, but we have had customers reach out expressing concern over the attack. Though they weren’t impacted, they saw this as a wake-up call and are now interested in taking action to protect themselves from future threats. Unfortunately it can take attacks like these to get people to take action, but we are happy to see that this did serve as a wake-up call for some already.

If you want to learn more about how viruses and malware can wreak havoc on your IBM i systems, we have several other resources that can help:

• Webinar: The Truth About Viruses on IBM i

• Article: 4 Reasons You Need Native Virus Scanning

• Video Blog: Malware, Ransomware, and Viruses vs Your IBM i Server