Lessons learned from the WannaCry ransomware attacks

cybersecurity DXC Blogs

While the waves of ransomware infections known as “WannaCry” have settled down, with a few scattered new infections reported in Asia (notably in South Korea and Taiwan), we can all learn an important lesson from the attacks. Unfortunately that lesson will be lost on many, if not most, organizations too quickly.

Throughout the day Friday, May 12, malware managed to infect a reported 230,000 systems in 150 countries. Many healthcare organizations were hit, but the attack affected all types of organizations in both the public and private sectors.

The primary way WannaCry spreads is through phishing emails and a self-propagating worm. When it strikes, the malware infects systems, encrypts them and then demands a ransom payment in Bitcoin.

This is the first time we’ve seen ransomware spread this rapidly and broadly, probably because it couples (as far as I’m aware, for the first time) ransomware with worm capabilities. The spread was also boosted by the rather large number of Internet-connected Windows XP systems still running; Microsoft stopped supporting XP with patches some time ago.

From the perspective of the attackers, the malware was wildly successful, managing to infect organizations such as the National Health Service in Britain and a number of airlines and telecommunications providers.

The story behind the WannaCry malware runs deeper than most cyber attacks. The code is reportedly based on a trove of exploits stolen from the National Security Agency (NSA). These threats, specifically the exploit known as EternalBlue, which attacks a Microsoft Windows vulnerability described in Microsoft Security Bulletin MS17-010, were released earlier this year. In a rare move, as a result of this attack, Microsoft decided to provide a Windows XP patch to users.

So what is the lesson here?

The lesson is that the advice we’ve heard from security professionals really does go a long way to preventing these attacks from being successful. And they are preventable.

What’s required to avoid this type of attack isn’t new:

  • Patch at-risk systems as vendors issue patches
  • Don’t run software that is no longer supported by the manufacturer
  • Train staff not to click on links and attachments
  • Have basic security controls in place
  • If a system doesn’t need to be connected to the Internet, restrict its access
  • Back up systems so that they can be reconstituted to known-good states much more readily

Patching in certain environments, such as healthcare, can be challenging. These organizations tend to be understaffed when it comes to IT, carry legacy-system baggage, and face contractual issues with vendors when it comes to updating equipment. And when it comes to deploying patches in environments where machine malfunction literally means life or death, patches must be thoroughly tested to ensure uptime.

However, there are ways to mitigate the risk to unpatched systems. Organizations can white-list the apps that can run on those systems, limit network access and take other reasonable steps. Following these broad guidelines will help any organization run a more resilient environment and avoid attacks like WannaCry.
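Checking whether a host is still exposed to the MS17-010 flaw and applying the post’s “limit network access” advice to an unpatched machine, as an added example that is not part of the original post or DXC’s material: it assumes a Windows 8.1 / Server 2012 R2 or later host with the built-in Smb* and NetFirewall cmdlets, and a placeholder KB list you fill in from the bulletin.

```powershell
# Added example, not code from the post or from DXC Blogs. It triages a single
# Windows host for the exposure WannaCry used (the SMBv1 server flaw fixed by
# MS17-010) and applies two of the post's mitigations for machines that cannot be
# patched yet: disable SMBv1 and restrict inbound access to the SMB port.
# Run from an elevated session on Windows 8.1 / Server 2012 R2 or later, where the
# Smb* and NetFirewall cmdlets exist.
# ASSUMPTION: $Ms17010Kbs is a placeholder; fill it with the KB numbers the
# MS17-010 bulletin lists for this OS build before trusting the "patched" result.
$Ms17010Kbs = @('KB-PLACEHOLDER-FROM-MS17-010-BULLETIN')

function Get-Ms17010Exposure {
    $installed = (Get-HotFix).HotFixID
    $patched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0
    $smb1      = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OS             = (Get-CimInstance Win32_OperatingSystem).Caption
        Ms17010Applied = $patched
        Smb1Enabled    = $smb1
        # Unpatched and still speaking SMBv1 is the combination the worm needs.
        AtRisk         = (-not $patched) -and $smb1
    }
}

function Invoke-Ms17010Mitigation {
    param([switch]$HostServesFiles)
    # 1. Turn off the protocol the exploit targets; SMBv2/3 clients are unaffected.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Limit network access, as the post advises for hosts that need not be
    #    reachable. A workstation has no reason to accept inbound SMB at all.
    if (-not $HostServesFiles) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
    # For a file server, narrow the RemoteAddress of its existing SMB allow rule to
    # the client subnets that need it instead of adding a block rule, e.g.:
    #   Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress <subnets>
}

$report = Get-Ms17010Exposure
$report | Format-List
if ($report.AtRisk) { Invoke-Ms17010Mitigation }
```

Review the report before running the mitigation fleet-wide; the block rule cuts off legitimate file sharing on any host that actually serves it.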

And now’s the time to start. If history is any guide, we’ll see copycat attempts in the weeks and months ahead. Once a tactic has proven itself to be successful, it’s copied and used repeatedly. The threat won’t stop at new versions of WannaCry (which are already popping up) but will extend to entirely new strains of malware that couple “wormable” exploits with ransomware attacks.

Time to take heed of all of that good advice our security experts have been sharing for decades now.

Comments

  1. Khaled Soubani says:

    These are good recommendations. I would like to also add that the biggest known invitation for attacks is outdated operating systems and current ones that are not regularly updated. So, after this attack, IT departments should not have any trouble convincing their administration to upgrade the OS.

    Second, and more specific to ransomware attacks that depend on data encryption, I doubt that enterprise or even SMB users really need to have data encryption capabilities. Most companies should be discouraging employee encryption of their data. By complicating disk encryption (either by disabling the commands or demanding additional authentication) at the OS level, similar ransomware attacks won’t even be possible. For a network OS, any data encryption should shift to the IT department, where it is possible to better train employees on system security.

  2. Khaled Soubani says:

    … Network users who have to be able to encrypt documents can always copy them to a designated directory. The network administrator should be able to handle encryption requests, like periodically encrypting the contents of the directory.
