WannaCry, Petya et al: Protecting your organisation from ransomware
The recent global deluge of media reports regarding WannaCry and several other ransomware attacks have served two purposes. Firstly, the speed of proliferation has caused fear, uncertainty and doubt across the world. This has certainly spooked enterprises everywhere by demonstrating the power and reach of a coordinated criminal cyber security campaign.
More importantly, it has put business stakeholders, at all levels, on notice that poor cyber security hygiene and complacency about cyber security controls must be addressed. As businesses participate across global data supply chains, no-one is immune from these sorts of risks; we need to improve our performance. Whether this is a timely warning, resulting from a less than perfectly executed mass attack, or the beginning of a spate of new weaponised vulnerabilities we all need to be prepared. Let’s take a more detailed look at the first of these high-profile assaults – WannaCry.
Ransomware: The impact of WannaCry
On Friday, 12th May 2017, WannaCry shot to prominence across the world’s computer systems. Like an emergent strain of the flu, this was different from the normal ransomware that washes over computer systems world-wide. There are now links being drawn between the recent theft of classified US cyber weapons and the emergence of WannaCry. Not just another clone, it was a pathogen that was exposed to the right blend of people, environment and luck to make it much more threatening. The developers of WannaCry combined several different exploits into something significantly more insidious and, in doing so, they changed the ransomware landscape. WannaCry was a blend of a ransomware variant called WanaCrypt0r that was first spotted a few weeks before, combined with a self-propagating lateral movement exploit technology (known as a worm), which strengthened its virulence dramatically.
Ransomware: The importance of patching
WannaCry used a vulnerability in the Windows SMBv1 protocol meaning that once it got into an organisation, it could spread sideways to other unpatched computer systems. Any Windows based computer that had not been patched was at risk. The SMBv1 vulnerability (MS17-010) was identified and patched by Microsoft on 14th March 2017 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), so the best advice to stop this ransomware in its tracks was to apply the patch and stay alert to future security advisories because as we’ve seen, further variants and attacks or variants have, or will, emerge.
Since WannaCry started spreading on the Friday afternoon, thousands of private and public sector organisations around the world became infected (including the National Health Service in the UK, see https://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/). The Australian Federal Government reported that infections were far less prevalent in Australia. Although the number did increase from initial estimates, in comparison to other places, Australia escaped the worst of the attack (see https://www.abc.net.au/news/2017-05-15/ransomware-attack-to-hit-victims-in-australia-government-says/8526346).
Fortunately, very early on in the attack, the British security researcher MalwareTech (https://www.malwaretech.com), took advantage of a flaw he discovered in WannaCry’s behaviour, whereby it tried to contact an unregistered domain name. By identifying what has been mooted as a built-in kill switch he was able to dramatically slow down the spread of the attack. New variants of WannaCry, reengineered with the kill switch removed would not suffer this same fate.
Ransomware: What can you do to protect yourself from cyber security attacks?
As always, sound risk based decision-making is the cornerstone of a good cyber security strategy and advice should be sought if you are in any doubt. Ransomware is just one of many types of malware causing harm to organisations. The infection vectors (i.e. methods of delivery) are common to most other types – most infections these days are transmitted via email or hijacked websites, with an element of social engineering built into the transmission to feign trust (enticing users to click on malicious attachments or links to malicious sites). You can minimise the risk of being infected by ransomware by putting in place the same set of basic safeguards that you would against any malware in general.
- Keep your systems patched. Make sure all of your security patches have been applied and where something cannot be patched, compensating controls should be considered.
- Backup your files. If you can recover your files and systems after a ransomware attack, then reverting back to a known good state will fix the problem.
- Test your incident response capabilities. There is no use in saying your backup and restore strategy will address the risk of being hit with ransomware if you’ve never tested the efficacy of your recovery methods.
Ransomware: How can real-time cyber security operations help?
If your organisation has a cyber security operations team or you contract a service provider to keep your systems and information secure, Huntsman® created a security advisory containing signatures, indicators of compromise and other remediation advice that may help not only detect an infection, but also heighten your preparedness. For our customers, this advice (and the subsequent updates) gave some warning and defence against this threat and meant reassurance for technical teams and businesses that they could quickly get on the front foot.