On the morning of May 12, 2017, WannaCry entered the cyber security lexicon forever.
Within a day, WannaCry had spread around the world, infecting more than 230,000 computer systems in 150 countries and costing approximately $4 billion in financial losses. It was the most virulent self-spreading malware since 2003 when the Slammer worm infected most of its victims within one hour.
WannaCry also led to widespread service disruptions at Britain’s National Health Service, where about 20,000 appointments got cancelled as hospitals and clinics were forced offline.
When it came to WannaCry alone, Symantec blocked 5.4 billion attacks last year. Meanwhile, the number of ransomware infections grew approximately 40% year-over-year. Oddly enough, despite WannaCry’s global impact, average ransom demands dropped to $522 in 2017, less than half the average of the prior year, according to Symantec’s 2018 Internet Security Threat Report (ISTR).
The data likely reflects the saturation of what has become a popular – and increasingly commoditized - market, not a wholesale retreat by the bad guys. Indeed, the ISTR found that established criminal groups continue to actively deploy ransomware, which remains a dangerous cyber threat.
A Troubling Legacy
When WannaCry struck, it exploited a known weakness in Windows computers. Microsoft had released a fix a few months before the attack and systems administrators could have protected their networks by simply installing the patch.
But there were enough unpatched computers for both WannaCry - and then last year’s other big ransomware attack involving Petya/NotPetya - to create an opening for attacks to create serious disruption. That’s why you hear security experts preaching the virtue of patching to resolve any newly-discovered security vulnerabilities.
Another reason for their concern: Ransomware is no longer the exclusive preserve of run-of-the-mill cyber criminals. Targeted attack groups – often backed by the resources of nation-states - are taking an interest too.
Meanwhile, ransomware features increasingly as cover for decoy attacks. In the past, targeted attack groups might have relied on distributed denial of service (DDoS) attacks to distract incident response teams. Since 2015, though, Symantec has noted more targeted attack groups adopting this same tactic, such as the Sandworm espionage group, which created a new version of its Disakil Trojan disguised as ransomware.
Elsewhere, the success of WannaCry and Petya/NotPetya may be the harbinger of a new generation of self-propagating threats. Both threats were able to self-propagate because they used the EternalBlue exploit, reportedly developed by the U.S. National Security Agency that was leaked by the Shadow Brokers hacker group. As Symantec’s ISTR cautions, the results will likely be closely studied by others attempting to use similar “living off the land” attack techniques in the future to fly under the radar.
All the more reason why organizations need to patch their systems – at a minimum.
“What’s clear is that the window of time companies has to patch is very small and getting smaller,” Kevin Haley, the Director of Product Management for Symantec Security Technology and Response.
Oftentimes, however, companies still find it hard to remain up-to-date. Some, because they run deeply embedded systems that are just too difficult to update. Others because they are complacent and don’t believe they will wind up as targets.
Even victims of major ransomware attacks don’t always respond with the necessary alacrity. Almost a year after the NHS attack, a Parliamentary report on the aftermath found that much work still remains to improve cyber security “for when, and not if, there is another attack.”
Defending Against Ransomware
The best remedy is to adopt a broader, cohesive cyber strategy rather than rely upon a series of tactical one-offs.
“The lesson people tend to learn from these incidents tend to be specific - `We sure need to patch that vulnerability,’ said Haley. “They say that the Pentagon is always prepared to fight the last war but not the next one. I feel that this is often the case in security. But it’s probably better said that the focus should not be on patching that vulnerability, and better put into having a reliable patching strategy.”
New ransomware variants pop up regularly. So, when it comes to plotting measures to reduce your vulnerability to attack, keep the following in mind:
- The easiest, most obvious step is also the most important: Always maintain your security software so that it’s up to date.
- Enable automatic updating whenever possible to devices and applications connected to a network. Keep the organization’s operating system updated – the same goes for any other software apps in use. At the same time, don’t run obsolete hardware or software that no longer has vendor support.
- Close off the specific ports that WannaCry exploited (in this case port 445.)
- Hammer home the message to employees that they must be on guard against unexpected emails, especially if they contain links or file attachments. Also, be extra wary of Microsoft Office email attachments advising recipients to enable macros to view their content.
- Back up important data and make sure that it’s appropriately protected or stored offline so that attackers can’t delete it. This insures the organization against worst-case scenarios. If you have backup copies, you can restore the files after cleaning up the infection.