Friday, May 12, 2017 will forever be an omninous day for IT professionals across the the world. On that day, an unprecedented number of ransomware attacks swept across the globe, crippling Britain's National Health Service and affecting more than 200,000 people in over 150 countries.
According to Europol, those numbers will likely increase as many businesses may not have yet reported attacks. As the final tally increases and IT teams are repairing the damage, there are some key takeaways to help prevent your organization from being a victim of future ransomware attacks. The first thing to understand is how this particular piece of ransomware spread so fast and was so effective.
WannaCry is a type of malware called ransomware, which locks the data of a victim's computer and holds it unless a ransom is paid. Ransomware is typically distributed via email phishing attacks, whereby users open an attachment or click on a link that gives the ransomware an opening to breach the user's system. WannaCry took advantage of a hacking tool surreptitiously developed by the National Security Agency to target a specific vulnerability in Windows operating systems that made it more viral than previous ransomware attacks. The exploit that WannaCry used is called EternalBlue, which targeted a security loophole in Windows operating systems that allows malicious code (in this case ransomware) to spread through existing file sharing structures without permission from users. That meant from one remote computer, an entire company can be shut down. And if files are shared with other companies, WannaCry could spread through those files as well.
The loophole the EternalBlue exploit took advantage was addressed in a security update by Windows before Friday's attacks. Yet countless of victims were affected because they were using older Windows systems that were not part of any automatic update. The problem was so severe that Windows broke from tradition and offered a free security patch for older systems like Windows XP. Ironically, it's the larger organizations that are often at the most risk, because updating hundreds of PC's can have higher costs associated than doing a custom patch to address any security issues. This gets even trickier after years of customizations build up. The result is thousands of companies still running Windows 7 and Internet Explorer 8, leaving themselves open to attacks like WannaCry. Future considerations of software updates (versus patches) will now have to take into consideration the risk mitigation of another large scale attack. This is especially true since attacks like WannaCry are not over. A new variant has already popped up called Uiwix, which circumvents the "kill switch" that helped to slow down WannaCry's spread. If updating your system isn't an option, then the vehicle the exploit uses can be disabled.
Ransomware is becoming a go-to choice for hackers because it's an easier way to extract money from a hack than trying to sell PHI on the black market. It also relies heavily on the weakest part of any cybersecurity plan - people. One of the most vital parts of any plan is to train your staff on how to avoid falling for phishing and spam emails that contain malware. This includes recognizing what is a suspicious email and never downloading attachments or clicking on links in those emails. Having a good spam filter will help reduce some of the risks, but a solid training plan will further reduce potential breaches. One of the most important parts of any plan is to train staff on what to do if they notice anything suspicious. It's not enough to avoid the email, but be sure there's a system to report emails and any breaches which limits the stigma of falling for a phishing email. The worst thing that could happen is a staff member falls for the phishing attack and waits to take action because they are worried about looking foolish.
This is the multi-million dollar question the entire cybersecurity community is asking themselves. And the answer is probably not. But that doesn't mean that it's doom and gloom. While other attacks can and will happen, the silver lining is there are lots of things that can be done to drastically limit the impact of a ransomware attack. WannaCry showed the world that it's never too early to begin maintaining and executing a cybersecurity plan.