AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


WannaCry, one year on – are you sure you’re secure?

May 12 is a significant date in the cybersecurity world. It marks the anniversary of WannaCry, the biggest ransomware attack to date. It spread at unprecedented speed globally, infecting over 200,000 business and personal computers across 150 countries in just three days, and leaving chaos in its wake.

The global financial and economic losses resulting from the attack are estimated to be in the range of hundreds of millions to billions of dollars. The UK’s National Health Service (NHS) was hit particularly hard: over a third of NHS organizations were disrupted across the UK, resulting in the cancellation of nearly 20,000 hospital appointments and operations.

WannaCry was able to spread so rapidly because it exploited the Windows vulnerability patched by MS17-010, using the ‘EternalBlue’ exploit, which enabled attackers to execute code remotely on PCs. Microsoft had actually released a patch for the vulnerability in March 2017 — eight weeks before the WannaCry attack — yet the ransomware still managed to cause widespread damage because many organizations had not applied the patch to their systems, and did not have appropriate security measures in place to block the ransomware.

And despite the worldwide disruption caused by WannaCry, many organizations still did not take the simple step of patching their systems. Just six weeks later, in June 2017, the NotPetya ransomware strain used the same EternalBlue exploit to attack Ukrainian critical infrastructure systems.

What’s even more surprising is that these two aggressive ransomware variants are still causing problems for businesses: in March 2018, Boeing was reported to have been hit by WannaCry. And new research from AV vendor Avast shows that 29% of Windows-based PCs globally are still not patched against EternalBlue – leaving them exposed to further exploits.

A patch in time …

So what should organizations do to mitigate their risk of falling victim to a damaging ransomware attack? Well, first and foremost is to ensure that the latest software patches are always applied to systems, as quickly as possible. Ransomware can be sophisticated in many ways, but it’s also fairly dumb: all it needs is to be able to exploit a basic vulnerability in order to breach an organization. It relies on people skipping basic security tasks.

If those responsible for the City of Atlanta’s IT had applied the latest Windows patches before, or following, the WannaCry attack last year, it probably wouldn’t have fallen victim to the SamSam ransomware attack which crippled its systems in March of this year (the patch for that vulnerability was released at the same time as those for WannaCry).

So patching is critical. Then, it’s a question of using the security best practices that can prevent, or dramatically limit the impact of, all types of ransomware attacks. These are covered in detail here, but to recap, they include:

  • Network segmentation – contain infections and stop them spreading laterally across the network and accessing network shares which store sensitive data.
  • Backup regularly and take data offline – data that isn’t constantly in use should be taken offline, or separated and stored on another device. Spreading data around will minimize the potential impact of an attack.
  • Secure all devices – ensure that anti-malware/anti-virus and intrusion prevention solutions are up to date and in use across your systems.
  • Keep tabs on critical processes – continuously monitor critical business processes to detect any vulnerabilities, risks, network connectivity problems, or compliance violations. If any security issues are flagged, prioritize remediation so that problems are immediately addressed.
  • Link SIEM and vulnerability scanner data to business processes – by tying vulnerabilities to the relevant business processes, you can proactively identify and fix problems – such as patching an out-of-date server – before ransomware can impact your critical business processes. Likewise, by identifying suspicious activity through your SIEM logs and tying it to the relevant business processes, you can investigate, map and neutralize an attack before any damage is done.
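As an added illustration of the last point (example code written for this post, not AlgoSec's product or code), the script below joins constructed vulnerability-scanner findings, a hypothetical asset-to-business-process mapping and a few constructed SIEM log lines, then ranks business processes for remediation. The log format, the severity weights and the SMB fan-out threshold used as a lateral-movement indicator are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: hypothetical hosts and business processes.
SCAN_FINDINGS = [
    {"host": "fs-01", "finding": "MS17-010 missing", "severity": "critical"},
    {"host": "hr-02", "finding": "MS17-010 missing", "severity": "critical"},
    {"host": "web-03", "finding": "outdated TLS config", "severity": "medium"},
]
BUSINESS_PROCESSES = {
    "order-processing": ["fs-01", "web-03"],
    "payroll": ["hr-02"],
    "marketing-site": ["web-03"],
}
# Constructed SIEM firewall events (assumed key=value format).
SIEM_LOGS = """\
2018-05-12T10:00:01Z src=fs-01 dst=10.0.1.5 dport=445 action=connect
2018-05-12T10:00:02Z src=fs-01 dst=10.0.1.6 dport=445 action=connect
2018-05-12T10:00:02Z src=fs-01 dst=10.0.1.7 dport=445 action=connect
2018-05-12T10:00:03Z src=hr-02 dst=10.0.2.9 dport=445 action=connect
2018-05-12T10:00:04Z src=web-03 dst=10.0.1.5 dport=443 action=connect
"""
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # assumed


def smb_fanout(logs, threshold=3):
    """Hosts reaching >= threshold distinct peers on TCP 445: a worm-like
    SMB fan-out pattern worth investigating (threshold is an assumption)."""
    peers = defaultdict(set)
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == "445":
            peers[m.group(1)].add(m.group(2))
    return {host for host, p in peers.items() if len(p) >= threshold}


def prioritize(findings, processes, logs):
    """Score each business process by the open findings on the hosts it
    depends on, and mark it 'active_threat' when an unpatched host of that
    process also shows SMB fan-out in the SIEM data."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    suspicious = smb_fanout(logs)
    ranked = []
    for name, hosts in processes.items():
        score = sum(SEVERITY_WEIGHT.get(f["severity"], 0)
                    for h in hosts for f in by_host[h])
        active = any(h in suspicious for h in hosts if by_host[h])
        ranked.append({"process": name, "score": score, "active_threat": active,
                       "fix_first": sorted(h for h in hosts if by_host[h])})
    # Processes under active attack come first, then by exposure score.
    return sorted(ranked, key=lambda r: (not r["active_threat"], -r["score"]))
```

Calling `prioritize(SCAN_FINDINGS, BUSINESS_PROCESSES, SIEM_LOGS)` puts order-processing first, because its unpatched file server is both missing MS17-010 and fanning out over SMB, ahead of payroll, which is exposed but quiet.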

As the philosopher George Santayana wrote, ‘Those who cannot remember the past are condemned to repeat it.’ Remembering WannaCry and the damage it did just a year ago – and how easy it would have been to prevent much of that damage – will help ensure that your organization is better prepared for the next ransomware attack.
