WannaCry me a river? Ransomware attack reveals glaring gaps in infosec

15 May 2017

The world has been reeling from the effects of the WannaCry malware attack, with 200,000 instances in 150 countries. What do we know and what can we learn?

The WannaCry ransomware attack took the world by surprise, but reminded us all of fundamental lessons in cybersecurity. Consider it an infosec masterclass.

With the malware causing havoc over the weekend, there were fears that once unsuspecting workers came into work this morning (15 May 2017), a new wave of attacks would be unleashed.

The NHS in the UK has become the poster-child victim of the cyberattack but, in truth, thousands of organisations were caught with their guard down.

So, what do we know so far?

The extent of the attack is staggering

Europol says that 200,000 computers in 150 countries have been affected by WannaCry, and experts are warning that a fresh wave of the cyberattack is likely to emerge in the weeks and months ahead.

It may not have been a phishing attack

Even though it has been suggested that the WannaCry ransomware was distributed by phishing emails, no one knows for sure. The other theory is that the malware spread via SMB (server message block), the protocol Windows machines use to communicate with file servers over a network. “Phishing remains the most common vector for ransomware, but does not yet appear to have been used in this instance,” said Pat Moran, PwC cyber leader.

You will know if you are a victim

Oh, you will know. When you turn on your machine, you will be greeted by a screen that tells you your files have been encrypted and that you have three days to pay a $300 ransom in bitcoin, before it doubles to $600. If you don’t pay by the end of the week, then the ransomware threatens to delete your files altogether.

What can you do about it?

Nothing. Unless you have your files backed up, there is little you can do, except learn from the experience. Keep your operating systems up to date, make sure your IT people are keeping backups and applying patches, and never, ever open suspicious emails or attachments.

Ageing systems and failure to update are as much to blame as the virus itself

Microsoft has issued patches for its older operating systems including Windows XP, Windows 8 and Windows Server 2003, with Windows XP machines the most vulnerable. Just why anyone would still be running computers that Microsoft stopped supporting in 2014 is a mystery. But the reality is that some organisations are still using Windows XP and others have failed to apply the latest updates or patches to their machines. Some medical machines have the XP operating system baked in, such as MRI scanners, which makes the situation all the scarier for hospitals. Another reality is that some organisations or individuals simply don’t keep their files backed up.

Microsoft is furious and wants governments to stop stockpiling weapons of cyber destruction

Yes, Microsoft has a point. WannaCry is believed to have originated as a cyberattack weapon that was stolen and then posted online by a group calling itself the Shadow Brokers. This isn’t the first time that something like this has happened. A decade ago, a virus weapon developed by the US and Israel called Stuxnet went rogue and began attacking innocent utility companies.

It has a kill switch, but for how long?

The majority of copies of the WanaCrypt0r 2.0 ransomware identified to date contain a ‘kill switch’ domain. If the malware is able to successfully connect to this domain, it will not encrypt any files. The two known ‘kill switch’ domains have been registered by security researchers. PwC warns that organisations should not block these domains and should ensure that their security providers do the same. At least one copy of the ransomware has been edited to bypass the ‘kill switch’ functionality.
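As an added illustration, not part of the original article or of any vendor's tooling: a small Python script a defender could use to act on the two points above, checking that an internal blocklist does not interfere with the kill-switch domains, and listing hosts whose DNS lookups for those domains suggest they are infected. The domain names, log lines and blocklist below are constructed placeholders, not the real indicators.

```python
from collections import defaultdict

# Constructed placeholders: the real kill-switch domains are not reproduced
# here; substitute the domains published by the researchers who registered them.
KILL_SWITCH_DOMAINS = {
    "killswitch-placeholder-1.example",
    "killswitch-placeholder-2.example",
}

# Constructed sample of a DNS resolver log: "<time> <client_ip> <query> <answer>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 killswitch-placeholder-1.example 192.0.2.10
2017-05-12T10:01:05Z 10.0.4.17 killswitch-placeholder-1.example 192.0.2.10
2017-05-12T10:02:41Z 10.0.7.22 killswitch-placeholder-1.example NXDOMAIN
2017-05-12T10:03:00Z 10.0.9.5 update.example.com 198.51.100.7
"""

# Constructed sample of a proxy/DNS-filter blocklist, one domain per line.
SAMPLE_BLOCKLIST = """\
# corporate blocklist (constructed)
malware-c2.example
killswitch-placeholder-2.example
"""


def blocklist_conflicts(blocklist_text):
    """Return kill-switch domains that the blocklist would block.

    Blocking them stops infected hosts from reaching the sinkhole, which is
    exactly the condition under which the malware goes on to encrypt.
    """
    blocked = {line.strip().lower() for line in blocklist_text.splitlines()
               if line.strip() and not line.startswith("#")}
    return sorted(blocked & KILL_SWITCH_DOMAINS)


def hosts_querying_kill_switch(dns_log_text):
    """Map client IP -> (lookup count, whether any lookup resolved).

    Ordinary users have no reason to look these domains up, so each querying
    host is a likely infection; a host whose lookups never resolved did not
    reach the kill switch and should be treated as possibly encrypted.
    """
    seen = defaultdict(lambda: [0, False])
    for line in dns_log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, answer = parts
        if qname.lower() in KILL_SWITCH_DOMAINS:
            seen[client][0] += 1
            if answer != "NXDOMAIN":
                seen[client][1] = True
    return {ip: tuple(v) for ip, v in seen.items()}
```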

Ransomware has been with us a long time, and the problem is getting worse

According to Cisco’s Annual Security Report 2016, cyberattacks continue to be a profitable business for cyber-criminals, who are refining the way they attack back-end infrastructure. Last year, Cisco, with the help of Level 3 Threat Research and Limestone Networks, identified the largest Angler exploit kit operation in the US, which targeted 90,000 victims every day and generated tens of millions of dollars a year by demanding ransoms from victims. Cisco estimates that, currently, 9,515 users in the US are paying ransoms every month, amounting to an annual revenue of $34m for certain cybercrime gangs.

Around 20pc of Irish businesses fell victim to ransomware attacks last year. However, despite these attacks, 93pc of 137 senior IT decision-makers in Irish businesses have said that they would never pay a ransom to hackers, according to a survey carried out by DataSolutions and TechPro.

The hackers behind WannaCry haven’t made much money yet

While merely a small comfort, it is believed that the hackers have only amassed a modest sum of $26,000 from people paying up, and haven’t yet tried to withdraw their funds, possibly for fear of being traced. This is despite all the damage they are causing. Security firm RedSocks has traced the transactions to three bitcoin payment addresses. While bitcoin transactions can be monitored publicly in a blockchain ledger, owners of the accounts cannot be so easily identified.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com