WannaCry

Lessons from WannaCry: How to avoid the next ransomware epidemic

The first hints of the fast-spreading WannaCry attack appeared on May 11, when traffic spiked to a network port used by the worm to exploit a vulnerable service in the ransomware attack. 

The malware, which infected Windows systems via a flaw published as part of the leaked espionage toolset from the U.S. National Security Agency (NSA), quickly infected tens of thousands of systems—including those at the UK's National Health Service, Spain's Telefonica, and France's Renault—encrypting data and posting a ransom note demanding approximately $300 per system infected. In five days, nearly 400,000 Internet addresses showed signs of having systems affected.

The attack was blunted by serendipity: A researcher reserved a domain found inside the malware—a domain that acted as a kill code. Copycats have emerged, however, and security experts believe the attack will continue to evolve.

For companies that do not want to rely on serendipity in the future, the key will be to execute well on their security plans, said Andrii Bezverkhiy, founder and CEO of SOC Prime, a software company that fuses data science with practical security expertise. 

“Do the basics and do them well. Even if you are an organization that does automated patching, you could have missed a few.”—Andrii Bezverkhiy, SOC Prime

Mary Karnes Writz, director of product management at HPE Software's ArcSight who, prior to her current role, conducted threat hunting, said this attack is interesting because it’s the first time ransomware has propagated as a worm. Also, as a traditionally internal attack, it should be difficult for the malware to cross firewalls from company to company, and yet that is happening, she said.

To be prepared for the next time attackers marry a destructive program with a recent vulnerability and wormlike propagation, security experts say companies and their executives should focus on five areas.

Intro to SIEM: Get up to speed quickly

1. Know your assets

Even a company committed to security may not know every asset in its organization. Regularly scanning the network to find connected systems and evaluate those systems' security is crucial. Regular asset discovery helps a company find shadow IT that may pose a weak link in its security, but it also helps firms focus on their most important assets, said Haiyan Song, a senior vice president at Splunk.

We understand that organizations cannot equally take care of every asset, so they need to understand what assets they have and what assets are at risk, Song said.

“[They] really need to use a risk-based approach to really prioritize their IT work and their security work.”—Haiyan Song, Splunk

2. Get rid of—or heavily protect—legacy systems

Because Windows XP has reached the end of its lifetime, Microsoft did not originally create a patch for the 16-year-old operating system. Yet more than 54% of companies have Windows XP running inside their networks, on an average of 14% of systems, said the IT services firm Spiceworks. Legacy systems that fall outside of patch programs are a massive security weakness. "It is just the aging infrastructure of a lot of organizations—they still have Windows XP in their systems," Song said.

Such systems need to be identified and replaced—or, at the very least, surrounded by extra rings of security, said Javvad Malik, a security advocate with AlienVault.

“If a company cannot get upgrades or patches for a system, they need to look at other mitigating controls. You want to know where these systems are and make sure that they are not accessible from the Internet.”—Javvad Malik, AlienVault

3. Patching is too important to do wrong

The ETERNALBLUE exploit for a flaw in Microsoft Windows' server message block (SMB) protocol was patched in March, but many companies had not updated their systems, even after files published by the ShadowBroker hacking group included the exploit. The issue underscores the importance of focusing on patching and verifying patch levels with a vulnerability-management system.

“A lot of companies with mature security teams are patched, but it takes time to patch, and older Windows systems are not easily patchable. So even an organization that proactively does patch management still might miss a system and have an unpatched system.”—Andrii Bezverkhiy, SOC Prime

4. Make lateral movement difficult

Like previous worms, such as Nimda and Conficker, WannaCry is a pernicious threat once it gets inside your network. For companies that put their focus on the security of the perimeter, WannaCry is a wake-up call. "When the device is infected, it starts to discover other vulnerable devices with two scans," said SOC Prime's Bezverkhiy. "And on the new host it will start encrypting and then start spreading right away."

By cordoning off systems from one another—say, the accounting department from the clinic in a hospital—organizations can protect their business, even in the event that some systems are compromised, said AlienVault's Malik.

“If you segregate your appointment system from your X-ray or highly critical medical systems, then if the appointment system got hacked, at least those systems would have been isolated regardless of if they were running an old or unpatched system.”—Javvad Malik

5. Back up more than data

Finally, while ransomware is a direct threat to data, companies should do more than back up their data. Recovering from backups is very time-consuming—so much so that many organizations have paid the ransom for decryption keys to avoid a costly recovery.

Companies should make sure that their backup data is available through backup processes—thus allowing operations to switch with minimal downtime. Such measures are necessary because a company cannot know if it will always catch an attack, said Juan Guerrero Saade, a senior security researcher with security firm Kaspersky Lab.

“We put a lot of effort into defeating ransomware as a whole, but you cannot count on knowing the ransomware before it starts encrypting things.”—Juan Guerrero Saade, Kaspersky Lab

Be prepared for the changing threat landscape

These are good steps to start down the road to being more secure, but threats are changing and companies need to be prepared for that. WannaCry is already undergoing fast iterations, with the original attackers—as well as copycats—adapting to defenders' methods. As of Sunday, variants that do not have a kill switch have been encountered by researchers, some of whom have been calling it WannaCry 2.0, even though there are no other major changes. 

"The second variation that appeared during the weekend appears to have been patched to remove the kill switch," Kaspersky Lab researchers said on Monday. "This variant does not appear to be spreading, possibly due to a bug."

One side effect of the lack of a kill switch is that good estimates of the number of affected devices—or more accurately, the number of IP addresses behind which an infected device is communicating—are no longer available.

“Security cannot be static.”—Haiyan Song, Splunk

WannaCry is a wake-up call for enterprises

WannaCry highlights that security matters more than ever. While the criminals behind the ransomware have only made more than $70,000 so far, according to a group tracking the bitcoin payments, companies in more than 100 countries are cleaning up after the ransomware, costing them millions of dollars. Some estimates have put the productivity cost of the ransomware incident at more than $10 billion.

To start on the path toward preparing for the next attack, corporate information-security teams need to have executive support. "Everyone wants to do security, but they are not certain what that means," said Malik. "It takes a change at the top, the executives, to make a commitment to patching and better security."

HPE's Karnes Writz said the attack also serves as a wake-up on corporate policy:

“This attack makes companies consider, possibly for the first time, their policy on ransomware—whether or not to pay.”

Intro to SIEM: Get up to speed quickly
Topics: Security