The WannaCry ransomware attack that hit globally in May 2017 was one of the most damaging cyberattacks of recent times. Starting on Friday, May 12, with a report of a ransomware attack on the Spanish telecom provider Telefónica, it soon became apparent that the WannaCry ransomware threat was no ordinary ransomware attack. It was spreading fast.
Companies in 150 countries reported infections, including Santander, Deutsche Bank, FedEx and, most concerning, hospitals belonging to the U.K.'s National Health Service (NHS). The NHS was where it had the most impact -- infecting swathes of computers, forcing hospitals to turn away patients and cancel surgeries.
The reason behind the rapid spread of the WannaCry ransomware threat soon became apparent -- it had been combined with an exploit for the Windows Server Message Block (SMB) protocol that PCs use to share files. This exploit, known as EternalBlue, had been stolen from a group linked to the National Security Agency and published on an obscure website. Any Windows computer successfully attacked with EternalBlue would grant the attacker complete access to it. In the world of hacking, a remote code execution vulnerability in SMB is the Holy Grail because it allows complete control of nearly every company's IT infrastructure, as long as the exploit can be successfully delivered. The perpetrators behind the WannaCry ransomware threat found the exploit code and linked it to the ransomware, creating the most effective ransomware attack we've seen to date.
It was only a matter of time before this was going to happen. Ransomware has been the preferred weapon of organized cybercrime for a while, so combining it with wormlike behavior that facilitates its spread made a lot of sense. The release of EternalBlue provided just the right tool to do it -- a new vulnerability, with a patch only recently released that affects a protocol in use at corporations everywhere.
Exposing security shortcomings
What the WannaCry ransomware threat highlights is that there is a huge gap in organizations' understanding of why timely patching is so important. It's generally perceived as something that's largely optional -- that it's fine to accept the risk of having an out-of-date legacy server somewhere on the network because it supports an old application that no one understands. The patch that was missing from the NHS's network had been released by Microsoft two months prior to the ransomware attacks; had the patch been installed on all machines, WannaCry would have barely touched its networks, if at all. According to Malwarebytes Labs, initial infections were made not through phishing emails but through the ransomware's ability to detect public-facing SMB ports and use EternalBlue to gain entry into those networks.
The most surprising factor about the attack is how little damage it did compared with what could have happened. Once the attack was released, it spread and encrypted files in a completely automated fashion. If a hacker had been controlling the infection once it was on the network, the damage could have been a lot worse.
With essentially unfettered access to the NHS network, it would have been easy for hackers to extract patient data and publish it online. Many organizations, and even their IT departments, don't realize that with access to just one computer on the network, it is very simple for hackers to escalate privileges to the highest level and extract whatever data they like. It just requires a high-level user -- usually a service account, such as the one that runs backups or updates the antivirus -- to have logged on to that computer at some point recently. When they log on, they leave behind a token that can be used by anyone who has admin access to that computer -- and EternalBlue granted admin access.
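The defensive counterpart to the token problem above is knowing where privileged and service accounts actually log on. The following is an added example, not code from the article: it scans constructed Windows Security event 4624 records and flags logon types that leave reusable credential material or a token on the host, when the host is not one the account is expected to use. The account-to-host policy and the `key=value` log format are assumptions made for the example.

```python
# Added example: flag privileged-account logons (Windows Security event 4624) on
# hosts where that account has no business logging on. Such logons leave
# reusable credential material / access tokens on the endpoint, which is the
# escalation path described above. All sample events below are constructed.
from collections import namedtuple

# Logon types that leave credentials or a reusable token in memory on the host.
# Plain network logons (type 3) normally do not.
TOKEN_LEAVING_LOGON_TYPES = {2: "Interactive", 4: "Batch", 5: "Service",
                             10: "RemoteInteractive", 11: "CachedInteractive"}

# Hypothetical policy: privileged account -> hosts it is allowed to log on to.
PRIVILEGED_ACCOUNTS = {
    "svc_backup": {"BACKUP01"},
    "svc_av": {"AVMGMT01"},
    "DomainAdmin": {"DC01", "DC02"},
}

Finding = namedtuple("Finding", "account host logon_type reason")

def parse_event(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def find_risky_logons(lines):
    """Return a Finding for every 4624 event that parks a privileged token
    on a host outside the account's allowed set."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # successful logon events only
            continue
        user, host, ltype = ev["TargetUserName"], ev["Computer"], int(ev["LogonType"])
        if user not in PRIVILEGED_ACCOUNTS or ltype not in TOKEN_LEAVING_LOGON_TYPES:
            continue
        if host in PRIVILEGED_ACCOUNTS[user]:    # expected location, no finding
            continue
        findings.append(Finding(user, host, ltype,
            f"{TOKEN_LEAVING_LOGON_TYPES[ltype]} logon leaves a reusable token on {host}"))
    return findings

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=WS-042 TargetUserName=svc_backup LogonType=4",
    "EventID=4624 Computer=BACKUP01 TargetUserName=svc_backup LogonType=5",
    "EventID=4624 Computer=WS-042 TargetUserName=DomainAdmin LogonType=3",
    "EventID=4624 Computer=WS-017 TargetUserName=DomainAdmin LogonType=10",
    "EventID=4624 Computer=WS-042 TargetUserName=jsmith LogonType=2",
    "EventID=4634 Computer=WS-042 TargetUserName=svc_backup LogonType=4",
]
```

Run over the sample, it reports the backup account's batch logon on a workstation and the admin's RDP session on another, and stays quiet about the network logon and the expected logon on the backup server.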
My hope is that this attack will serve as a wake-up call to organizations that defending against cyberattacks isn't just about spending money on some flashing boxes and allocating the minimum budget possible to IT upgrades. Being as secure as possible against cyberattacks requires organizations to patch as soon as possible, especially for critical potential issues.
Many organizations delay patching for fear of affecting operational systems, and the patches are either never installed or are delayed. Ask any hacker what's one of the easiest ways to gain complete control of a computer network, and they'll say taking advantage of missing patches. The patches need to be analyzed on a risk-based approach: How critical is this patch, and does it need to be installed outside our usual patching cycle?
Admittedly, Microsoft doesn't help by rating a large number of patches as critical. But an IT department should have someone on its team who is able to accurately assess the risk associated with each patch and alert the team leader if the patch needs to be installed immediately. Companies should also replace old operating systems. Windows XP, for example, is well past the end of its support lifecycle. (The vast majority of systems infected by WannaCry ransomware were running Windows 7, according to research from Kaspersky Lab.) Windows 10 was not affected by the spread of the vulnerability.
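To make the "risk-based" assessment concrete, here is an added example (not the article's, and not any vendor's scoring scheme) of a triage that decides whether a patch breaks the normal cycle. The patch fields, the policy order and the placeholder advisory ids are all constructed for the example; the first sample record is shaped like the SMB case discussed above.

```python
# Added example: a small risk-based patch triage of the kind someone on the IT
# team should be doing per patch. Patch records and policy are constructed.
from dataclasses import dataclass

@dataclass
class Patch:
    ident: str                     # vendor advisory id (placeholder values below)
    severity: str                  # "critical", "important", "moderate", "low"
    remote_no_interaction: bool    # exploitable over the network without a user click
    exploit_public: bool           # working exploit code is circulating
    affects_exposed_service: bool  # patched component is reachable from untrusted networks
    vendor_supported: bool         # False for an OS past end of life (no fix will come)

INSTALL_NOW, NEXT_WINDOW, NORMAL_CYCLE, REPLACE_OR_ISOLATE = (
    "install now", "next maintenance window", "normal cycle", "replace or isolate")

def triage(p):
    """Return (decision, reasons). The order of checks encodes the policy:
    wormable + public exploit first, then exposure, then local-only criticals."""
    if not p.vendor_supported:
        return REPLACE_OR_ISOLATE, ["OS is past end of life; no fix will arrive"]
    wormable = p.remote_no_interaction and p.affects_exposed_service
    if wormable and p.exploit_public:
        return INSTALL_NOW, ["network-exploitable, exposed, exploit public: wormable"]
    if p.severity == "critical" and wormable:
        return INSTALL_NOW, ["critical and reachable from untrusted networks"]
    if p.severity == "critical" and p.exploit_public:
        return NEXT_WINDOW, ["critical with public exploit, but needs local access or a user action"]
    return NORMAL_CYCLE, ["no indicator that warrants breaking the patch cycle"]

# Constructed sample patches; ids are placeholders, not real advisories.
SMB_PATCH = Patch("VENDOR-PLACEHOLDER-1", "critical", True, True, True, True)
BROWSER_PATCH = Patch("VENDOR-PLACEHOLDER-2", "critical", False, True, False, True)
LOW_PATCH = Patch("VENDOR-PLACEHOLDER-3", "moderate", False, False, False, True)
XP_PATCH = Patch("VENDOR-PLACEHOLDER-4", "critical", True, True, True, False)

if __name__ == "__main__":
    for p in (SMB_PATCH, BROWSER_PATCH, LOW_PATCH, XP_PATCH):
        decision, reasons = triage(p)
        print(f"{p.ident}: {decision} ({'; '.join(reasons)})")
```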
Additional defenses against ransomware attacks
Organizations need to accept that at some point, ransomware is going to get onto their networks. The key then is how quickly they can recover the data from backups. An established and regularly tested backup and disaster recovery plan is of utmost importance. There should always be at least one copy of the backup that is physically separate from the main computer network so that the ransomware cannot possibly spread to it.
Stopping the spread of the ransomware is not the only problem, though. Initial infections often happen because a user opens a phishing email and clicks on a malicious link or opens a corrupt file, which installs the ransomware and sets the whole chain of events in motion. The most important defense an organization can invest in is user education on phishing attacks. Education needs to be conducted regularly and delivered in a manner that demonstrates to users the real risk. I am quite convinced that the only way to effectively do this is in classroom sessions, with someone who has worked on the offensive side and, therefore, understands how easy these attacks are to accomplish, and who can explain real-life examples in simple-to-understand terms.
The WannaCry ransomware threat is likely to be copied; it needs to be the catalyst for organizations to start learning how these attacks work and how to prioritize their cybersecurity budget accordingly. Another similar attack will almost certainly hit soon, and organizations can't rely on their email filters and antivirus tools to stop it. They must put multiple layers of defense in place now.