Over the weekend the world was shocked by an unprecedented global ransomware cyber-attack dubbed ‘WannaCry’ (also known as WCry, WannaCrypt, WanaCrypt0r or Wanna Decryptor). The ransomware infects a computer by exploiting a vulnerability in the SMBv1 file-sharing service of unpatched Windows systems (the flaw Microsoft fixed with its MS17-010 update in March 2017) and, once it has taken hold, locks down the computer, encrypts the user’s files and scans for other vulnerable computers on the network to infect. Victims are told to pay a ransom, in Bitcoin, to the attackers for the decryption key or face losing their data forever.
To date WannaCry has affected over 10k organisations and 200k victims across 150 nations around the world, and the numbers are rising. Among the worst hit were hospitals in Britain and large companies in Spain and Russia. India, China, South Korea and Japan have all seen an impact from the ransomware epidemic that erupted on Friday and propagated in record time. Yet despite causing massive disruption around the globe, the culprits behind the attack have amassed just over $55k, a measly sum given the scope of the attack.
DSA reached out to several industry experts to comment on the outbreak. Many are of the opinion that the threat could be avoided, or at least minimised, with good security hygiene.
Brian Baskin, Threat Researcher at Carbon Black
Brian Baskin, Threat Researcher at Carbon Black, commented, “What is truly unique about [WannaCry] is its method of delivery, which is believed to be through the now-known ETERNALBLUE exploit. While the number of incidents is extremely high, many are believed to be a result of poor security posture. Protection against the ETERNALBLUE exploit is fairly basic. The exploit targets servers with SMB network sharing exposed to the Internet, a feature that should be immediately considered for deactivation. Servers are targeted over the standard network ports for the SMB service, all of which can be actively disabled in an organisation’s firewalls.”
Microsoft had already fixed the SMB (Server Message Block) flaw being exploited in its MS17-010 security update of March 2017 for supported Windows versions. In response to the outbreak it has now also released emergency patches for versions it no longer supports, including Windows XP, Windows 8 and Windows Server 2003, so that customers still running them can close the hole. Hosts that have applied MS17-010 are not exploitable by ETERNALBLUE; disabling SMBv1 where it is not needed removes the attack surface regardless of patch state.
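The two mitigations above (block the SMB ports, confirm the MS17-010 patch) are easy to state and easy to get wrong on a real fleet. The following is an added example, not code from the article or from any of the vendors quoted in it, that audits a single Windows host and, with `-Remediate`, closes the exposure. It assumes Windows 8 / Server 2012 or later (for `Get-SmbServerConfiguration` and the `NetSecurity` cmdlets) and an elevated PowerShell session; the rule name is an arbitrary choice, and the KB list is the March 2017 MS17-010 set as I recall it and should be checked against the Microsoft bulletin for your OS.

```powershell
# Added example: audit (and optionally remediate) the WannaCry/ETERNALBLUE exposure on this host.
# Not the article's or any vendor's code. Assumes Windows 8 / Server 2012+, run as Administrator.
[CmdletBinding()]
param([switch]$Remediate)

# 1. SMBv1 state. ETERNALBLUE is an SMBv1 exploit; if SMBv1 is off, patch level no longer matters for it.
$smb = Get-SmbServerConfiguration
Write-Host ("SMBv1 server enabled : {0}" -f $smb.EnableSMB1Protocol)

# 2. Are the SMB ports actually listening? 445 = direct-hosted SMB, 139 = NetBIOS session service.
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 445,139 } |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Host ("SMB ports listening  : {0}" -f ($(if ($listen) { $listen -join ',' } else { 'none' })))

# 3. MS17-010 hotfix hint. KB numbers from the March 2017 release (assumption: verify against the
#    bulletin). Absence is NOT proof of exposure: later cumulative updates supersede these and
#    Get-HotFix will not list them, so the SMBv1 check above is the reliable signal.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598','KB4013429'
$found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $ms17010 }
Write-Host ("MS17-010 KB present  : {0}" -f ($(if ($found) { $found.HotFixID -join ',' } else { 'none listed (may be superseded)' })))

# 4. Inbound block on the SMB ports for the Public profile (the "exposed to the Internet" case).
#    Domain/Private file sharing is left alone; lateral movement inside the LAN still needs the patch.
$ruleName = 'Block inbound SMB (WannaCry)'   # arbitrary name chosen for this example
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Block rule present   : {0}" -f [bool]$rule)

if ($Remediate) {
    # Turn SMBv1 off server-side (takes full effect after a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Where the optional feature exists (client SKUs), remove it as well; ignore if not present.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445,139 -Profile Public -Action Block | Out-Null
    }
    Write-Host 'Remediation applied; reboot to complete the SMBv1 change.'
}
```

Run it once without `-Remediate` to see where a host stands, then with it. The firewall rule only covers the Public profile deliberately: blocking 445 on the Domain profile would break ordinary file and printer sharing, and the worm's intra-LAN spread is stopped by the patch and by disabling SMBv1, not by the perimeter rule.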
The world was given temporary respite when a British cybersecurity researcher going by the handle MalwareTech stumbled upon a kill switch by reverse-engineering samples of the WannaCry variant. MalwareTech discovered that the ransomware was designed to query an obscure, unregistered web address and to exit if the request succeeded. When he registered and activated the domain, the kill switch took effect, essentially stopping the malware from spreading further. However, the kill switch could not salvage devices that were already infected and locked down, and it only helps hosts that can actually reach the domain: the check ignores proxy settings, so machines behind a web proxy or with no direct Internet access continue to be encrypted even with the domain live.
According to MalwareTech’s real-time public botnet tracker, many countries in South East Asia have also been hit by the WannaCry ransomware. Authorities in countries like Malaysia, Indonesia and Singapore are on high alert and have urged individuals and organisations to patch their systems with immediate effect, keep software and antivirus programs up to date, have secure backups and be extra wary of opening suspicious e-mails and files.
Sumit Bansal, Sophos’ Director for ASEAN
“It is imperative that businesses everywhere update their operating systems, their security software and educate their users against phishing attacks. This is a best practice to reduce the risk from any attack”, said Sumit Bansal, Sophos’ Director for ASEAN. He also mentioned that Sophos analysed the attack on Friday and immediately issued a detection update to block all known and potential future variants of the malware, highlighting the importance of having an up-to-date security solution in place.
Zerto’s VP of APJ, Andrew Martin
But having good IT security in place to prevent these attacks from happening is only part of the solution and security patches can only go so far. Zerto’s VP of APJ, Andrew Martin commented, “No IT security system is 100% safe. As this ransomware attack has proved, having good IT security is only half the story. It’s how fast you recover from these attacks. The best strategy is to implement a security solution AND use a disaster recovery solution with ‘Point-In-Time’ recovery, that can wind back and access data right up until the time of the security breach.”
Nick Savvides, Security Advocate, Symantec APJ
Paying ransom, however, should not be an option. “If hit by the ransomware attack, paying criminals is never recommended. Not only does it feed and reward them for their crimes, there is also no guarantee that your files will be released back to you”, warned Nick Savvides, Security Advocate, Symantec APJ. “Instead, backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.”
Although the WannaCry attacks may have slowed down and the outbreak appears to have been contained for now, new variants of the ransomware are expected to appear using different domains, or with no kill switch at all, as the world braces for the next wave of attacks.
What’s certain is that the combination of ransomware and a self-propagating network worm has proved potent, with the potential for far-reaching and disastrous consequences. This could be the dawn of the next evolution of malware and should serve as a global wake-up call about how vulnerable we are to cyber-attacks.