One year on from WannaCry: have lessons been learned?
A little over a year ago hundreds of thousands of computers around the world were hit by a mysterious malware outbreak. For many, it was their first experience of ransomware – malicious code designed to lock users out of their machines unless a fee is paid. It caused chaos across the globe, including in the NHS, where an estimated 19,000 appointments and operations were cancelled.
But the question is, have organisations learned anything from the outbreak? Are they better prepared now to deal with the impact of a major global attack like WannaCry? And does it even matter, or have the bad guys already moved on?
A cautionary tale
The attack was ultimately blamed on North Korean operatives, most likely looking to make money for the isolated regime and cause some pain for the West along the way. They were largely thwarted by the discovery of a kill switch in the code which halted the spread of the threat. It also landed on a Friday afternoon in spring, meaning fewer people at work and a whole weekend ahead for IT admins to recover from the attack. However, the ransomware itself highlighted one major weakness among organisations which security experts have been warning about for years: unpatched vulnerabilities.
In the case of WannaCry, it was, ironically enough, an NSA-developed exploit leaked by Russian state-sponsored hackers — EternalBlue. This enabled the ransomware to infect machines via a Windows SMB vulnerability for which a patch had been released in March. Two months later, all hell broke loose. The National Audit Office had the following to say about the NHS:
“In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber-attack.”
It’s pretty clear from the number of infections, which are said to have topped 200,000 in over 150 countries, that many other organisations were found wanting like this. The likes of Telefonica, Deutsche Bahn, PetroChina, Portugal Telecom, FedEx, and Renault were all hit to a lesser or greater extent.
We all know that cyber-incidents are inevitable today. There are simply too many threats out there, too many vectors, too much exposure, and too many determined parties for any organisation to be 100% secure 100% of the time. So the key to mitigating risk, aside from reacting quickly and effectively to any incident, is learning from it so it’s less likely to cause any problems in the future.
At first glance, the WannaCry bombshell did not appear to have driven an uptick in best practice processes like patching. One notable global organisation, Boeing, was even infected with WannaCry in March this year. A report from Rapid7 claimed that there were just over half a million exposed SMB servers around the world in June 2017, slightly down from the May figure. Unfortunately, that number is virtually the same today.
What’s more, the same EternalBlue exploit was used by attackers a month later in the global NotPetya ransomware blitz, which caused hundreds of millions in losses for various multi-nationals. Another exploit, EternalRomance, was used in the Bad Rabbit ransomware outbreak in October last year.
While this looks bad on the face of it, I’d warrant that organisations are actually improving baseline security across the board. After all, you can’t get a better advert for the dangers of ransomware than WannaCry and NotPetya. The GDPR and NIS Directive will also help to drive up standards over time — with potentially massive financial penalties for firms that fail to comply.
In fact, one could argue that WannaCry and NotPetya came at a time when ransomware, in general, was beginning to plateau. Trend Micro noted a drop in ransomware-related threats of 41% from 2016 to 2017: that’s from over one billion to 631 million. What’s more, the FBI claimed to have received only 1,783 ransomware reports last year, linked to losses of just $2.3m.
We can explain this partly in terms of organisations protecting themselves more effectively from ransomware: by investing in solid AV, intrusion prevention tools and network segmentation; backing up regularly; and educating employees not to open unsolicited mail. But there’s another related factor at play: the cyber-criminals themselves are going after easier pickings.
Just look at those FBI figures again. In comparison to the paltry sum collected by ransomware slingers, Business Email Compromise (BEC) led to losses in 2017 of over $676m — the highest of any threat category. As I outlined on The Nasstarian earlier this year, crypto-jacking is another money-spinner that many black hats are taking to in their droves. By running a botnet of compromised machines to mine crypto-currency, there’s no risk of a victim refusing to pay up. If one organisation boots them off their servers they simply look for more to infect. Simple.
Which brings us back to patching. The sheer number of vulnerabilities discovered on a monthly basis today is challenging all but the best-resourced organisations. New software flaws hit an all-time high of nearly 20,000 last year, and the figure will only continue to rise. Without automated tools and a clear strategy for prioritising critical bugs, organisations will remain exposed to financial loss and reputational damage.
Nasstar has many layers of security protecting its hosted platforms but it is crucial that its clients create a cyber-savvy culture within their organisation. That comes from the top down, and it spreads via effective training and regular updates to ensure best practice is always front of mind for staff.