Mopping Up After the WannaCry Outbreak
Does anyone wonder why cybersecurity is still the hottest domain in IT? Only about 10 days ago, the "WannaCry" ransomware worm infected hundreds of thousands of computers around the globe, encrypting their data and demanding a ransom. While the outbreak in the United States was limited and contained fairly quickly, it ran amok across Europe and Asia, causing especially serious damage to the National Health Service (NHS) in the United Kingdom, which still runs large numbers of outdated, unpatched Windows systems and had not given its staff the basic security training that might have limited the damage.
Fortunately, the first wave came to a quick end when an enterprising 22-year-old British security researcher found a so-called "kill switch": before spreading, the malware checked whether a hard-coded, unregistered domain name resolved, and when the researcher registered that domain, new infections stopped propagating. Unfortunately, new variants without the kill switch are already on the internet.
Following are six important facts about WannaCry, as well as some tips that could help to prevent a reoccurrence down the road.
200,000 computer systems in 150 countries infected in one weekend.
In less than three days, WannaCry — also known as WCry, WannaCrypt and WanaDecryptor — zipped around the globe. The malware was built for a worldwide audience, with ransom notes available in dozens of languages. Ransom demands popped up everywhere from movie screens in South Korea to railway departure boards in Germany.
Ultimately, no one is certain of the extent of the damage, because a large number of the infected systems were located in China. One estimate put the number of companies, hospitals, government agencies, railway stations, malls, and universities in China at almost 30,000. At one point 20,000 gas stations went offline.
WannaCry is ransomware.
The goal of WannaCry is to extort money from victims by encrypting their data. The ransom is typically demanded in a digital "crypto-currency" such as Bitcoin, which is pseudonymous rather than truly untraceable: every payment is recorded on a public ledger, which is exactly what let investigators watch the WannaCry wallets. Once payment is received, the criminals are supposed to hand over the decryption key so the victim can unlock their data.
Ransomware attacks are becoming increasingly common. The practice is so profitable that criminals can buy ready-made ransomware kits on the dark web for a pittance. Just like on eBay and Amazon, satisfied customers even leave positive reviews on the products. Security experts estimate that there are more than 100 different strains of ransomware currently active on the internet, with an infection rate that is growing at 36 percent per year.
Victims typically pay the ransom.
More than 200 of WannaCry's victims who quickly paid got their data back. Cybersecurity experts advise against paying, however, cautioning that, in general, only about two-thirds of victims recover their data after paying the ransom. They also fear that paying encourages future attacks. Unfortunately, for most victims it is not a straightforward decision. Faced with the practical need to get their data back, most pay up.
Even Microsoft, in their ransomware Frequently Asked Questions (FAQ) document, refuses to give a firm answer on paying the ransom or not. Their response is that "there is no one-size-fits-all response when victimized by ransomware."
There's been lots of finger pointing.
Microsoft put the blame on governments that hoard vulnerabilities rather than report them to vendors, noting that the attack relied on "exploits stolen from the National Security Agency, or NSA, in the United States." In a blog post, Brad Smith, Microsoft's chief legal officer and president, called the attack an "example of why the stockpiling of vulnerabilities by governments is such a problem."
Even Russian President Vladimir Putin got his kicks in by blaming U.S. government officials. Citing Smith's letter, he said, "Microsoft said it directly: The initial source of this virus is the U.S.'s security agencies. Russia's got absolutely nothing to do with it."
Others blame Microsoft for poor product design, and for abandoning users who run older versions of the Windows OS. WannaCry exploited a bug in Windows' SMBv1 file-sharing protocol, a flaw present in every version from Windows XP through unpatched Windows 10 and fixed for supported versions in the MS17-010 update of March 2017; the bulk of the infections hit unpatched Windows 7 machines, while the still widely installed XP received no fix at all. The company officially stopped supporting Windows XP in 2014 and no longer provides patches to the general public. Customers complain that Microsoft should have at least alerted them to the need for a security patch.
Eventually, as the extent of the virus became evident, Microsoft did provide an emergency security update for Windows XP, Windows 8, and Windows Server 2003 users on Friday. Unfortunately, more than 1 million computers around the world are said to remain vulnerable.
Origin
It appears that the exploit code used to build WannaCry's spreading mechanism was indeed stolen from the NSA. A hacker group calling itself the Shadow Brokers surfaced in 2016 and, in April 2017, released a set of powerful attack tools purportedly stolen from the intelligence agency, among them the SMB exploit known as EternalBlue. One expert called the released material the "most powerful cache of exploits ever released."
Apparently the ransomware itself is an older and much less effective strain that the bad guys "souped up" with the NSA's tools, bolting on the EternalBlue exploit so the malware could spread on its own through the now-patched SMBv1 flaw in Windows.
A sloppy effort
Although WannaCry caused untold millions in damage, the creators surprisingly have earned only about $50,000 U.S. — a small return for unleashing a global infection and landing on Interpol's most wanted list. The reason, according to Wired is that they made "amateur mistakes at practically every turn."
Industry consensus is that the WannaCry gang didn't know how to do anything beyond integrating the NSA exploits. In addition to leaving in a kill switch, the bad guys never built the ransomware to tell automatically which victim had paid: every victim was pointed at the same handful of hard-coded Bitcoin addresses, so the operators had to track victims and issue decryption keys by hand — leaving Bitcoin footprints for authorities to follow.
Defending Against WannaCry and Other Ransomware
WannaCry is a worm: once inside a network it scans for other machines listening on the SMB port (TCP 445) and infects them without any user action. So while it didn't rely on phishing e-mails to spread, users still have to remember not to open suspicious attachments or mystery links, because that is how most other ransomware arrives. Users should also maintain frequent backups of their important data in a safe location, not just on drives or shares that are permanently connected to their computers, since a worm that can reach a mapped backup drive will encrypt it too. If you're a victim of ransomware, an offline backup will enable you to wipe the system and restore the data.
The single most important defense against WannaCry is to install the latest Windows security updates, above all the MS17-010 patch (or Microsoft's emergency update for unsupported versions). Where the patch cannot be applied immediately, disable SMBv1, block inbound TCP 445 at the network perimeter, and segment the network so one infected workstation cannot reach every other host. Behind those controls, make sure your cybersecurity people are trained and certified to protect your data; skilled IT pros are what turn a patch advisory into patched machines.
Strong password practices are a must, even though they played no part in how WannaCry spread. Never reuse a single password across sites. If one site is compromised, hackers routinely try the same credentials against other online accounts.
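Because the worm spreads by sweeping TCP 445 across the neighbourhood of an infected host, one of the cheapest detections is to watch for a single source contacting an unusual number of distinct hosts on that port in a short window. The script below is an added example, not code from the original article or from any vendor: it parses a constructed connection-log format (timestamp, source, destination, destination port), and flags sources whose distinct-target count on 445 exceeds a threshold inside a sliding time window, while leaving a normal client that talks repeatedly to one file server alone. The log format, the sample traffic and the threshold are all assumptions for the demonstration.

```python
"""
Flag hosts that behave like an SMB worm: many distinct destinations on
TCP 445 inside a short window. Added example; the log format
("ISO8601-timestamp src dst dport") and the sample traffic are constructed
for the demonstration and do not come from any real product or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PORT_SMB = 445


def parse_line(line):
    """Parse 'ISO8601 src dst dport' into (datetime, src, dst, port); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return ts, parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on port 445 within any `window`-long span.
    Repeated connections to the same host count once, so ordinary file-server
    traffic does not trip the rule."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != PORT_SMB:
            continue  # skip malformed lines and non-SMB traffic
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()          # chronological order for the sliding window
        peak, start = 0, 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed traffic: one worm-like host, one normal file-server client,
    one HTTPS client and one malformed line. Not real captured data."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.1.2.50 sweeps 25 neighbours on 445 within 25 seconds (worm-like)
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.2.50 10.1.2.{100 + i} 445")
    # 10.1.2.7 talks to a single file server on 445 over and over (normal)
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.2.7 10.1.2.10 445")
    # 10.1.2.8 makes a few HTTPS connections (wrong port, ignored)
    for i in range(5):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.2.8 10.1.2.{200 + i} 443")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for src, peak in find_smb_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct SMB targets inside the window")
```

Only 10.1.2.50 is reported. The threshold and window are site-specific: a backup server or a vulnerability scanner legitimately touches many hosts on 445, so put known scanners on an allow-list rather than raising the threshold until the rule is useless.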
It's also not a bad idea, particularly for large companies and government agencies, to consider educating employees through certification. Instruction and learning provided via credentials like the CyberSec First Responder offered by Logical Operations can help make every member of an organization an active participant in both implementing and maintaining sound information security practices.
Organizations can also beef up their cybersecurity staffs by paying for current employees working in other areas to certify in security and make a career switch. A smart CISO can handpick top workers and precisely tailor their training by carefully selecting among the numerous cybersecurity certifications on the market.
Ransomware is a toothpaste problem — it can't be put back into the tube. It's a never-ending war, and the best we can do is to always utilize data security best practices while simultaneously maintaining awareness of the latest threats.