What You WANNA KNOW About the WANNACRY Ransomware Attack & What You WANNA Do About it Now
By Walt Westfall, Director of Digital Transformation
& Greg Kiker, CISO and Cybersecurity Practice Director at cStor
WHAT IS HAPPENING
A widespread ransomware attack called “WannaCry” broke on Friday, May 12, affecting many organizations the world over, reportedly including major telcos, hospital systems and transportation providers. The attack purportedly spread to nearly 150 countries around the world.
This is the first ransomware worm to ever be seen in the wild. The malware responsible for this attack was a ransomware variant known as ‘WannaCry’. Expect new variants of WannaCry; the threats will continue.
WHAT IS WANNACRY
WannaCry is ransomware that installs through a vulnerability in the Microsoft SMB protocol, not through phishing or malvertising as with many malware attacks. SMB is a network protocol used to share files between computers.
The reason WannaCry was particularly effective is that it can spread laterally on the same network, automatically installing itself on other systems in the network without any end-user involvement. Once it’s in, it’s in. The malware was particularly effective in environments with Windows XP machines, as it can scan heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting files stored on them, and then demanding a ransom payment in the form of Bitcoin.
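The heavy TCP port 445 scanning described above is visible in network flow data as one host contacting many distinct SMB peers in a short time. The following is an added detection example, not code from the original article; the one-line flow format, the 60-second window, the threshold of 20 peers and all IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SMB_PORT = 445
WINDOW_SECONDS = 60    # assumed sliding-window length
FANOUT_THRESHOLD = 20  # assumed: distinct SMB peers per window that counts as a sweep

def find_smb_sweepers(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Map each source IP to its peak count of distinct TCP/445 destinations
    inside any sliding window, keeping only sources at or above the threshold.
    Input lines use a constructed format: 'epoch_seconds src_ip dst_ip dst_port'."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()
        if int(port) == SMB_PORT:
            per_src[src].append((int(ts), dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # destination -> connections inside the window
        start = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop connections that have aged out of the window.
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def sample_flows():
    """Constructed sample traffic (not real captures)."""
    # Normal client: repeated SMB sessions to a single file server.
    flows = [f"{1000 + 2 * i} 10.0.0.5 10.0.0.10 445" for i in range(30)]
    # Worm-like host: 40 distinct SMB peers within 40 seconds.
    flows += [f"{1000 + i} 10.0.0.66 10.0.1.{i + 1} 445" for i in range(40)]
    # Slow admin activity: 25 SMB peers, one every 150 seconds.
    flows += [f"{1000 + 150 * i} 10.0.0.7 10.0.2.{i + 1} 445" for i in range(25)]
    # Wide fan-out on another port (HTTPS) is ignored by this check.
    flows += [f"{1000 + i} 10.0.0.8 10.0.3.{i + 1} 443" for i in range(40)]
    return flows

if __name__ == "__main__":
    for src, peak in find_smb_sweepers(sample_flows()).items():
        print(f"{src}: {peak} distinct SMB peers within {WINDOW_SECONDS}s")
```

Tune the window and threshold against your own baseline; file servers, backup hosts and vulnerability scanners legitimately touch many SMB peers and usually need an allowlist.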
On March 14, Microsoft released a security update to patch this vulnerability. While this protected newer Windows computers that had Windows Update enabled, many computers globally remained unpatched. This is particularly true of Windows XP computers, which Microsoft no longer supports automatically and which require manual system updates and patches, as well as millions of computers globally running pirated software, which is (obviously) not automatically upgraded.
THE REALITY OF IMPACT
Even if you don’t think you were directly impacted in this attack, the truth is, WannaCry has impacted most companies in one of three ways:
- They have been infected, and they are knee-deep in remediation efforts.
- They have NOT been infected but realize an increased sense of urgency to proactively up their security game.
- They are ignoring the threat… hoping for a miracle.
RECOMMENDED ACTIONS TO TAKE
- If your organization has been infected, we assume you’re knee-deep in remediation work. A tip as you go: be sure to use a security consulting partner that brings both strategy expertise and proven security technologies. A few technologies are helping mitigate the impact of the WannaCry attack, such as Cylance and Darktrace. cStor consultants are also working closely with both firms and clients to prepare for any future variants of the threat.
- If you have not been infected, but realize an increased sense of urgency to up your game, that’s good! The sooner you begin working with an expert security consultant, the better. Many security firms are inundated with customer calls and emails about the attack. Your security consultant should follow up quickly (within 1 to 1.5 business days at most). The sooner you speak with an expert, the sooner you will be able to deploy an action plan to prevent the impacts of malware on your organization.
- If your company somehow managed to avoid an attack thus far and you think you’re in the clear, rest assured that sticking your head in the sand at this point could be your biggest mistake. This is likely the first of many increasingly harmful ransomware attacks to come. It’s imperative for the future protection of your employees, your customers and your company that you use this incident as a wake-up call.
If you cannot articulate a coherent strategy, your security consulting partner should be able to help you with it and get a plan of action for future prevention in place quickly. If you don’t have a trusted go-to security partner, find one quickly.
ARTIFICIAL INTELLIGENCE IS THE NEW WEAPON OF MASS DESTRUCTION AGAINST RANSOMWARE
Tools like Cylance leverage machine learning and artificial intelligence to successfully stop WannaCry on every system that was properly protected. In fact, tests were run on Cylance systems that had not been updated in over a year and they still stopped WannaCry.
As a side note, I have received dozens of emails from just about every anti-malware company, and not one of them, except Cylance, is claiming they stopped it, just how to “deal” with it.
Be sure to go to your initial security consultant meeting with an agenda that includes proper backup solutions that can be used to restore data quickly. This is key to recovering data without paying a ransom. Also, be sure to discuss patching and the process they recommend. Unpatched and old operating systems proved to be the biggest group of attacked systems. If companies patched and updated operating systems, the threat vector was greatly reduced.
Have your security consultant and the internal team also look at Darktrace, the only other technology with success at stopping WannaCry in its tracks.
- Machine Learning matters. Cylance and Darktrace did successfully stop WannaCry on their customer implementations because they use machine learning. Be sure to read Greg’s blog for a quick education.
- The heart of protection from future events lies in protecting your data, and in ensuring your systems are current with the latest patches.
While this outbreak in many ways turned into a non-event, by all expert assessments, attacks like it have only just begun. The hackers are getting more and more sophisticated in their attacks, and the underground networks are getting more organized and well-funded.
It is truly a good versus evil battle, but with the right partners and tools in place, you’ll have far more of a fighting chance. Our best recommendation is to take immediate, massive action now to better protect your business rather than wait for the next attack, even if you were not initially impacted by WannaCry.
Don’t hesitate to contact cStor’s cybersecurity practice for more information, to get all of your questions answered, or to schedule an initial consultation about your strategy and potential tools that could help protect your business from ransomware. You can also call us at 1.877.278.6781.