WannaCry, The Aftermath: How WannaCry Could Have Been WannaSmile
I have been working in the field of cyber security and related areas for over 20 years. In that time there have been many cyber incidents. Those that instantly spring to mind include the ‘I Love You’ virus, the OpenSSL security vulnerability ‘HeartBleed’, and the viral worm ‘Nimbda’. All of them are consumer level awareness incidents that became, if not household names, certainly business world names. In my 20 years of working in the industry, security incidents have come and gone. The mindset of ‘it’ll happen to someone else” is a very persistent one. But the build up of security incidents is now starting to hit home and the wake up call to ‘be prepared’ may have just happened. Security attacks that end up in the press are usually pretty big events, but the WannaCry ransomware attack of May 2017 will go down in history as something else. WannaCry made many of us shed real tears. At last count, it had impacted 150 countries, and over 400,000 computers were infected across all types and sizes of organization. It was the sheer scope and scale of the infection that made the world finally sit up and take note.
This article is a second in the series, the first looked at lessons learned from WannaCry. In this article, I want to talk about what we could have done to protect ourselves against both WannaCry and importantly any future cyber-attack. Most of us don’t have a crystal ball, so we cannot with 100% surety know what the next cyber-attack will be, but we can put in place certain measures to prevent an attack occurring on our watch.
Should you pay the ransom?
WannaCry Mistakes and How They Could Have Been Avoided
Nobody is perfect, and this includes groups of people like an organization. But even so, we can try and make systems as robust as possible and apply knowledge from lessons learned; the saying ‘knowledge is power’ is true. We can group the mistakes made in the WannaCry incident into general knowledge areas:
The computers #1 - Infection:
Data shows that WannaCry almost exclusively affected Windows 7 computers. The actual infection relied upon a known Microsoft SMB Server vulnerability known as EternalBlue. This vulnerability was fixed by Microsoft and released as a patch before the WannaCry incident. However, not everyone is vigilant in computer/software patching. Any un-patched computers were at risk as soon as WannaCry was released into the wild. Patching computers and applications is vital to control malware infection. Most malware relies on software vulnerabilities. Leaving known vulnerabilities open to exploit is tantamount to putting a big red flag on your company website saying ‘hack me please’.
The computers #2 - Open connections:
WannaCry was a very successful piece of malware because it used a technique of infection that many believe is likely to become more common as we become ever more Internet-connected. The ransomware hitched a ride on scanner malware that looked for port 445 to connect. If the port was open, the malware payload was inserted, and bingo, another infected computer - a bit like a domino effect.
Using anti-virus software and anti-ransomware software is also a good idea, as long as you keep it up-to-date and are not over-reliant on it.
The assets #1 - Data: WannaCry had a far-reaching impact on the organization affected. Lost data, also equates to lost time and productivity. The ransom price is not the only cost of a ransomware infection. Keeping backups of at least critical data is very important. You must make sure that the backup system you use is held offline from your central computer system to ensure the infection isn’t carried over to that storage area too.
The assets #2 - Other issues: But it isn’t always just about the data. The National Health Service (NHS) in the UK, for example, had to cancel operations and turn patients away because they couldn’t access health records. Paying for the decryption of encrypted files is not a good idea and can cause longer lasting effects. If you pay, you may well find yourself on a Dark Web list of ‘suckers’ willing to pay. You may then find your company singled out for another cyber-attack.
The people: Some of this is about the ‘why’. Why carry out this crime, when in the end relatively little money was made by the perpetrators? As of June 17, less than $150,000 was made from ransom payments. You can put this in perspective by comparing this to the $325 million made by CryptoWall ransomware. It is likely this incident was more about ‘hey look at what we can do’ or plain mischief by state sponsorship. The latest on this is that North Korea was behind the attack, but this is still conjecture. It has since been found that coding errors by the developers behind WannaCry have prevented the infection becoming even more widespread. This is not good news. Developers, like the rest of us, learn lessons from our mistakes. The ‘WannaCry update’ or it’s next incarnation, will have fixed this bug and we need to be wary of that.
Fighting Back With Knowledge
Some fairly basic practices can de-risk your company. But maintaining these practices is something that is less about technology and more about project and people management. Not all companies have the luxury of internal IT support. But increased cybersecurity incidents and associated costs have pushed these matters beyond the tech team and into the hands of the entire business. Now management is being forced to act on this by being proactive in security management. But not all is lost, fighting the actions of cybercrime is winnable using a mix of pragmatic computer hygiene and forward thinking. One of the most powerful tools in a company cybersecurity arsenal is knowledge. Making sure that employees are security aware, is the foundation stone of the holistic approach that we all need to take to keep our computers, assets, and people safe.
Staying One Step Ahead - WannaCry and Beyond
WannaCry is one in a long line of ransomware and other damaging malware. This last attack gives us pause for thought. It was in some ways, a little unusual in the operation of the malware. WannaCry, was self-propagating - a particularly virulent and aggressive form of ransomware that requires no user intervention. It used a dual mechanism action, using a ransomware payload to encrypt the files, fed into the system using an Internet scanner, finding open computer port to exploit. Traditionally, ransomware has been delivered via human intervention, and I am sure this method will continue to operate as it is successful. WannaCry’s human-free propagation, instead used the same type of technology as the Mirai botnet DDoS attack of October last year, scanning LAN’s and the Internet for victims, a worm then installing the payload onto the waiting machines by exploiting the SMB vulnerability. This method has proven to be very useful at disruption, although not as useful at collecting monies, it seems.
The fact is, cybercriminals play with different methods, honing their approach until they hit on a particularly successful one. They then modify the technique when the public works out a strategy of defense. We need to be vigilant and use foresight in how we approach our cyber-defenses. We cannot afford to focus on just one type of attack method. Like our cybercriminal counterparts, we too, need to apply the knowledge we have gathered from past attacks but also have the insight to be proactive in protecting our systems against possible future attacks. If the Windows 7 users had patched the SMB vulnerability, their computers could not have been exploited by WannaCry - but that doesn’t mean they could not have been exploited by other forms of ransomware and malware. We need to build ourselves a feedback loop built on knowledge and training of all users within a system.
See Infosec IQ in action
Shutting the stable door after the horse has bolted will only leave you open to future attacks from different vectors. Cyber security is now and has always been a holistic problem. The increasing Internet connectivity of computers and other devices will only act to make the situation worse, opening up holes within the fabric of our networks. IT needs an understanding of how humans behave as much as how technology is used, to crack the problem.
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- WannaCry, The Aftermath: How WannaCry Could Have Been WannaSmile
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
