WannaCry ransomware, expected to cost up to $4 billion, could have been drastically curtailed with automated patching.
WannaCry (AKA WanaCrypt0r, WCry, Wannageddon or another day of cyberinfamy), which marries ransomware with worm-type spread targeted at Microsoft Windows operating systems, is "the worst ransomware outbreak in history." But according to Jakub Křoustek, a lead on Avast's Threat Intelligence team, it could easily have been avoided through proper patch management. The attack, which began on May 12, has cost victims as much as $4 billion.
How'd WannaCry do its dirty work?
According to the United States Computer Emergency Readiness Team, the ransomware gained access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, as well as patches for Windows XP, Windows 8, and Windows Server 2003 on May 13.
First detected back in February, WannaCry appended the .WNCRY extension to each file it encrypted, so an affected file was renamed along the lines of original_name_of_file.jpg.WNCRY. The encrypted files were also marked by the WANACRY! string at the beginning of the file. Křoustek says the ransomware, available in 28 languages, predominantly targeted Russia, Ukraine, and Taiwan, but also infected major institutions, like hospitals across England and Spanish telecommunications company Telefónica.
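As an added example, not code from the article or from Avast: a small Python triage script that flags files by the two indicators the article names (the .WNCRY extension and the WANACRY! header), run over a constructed sample directory so it can be tried offline.

```python
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get a .WNCRY extension
# and begin with the ASCII marker "WANACRY!".
WNCRY_EXTENSION = ".WNCRY"
WANACRY_MAGIC = b"WANACRY!"


def classify_file(path):
    """Return the list of indicators a single file matches.

    Possible entries: "extension" (name ends in .WNCRY) and "magic"
    (content starts with WANACRY!). The checks are independent, so a
    file that was renamed after encryption still trips the header check.
    """
    hits = []
    if path.name.upper().endswith(WNCRY_EXTENSION):
        hits.append("extension")
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(WANACRY_MAGIC))
    except OSError:
        return hits  # unreadable file: report only the name-based hit
    if header == WANACRY_MAGIC:
        hits.append("magic")
    return hits


def scan_tree(root):
    """Walk root and map each suspicious file path (str) to its indicators."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = classify_file(path)
            if hits:
                findings[str(path)] = hits
    return findings


def demo():
    """Build a constructed sample tree, scan it, and return findings by file name."""
    root = Path(tempfile.mkdtemp(prefix="wncry_demo_"))
    # Constructed samples for illustration, not real ransomware output:
    (root / "report.docx.WNCRY").write_bytes(WANACRY_MAGIC + b"\x00" * 16)  # both indicators
    (root / "photo.jpg").write_bytes(WANACRY_MAGIC + b"\x01" * 16)          # header only
    (root / "notes.txt.WNCRY").write_bytes(b"plain text")                  # name only
    (root / "clean.pdf").write_bytes(b"%PDF-1.4 ...")                      # benign
    return {Path(p).name: hits for p, hits in scan_tree(root).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

On a real host, point scan_tree at user data directories; a "magic"-only hit is the more interesting finding, since the extension can be stripped by a user or a cleanup tool while the header cannot.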
Was it worth it for the hackers?
The group behind the attack demanded a ransom of $300-$600, but the demands escalated over time. The threat the ransomware made, claiming it would delete the encrypted files if the ransom wasn’t paid within 7 days, was fake, says Křoustek. Avast recommends against paying ransomware, in any case, because there’s no guarantee that the victim’s files will be decrypted, and payment encourages ransomware authors to launch more campaigns.
Recovery from infection isn't easy
Recovering from the infection is problematic. Any antivirus software should be able to remove the ransomware by quarantining the malicious files, but the files remain encrypted, and the encryption appears to be very strong (AES-128 combined with RSA-2048). Křoustek recommends recovering files from backup onto a clean PC with all patches applied and, for maximum security, doing so offline to minimize the risk of the backup storage being encrypted as well.
Be prepared for next time ... because there will be a next time
WannaCry is one more piece of evidence telling us about the growing cyberthreat spectrum, as companies continue to digitize their business through the Internet of Things (IoT) and artificial intelligence, says Forrester Principal Analyst Jeff Pollard. "Security as an afterthought is likely a self-inflicted (and near-fatal) wound for companies and institutions."
The cybersecurity professional community had been expecting something like the WannaCry ransomware attack for a long time, cautioned cybersecurity guru Jon Oltsik, Enterprise Strategy Group. He noted that software patching continues to be one of the more intensive operational activities for security and IT operations folks and always seems to be a struggle. He’d heard that "this patch was particularly onerous, which may have held operations back."
Ransomware and other malicious cyberattacks are going to continue to escalate as digital transformation, mobility and the Internet of Things spread wider and deeper. Regular, controlled patching and timely backups can significantly reduce threats and increase security.