Lessons Learned from the WannaCry Ransomware Attacks

While the waves of ransomware infections known as “WannaCry” have settled down, with a few scattered new infections reported in Asia (notably in South Korea and Taiwan), we can all learn an important lesson from the attacks. Unfortunately that lesson will be lost on many, if not most, organizations too quickly.

Throughout the day Friday, May 12, malware managed to infect a reported 230,000 systems in 150 countries. Many healthcare organizations were hit, but the attack affected all types of organizations in both the public and private sectors.

The primary way WannaCry spreads is through phishing emails and a self-propagating worm. When it strikes, the malware infects systems, encrypts them and then demands a ransom payment in Bitcoin.

This is the first time we’ve seen ransomware spread this rapidly and broadly, probably because it successfully couples (as far as I’m aware, for the first time) ransomware and worm capabilities. The spread was also boosted by the rather large number of Internet-connected Windows XP systems still running; Microsoft stopped supporting XP with patches some time ago.

From the perspective of the attackers, the malware was wildly successful, managing to infect organizations such as the National Health Service in Britain and a number of airlines and telecommunications providers.

The story behind the WannaCry malware runs deeper than most cyber-attacks. The code is reportedly based on a trove of exploits stolen from the National Security Agency (NSA). These threats, specifically the exploit known as EternalBlue, which attacks a Microsoft Windows vulnerability described in Microsoft Security Bulletin MS17-010, were released earlier this year. In a rare move, as a result of this attack, Microsoft decided to provide a Windows XP patch to users.

So what is the lesson here?

The lesson is that the advice we’ve heard from security professionals really does go a long way to preventing these attacks from being successful. And they are preventable.

What’s required to avoid this type of attack isn’t new:

  • Patch at-risk systems as vendors issue patches
  • Don’t run software that is no longer supported by the manufacturer
  • Train staff not to click on links and attachments
  • Have basic security controls in place
  • If a system doesn’t need to be connected to the Internet, restrict its access
  • Back up systems so that they can be reconstituted to known-good states much more readily

Patching in certain environments, such as healthcare, can be challenging. These organizations tend to be understaffed in IT, face legacy-system challenges, and are often bound by contractual terms with vendors that limit when equipment can be updated. And when patches are deployed in environments where a machine malfunction literally means life or death, they must be thoroughly tested to ensure uptime.

However, there are ways to mitigate the risk to systems that cannot be patched yet. Organizations can white-list the applications allowed to run on those systems, limit their network access, and take other reasonable compensating steps. Following these broad guidelines will help any organization run a more resilient environment and avoid attacks like WannaCry.
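The patch and network-restriction advice above, as an added example that is not part of the original post or DXC's own tooling: a PowerShell check that screens a Windows host for the MS17-010 exposure WannaCry used and, when the host is still unpatched, applies the compensating controls the post describes. The KB list is an assumption and must be taken from the bulletin for the host's OS; the registry key and cmdlets are standard Windows ones.

```powershell
# Added example (not from the original post): screen a Windows host for the
# MS17-010 exposure WannaCry used and, if it is still unpatched, apply the
# compensating controls the post recommends (disable the vulnerable protocol,
# restrict network access). Run in an elevated PowerShell session.
param(
    # Assumption: KB identifiers for MS17-010 differ per OS; take them from the
    # bulletin for the host in question rather than trusting this list.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598'),
    [switch]$Enforce   # without -Enforce the script only reports
)

function Test-Ms17010Patched {
    param([string[]]$Kbs)
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) { if ($installed -contains $kb) { return $true } }
    # Caveat: on cumulative-update OSes a later rollup supersedes these KBs
    # without listing them, so a miss here is a prompt to verify, not proof.
    return $false
}

$Smb1Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb1Enabled {
    # MS17-010 fixes SMBv1. Newer hosts expose the setting via the SMB cmdlets;
    # older ones only via the LanmanServer registry value, where an absent
    # value means the default, which is enabled.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    $val = Get-ItemProperty -Path $Smb1Key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

$patched = Test-Ms17010Patched -Kbs $Ms17010Kbs
$smb1On  = Test-Smb1Enabled
Write-Host "MS17-010 patch present : $patched"
Write-Host "SMBv1 enabled          : $smb1On"
if (-not $patched -and $smb1On) {
    Write-Warning 'Host is exposed to the MS17-010 worm vector.'
    if ($Enforce) {
        # Compensating controls for a system that cannot be patched yet: turn
        # SMBv1 off (registry method works on old and new hosts; takes effect
        # after a restart) and block inbound SMB (TCP 445) at the host firewall.
        Set-ItemProperty -Path $Smb1Key -Name SMB1 -Type DWord -Value 0 -Force
        New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
        Write-Host 'Applied: SMBv1 disabled (restart required), inbound TCP 445 blocked.'
    }
}
```

Blocking inbound 445 also breaks legitimate file sharing to that host, so scope the rule (for example with -RemoteAddress) to what the system actually needs.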

And now’s the time to start. If history is any guide, we’ll see copycat attempts in the weeks and months ahead. Once a tactic has proven itself to be successful, it’s copied and used repeatedly. The threat won’t stop at new versions of WannaCry (which are already popping up) but will extend to entirely new strains of malware that couple “wormable” exploits with ransomware attacks.

Time to take heed of all of that good advice our security experts have been sharing for decades now.

This post first appeared on DXC.Technology in May 2017.

Author: George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.