Summary Bullets:
- WannaCry, the largest-ever ransomware attack, is likely a harbinger of what’s to come.
- The emergence of ransomware highlights the importance of tying security to data backup and recovery.
Suddenly, the whole world knows about ransomware.
While ransomware is no secret to those in the cybersecurity industry who have seen a steadily growing number of isolated incidents, to everyone else, ransomware made its presence broadly known late last week. The largest-ever single ransomware incident, a variant of the WannaCrypt strain known (aptly) as WannaCry, caught tens of thousands of organizations in at least 150 countries by surprise, likely causing millions if not billions in damage.
Microsoft took the unusual step Sunday of confirming what had been suspected since the WannaCry attack began Friday: that its unique delivery mechanism, affecting Windows systems from XP through Server 2012, was derived from an exploit called EternalBlue, which had been stolen from the National Security Agency and leaked to the web last month.
As of midday Monday, researchers indicate that WannaCry is likely waning, but its implications are only just becoming clear.
The vulnerability WannaCry exploits is wormable, which is what enabled the ransomware to self-propagate with the same speed and success of the infamous early computer worms like Morris, ILOVEYOU, and Melissa. WannaCry is essentially a successful proof of concept, meaning malware authors everywhere will no doubt turn their attention to creating ransomworms that can spread farther, faster, and affect a wider range of devices. While wormable computer exploits aren’t common anymore, nation-state groups like the NSA, GCHQ, Russia’s GRU, and several in China are believed to stockpile them; like with EternalBlue, it’s probable that criminal groups have or will steal more and attack those exploits widely for financial gain. Or, even worse, consider an actor deploying a ransomworm not for profit, but merely to render an adversary’s data permanently inaccessible. WannaCry may seem like an anomalous event now, but it’s certain to be the first of many, and likely won’t be the worst.
Enterprise security vendors have long been sounding the alarm about ransomware, and many will redouble those efforts in light of WannaCry. It is critical that ransomware awareness efforts not exist merely as extensions of broader product marketing campaigns. There is no silver bullet for ransomware, and it is disingenuous for any vendor to position its solutions as such.
Instead, the emphasis should be on sound, solution-agnostic security and data management practices, in particular:
Patch Early and Often – Attackers will always attempt easy exploits, and nothing is easier than compromising a system with known vulnerabilities. Any device with software or firmware should be updated as quickly as is feasible.
Avoid Legacy Systems – Many of the systems hit by WannaCry were Windows XP, which hasn’t been supported by Microsoft for more than three years. Systems that can’t be adequately protected shouldn’t contain or have access to valuable or sensitive data.
Practice Defense-in-Depth – Some vendors position layered security as passé, but it’s still critical for enterprises to have a variety of security solutions in place on networks, servers, endpoints, and in the cloud.
Backup Processes Matter – Successful ransomware attack recovery relies on regular data backups and reliable restoration processes. Security teams rarely have much influence here, but they must now ensure backup and recovery solutions can accommodate real-world ransomware recovery scenarios.
Enterprises should start here and rely on vendors and partners they trust to assess their ransomware risk, including to WannaCry, and implement appropriate additional mitigation tactics.
IT Connection 