After the events of May 2017, cyber security teams may finally be able to eat at the adults' table of respect at organisations worldwide. What had been predicted, yet often ignored for more than a decade, had materialised in the form of the WannaCry cyber attack: a service-extinction level event which left some of the world's most famous brands and the UK's health service crippled and ultimately red-faced.
The media feeding frenzy was swift and harsh; those with little prior interaction with cyber security now have the term ransomware forever imprinted on their list of fears. Maybe it was a cyber attack initiated by ISIS, as some exclaimed in sensationalist self-excitement. At the time of writing it is not clear who launched this ransomware attack; however, based on previous examples, it is unlikely to have been inspired by religious extremism and far more likely to have been financially motivated.
Finger-pointing aside, the topic of ransomware has subsequently and unsurprisingly climbed up the list of priorities for IT teams and organisations alike. The question sitting at the top of whiteboards in meeting rooms is: how can we prevent this from happening again?
Re-Thinking the Question of Cybercrime Prevention
Sadly, the answer to the above question is that you cannot. The problem of global cybercrime is much bigger than one board room discussion. These types of attacks will continue, and will go on causing large-scale problems for critical infrastructure, so the question we should be asking instead is how best to reduce our exposure to such events.
Below are just eight possible ways to help you combat a summer of ransomware:
Filter Web and Email Access – Phishing is ransomware distributors' preferred vector for infection; in fact it is reported that 93% of phishing emails now contain ransomware as their payload. Therefore, scanning email and web-based traffic for malicious files, links and IP addresses, and using methods such as SPF (Sender Policy Framework) lookups and DKIM (DomainKeys Identified Mail) checks, is imperative in order to remove known threats from the landscape before they reach a user.
Train Your Users to be Vigilant – How often do we hear that humans are the weakest factor in any security solution? This fact has not escaped cybercriminals either. Training users to be vigilant, and even simulating attacks such as ransomware, increases the organisation's ability to detect unknown threats which have not been picked up by the scanning of email and web channels.
Stick to Your Patch Schedule – During the WannaCry ransomware attack of May 2017, it was reported that some affected endpoints had not been patched for over 10 years. It may seem obvious but patching is more critical today than it has been previously, with hundreds of thousands of new malware samples released daily. The WannaCry ransomware variant exploited a known Microsoft Windows vulnerability which had been patched by Microsoft prior to the infection.
Endpoint Firewalls in a Porous World – The EternalBlue vulnerability utilised by WannaCry used an SMBv1 (Server Message Block) buffer overflow to move files to endpoints silently. Most mature organisations will already be discontinuing the use of older protocols such as SMBv1 and blocking all SMB connections from the internet. However, when a laptop is on a coffee shop internet connection, this may not be the case. To ensure the same level of protection in a porous networked world, endpoints should have personal firewalls blocking the same protocols that the organisation's network blocks at its perimeter.
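The endpoint-level equivalent of those perimeter controls, as an added example that is not from the original article: a PowerShell script that audits a Windows endpoint, disables SMBv1, and adds a host firewall rule blocking inbound SMB on untrusted (Public and Private) network profiles while leaving the Domain profile alone so office file shares keep working. It assumes a Windows 10 client with the built-in SmbShare, DISM and NetSecurity modules, run from an elevated session; the rule name is an arbitrary choice.

```powershell
# Added example (not from the original article): audit and harden a Windows 10
# endpoint so it neither speaks SMBv1 nor accepts inbound SMB on untrusted networks.
# Assumes built-in SmbShare, DISM and NetSecurity modules and an elevated session.
#Requires -RunAsAdministrator

# 1. Report and disable the server-side SMBv1 protocol if it is still on.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled on $env:COMPUTERNAME; disabling."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. Remove the SMB1Protocol optional feature (client and server components).
#    On Windows Server the equivalent is the FS-SMB1 feature via Remove-WindowsFeature.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Block inbound SMB (NetBIOS session TCP 139 and direct SMB TCP 445) on the
#    Public and Private profiles only; the Domain profile is left for corporate shares.
$ruleName = 'Block inbound SMB on untrusted networks'   # arbitrary name chosen here
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Public,Private -Enabled True | Out-Null
}

# 4. Re-audit and emit one object so endpoint management can log compliance.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Smb1Server   = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1Feature  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    SmbBlockRule = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
}
```

A reboot is needed for the feature removal in step 2 to take full effect, so the Smb1Feature field may still report a pending state on the first run.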
Anomaly Hunting – Sometimes referred to as APT (Advanced Persistent Threat) detection and prevention, a whole industry of solutions, including the traditional anti-virus vendors, has appeared in this space. Machine learning and analytics that interrogate endpoints about every process and function taking place can uncover anomalies and indications of attempted or successful infection.
Backups – Once files and folders on an endpoint have been encrypted it is unlikely that this process can be reversed. For some older strains of ransomware, tools have been released which can reverse the encryption; however, with a 300% increase in ransomware samples in 2016 alone, it is unlikely that such tools will keep pace. With the overwhelming advice being to avoid paying ransoms and thereby funding further ransomware campaigns, the only real option for recovery is to take frequent backups. In particular, it is advised that these backups are not stored on the same endpoint, as some variants of ransomware delete system restore points and local backups to prevent recovery.
Risk Register – Before any IT or information security incident occurs, organisations should possess a risk register. This could be as simple as an Excel spreadsheet which outlines risks, their likelihood and their impact on the business. Some endpoints, servers and other resources will carry a higher level of risk and impact to the organisation should they be infected or taken offline. Such risks need recording so that boards are aware of their exposure and can plan mitigating solutions.
Incident Response Plan – How your organisation reacts to a ransomware attack is going to matter more during the inevitable event than attempts at preventing it. IT teams and SOCs (Security Operations Centres) should have a documented plan detailing the planned steps for how to respond and react. Incident response plans should include notification of the board and staff, methods for users to report infection, and plans for containment, analysis, remediation and recovery. A well thought-out, rehearsed and consistent incident response plan will ensure ransomware attacks have minimal and contained impact on operations.
A Summer of Ransomware
In the end, the WannaCry attack was thwarted by an unassuming hero who, after studying the attack, found that it had a kill switch. During infection, the ransomware would attempt to contact an unregistered domain; if there was no response it would continue on its path of encryption, whereas if it did receive a response it would cease to function. By registering the domain for less than £10, the attack was stopped.
We will never know if the kill switch was intentional or if it had another function. What we can guarantee, however, is that there will be new versions of WannaCry with this weakness removed. After all, if your motivation is financial, a ransomware variant which can infect millions of endpoints is an attractive proposition to spend time modifying.
So it would seem likely that we are in for a summer of ransomware: if 2016 had not already seen extraordinary, exponential growth in ransomware usage, 2017 may come to make it look like the calm before the storm.
Prevention is futile, preparation and impact minimisation is the focus.