Don’t WannaCry Again? Take These 3 Steps

Question: Why are security practitioners so freaked out by last month’s WannaCry outbreak?

Answer: Because of its speed of infection. In just five days after it was reported in the wild on May 12, WannaCry had infected 216,000 endpoints in over 150 countries, with 75,000 of those endpoints infected on the first day alone!

WannaCry spread so quickly because its developers combined its ransomware component with a worm. Built on a vulnerability from a National Security Agency (NSA) toolkit leaked by hacker group The Shadow Brokers (TSB), WannaCry took advantage of an internal SMB (Server Message Block) vulnerability in Windows devices. The worm component exploited that flaw not only to propagate across endpoints on a network but also from network to network.

The Looming Risk

Why is the advent of WannaCry so concerning for organizations? After all, WannaCry did little lasting damage after the initial havoc it wreaked. Less than 0.1 percent of victims paid the ransom, for a total of under $105,000 as of May 22.

Well, imagine marrying the worm component of WannaCry with a more devastating payload, such as a new variant of Locky ransomware or so-called “destructive” malware like Shamoon 2.0, whose own precursor Shamoon destroyed over 35,000 Aramco workstations and put 10 percent of the world’s oil in jeopardy. Pairing either with a worm that can spread so quickly across and between networks means that only one vulnerability or one successful phishing exploit could fast-track a payload that could destroy your entire network and the data it holds before you know you’ve been infected.

Given the never-ending technological advances and the increasing ease of accessing new strains of malware, it is only a matter of time before the same bad actors who can buy a lifetime Stampado ransomware license for $39 will be able to purchase something far more damaging at similar pricing (even malware authors enjoy passive income streams!). The fact that groups like TSB are now offering a monthly subscription of zero-day exploits for $21,000 per month makes building and disseminating ever more dangerous iterations of malware easier than ever, and it should worry anyone with anything to protect.

3 Baseline Steps to Take Now

I realize no silver bullet exists to “solve” the inevitable WannaCry variants, let alone all the countless other threats out there. But make sure your organization is taking these three baseline steps to avoid being the proverbial low-hanging fruit to these opportunistic threat actors, who, in the case of WannaCry, took advantage of a vulnerability that was made public well before the attacks took place.

  1. Patch your systems. This is something we security analysts have been harping on since the 1990s. Make sure your systems are patched. Keep up to date with Microsoft Patch Tuesdays and with related patches for other operating systems and apps. The issue here isn’t so much whether a piece of malware is known or a zero-day; it’s fortifying your systems so that threat actors can’t take advantage of easy entry points in their attempts to infiltrate them.
  2. Educate your end users. Too many attacks use social engineering to break into your systems, most obviously through phishing attacks. Employees may unwittingly give up their credentials or usher in malware through a well-crafted phishing email. Educate them about the realities of phishing and their consequences. Then implement regular “phishing” tests to monitor the percentage of employees who still click on suspicious email links and to interactively teach them strategies to avoid real phishing in the future.
  3. Conduct an honest risk assessment of your organization. Once you’ve implemented the aforementioned strategies, it’s time to conduct a brutally honest risk assessment of your organization’s overall security posture. Where are your gaps in protection? Who is responsible for the various layers of your security stack? How can you better structure your organization to maximize protection and communication? What types of technologies would facilitate better incident detection and response?

The last step can actually be broken down into many steps, and I realize any risk assessment can seem like an overwhelming task. But without that final step, you have no way of knowing how well your organization will protect against and mitigate threats.