The first many of us heard of WannaCry was over two years ago, when it was announced that a number of NHS Trusts were experiencing some kind of cyber-attack. It then transpired that Telefónica had already suffered the same fate in Spain, and reports soon arrived from many different sources making it clear that this was far more widespread than a handful of NHS Trusts or a few larger companies.
Over the next few hours we watched the worm spread around the globe. More and more infections were reported, and social media was alight with comments and screenshots for hours as more and more people fell victim to WannaCrypt, which was soon dubbed WannaCry.
Very soon we were looking at numbers as high as 200,000 infections worldwide. Had this been a traditional ransomware campaign, that would not have been too painful for many organisations: they would have been facing a ransom of a few hundred dollars, which many would see as an acceptable price to recover their files quickly, and many would have paid it without much delay. Instead, with the ransom demanded per infected machine and hundreds or thousands of machines hit in a single organisation, what we had was organisations facing total ransom payments running into many thousands of dollars. For the majority, the only realistic option was a massive clean-up operation: rebuilding affected computers and restoring files, where possible, from backup.
This left many IT staff facing a long weekend working day and night to get their business back to a position where it could operate on the Monday morning. Because this has been such a high-profile incident we can clearly see that for many this simply has not been possible; many organisations are still in disaster recovery or are limping along, some reverting to paper as a means of communication.
It does not get much worse than this. For the person responsible for providing IT services within an organisation, this is absolutely the worst nightmare situation.
We should sympathise with some of these larger organisations, though. Many run bespoke applications that were developed for Windows XP or Windows Server 2003 and are not compatible with later, more secure operating systems, and the cost of both re-developing the applications and migrating to new operating systems is prohibitive.
This, unfortunately, makes them sitting ducks. As new exploits are discovered, they are dependent on their existing security measures and on vendors living up to their claims about protection levels. We have seen Microsoft release an emergency patch to prevent the spread of the worm on these systems, but we cannot rely on Microsoft doing that in the future, as these systems are well beyond end-of-support. Even if Microsoft does release patches for exploits found in the future, we have just seen that it takes a couple of days for them to become available. What option do you have in the meantime: shut down all of your systems until you can apply the patches?
That is simply not an acceptable approach. Security vendors and suppliers must step up and work with these organisations to provide the level of protection that is now needed. Many newer vendors are doing exactly that, and are thinking of new ways to detect malicious behaviour and stop it in its tracks.
The old approach of detecting threats and attacks by using signatures to identify known behaviours is woefully outdated, and it leaves many organisations exposed to the huge cost of remediation and the enormous number of engineering hours it consumes. Recently, NSS Labs performed a Total Cost of Ownership and Effectiveness test across a number of endpoint protection vendors. It showed that a 500-user company can potentially spend $1,250,000 cleaning up a single cyber-security incident. That is a big enough number for any organisation to lose, and it is sure to rise after this most recent incident.
At AVR International we have championed a move towards analysing behaviour in real time and stopping threats as they execute, rather than trying to recognise them before they run. This may sound like a risky approach, but when you look at what is actually happening these days it is absolutely the right one. Having run samples of WannaCry and examined the forensics after execution, it is frightening to see how quickly this particular threat works. The ransomware itself does seem to have one weakness, though: it creates new files and writes the encrypted content into them, but does not delete any of the originals until it has finished encrypting. Every piece of ransomware we have analysed up to now follows the same simple pattern: create, write, delete.
This means that if you can stop the ransomware while it is still executing, you do not lose any files. The system does not look pretty, with encrypted copies sitting alongside the originals, but you can carry on working. Many "next-generation" vendors are able to do this, and it allows us not only to avoid paying ransoms but also to remediate at a more leisurely pace.
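The create, write, delete pattern described above can be turned into a behavioural rule directly. The following is an added example, not code from this article or from AVR International's products: a small detector that consumes a stream of file-system events and blocks a process once it has written a few new files whose contents look like ciphertext, i.e. at the create and write stage, before any delete. The event format, the three-file threshold, the 7.0 bits-per-byte entropy cut-off, the ".enc" extension and the simulated processes are all assumptions made for illustration. The simulation replays both orderings of the pattern, delete-per-file and delete-only-at-the-end, and counts how many originals survive when the process is stopped at detection.

```python
"""Behavioural ransomware detection over a simulated file-event stream.

Added example, not code from the article or from AVR International.
Assumed for illustration: the event tuple format, the 3-file threshold,
the 7.0-bit entropy cut-off, the ".enc" extension and both simulated
processes.  The only behaviour taken from the article is the pattern it
describes: create an encrypted copy, write it, delete the original,
either per file or only once every file has been copied.
"""
import math
from collections import Counter, defaultdict

# Constructed stand-ins for real data, not captured from malware:
# ciphertext has about 8 bits/byte of entropy, a text document far less.
CIPHERTEXT_LIKE = bytes(range(256)) * 4   # entropy exactly 8.0 bits/byte
DOCUMENT_LIKE = b"Quarterly report. Revenue was flat. " * 30


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareDetector:
    """Blocks a process once it has written N encrypted-looking new files.

    Triggering on the create+write stage rather than waiting for deletes
    is what lets a behavioural tool stop the process before it reaches
    the delete stage the article describes.
    """

    def __init__(self, max_encrypted_files=3, entropy_threshold=7.0):
        self.max_encrypted_files = max_encrypted_files
        self.entropy_threshold = entropy_threshold
        self.created = defaultdict(set)    # pid -> paths it created
        self.encrypted = defaultdict(set)  # pid -> created paths with high-entropy content
        self.blocked = set()

    def feed(self, pid, op, path, data=b""):
        """Consume one event; return True if the process is (now) blocked."""
        if pid in self.blocked:
            return True
        if op == "create":
            self.created[pid].add(path)
        elif op == "write" and path in self.created[pid]:
            if shannon_entropy(data) >= self.entropy_threshold:
                self.encrypted[pid].add(path)
                if len(self.encrypted[pid]) >= self.max_encrypted_files:
                    self.blocked.add(pid)
                    return True
        return False


def simulate_ransomware(detector, originals, delete_per_file, pid=4242):
    """Replay the create/write/delete pattern; return surviving originals.

    delete_per_file=True : delete each original right after its copy.
    delete_per_file=False: delete originals only after all copies exist,
                            the ordering the article reports for WannaCry.
    Events after the detector blocks the process are never executed,
    which models a sensor killing the process at that point.
    """
    surviving = set(originals)
    copied = []
    for path in originals:
        enc = path + ".enc"                      # hypothetical extension
        if detector.feed(pid, "create", enc):
            return surviving
        if detector.feed(pid, "write", enc, CIPHERTEXT_LIKE):
            return surviving
        copied.append(path)
        if delete_per_file:
            if detector.feed(pid, "delete", path):
                return surviving
            surviving.discard(path)
    if not delete_per_file:
        for path in copied:
            if detector.feed(pid, "delete", path):
                return surviving
            surviving.discard(path)
    return surviving


def simulate_benign_save(detector, path, pid=100):
    """A word processor saving a new document must not be blocked."""
    detector.feed(pid, "create", path)
    return detector.feed(pid, "write", path, DOCUMENT_LIKE)


if __name__ == "__main__":
    docs = [f"C:/Users/alice/Documents/file{i}.docx" for i in range(10)]
    kept = simulate_ransomware(RansomwareDetector(), docs, delete_per_file=False)
    print(f"delete-at-end variant: {len(kept)} of {len(docs)} originals survive")
    kept = simulate_ransomware(RansomwareDetector(), docs, delete_per_file=True)
    print(f"delete-per-file variant: {len(kept)} of {len(docs)} originals survive")
    print("benign save blocked:", simulate_benign_save(RansomwareDetector(), docs[0]))
```

With the ordering the article describes (deletes only after every copy is written) the process is blocked at its third encrypted write and every original survives; with a per-file delete, two originals are already gone by the time the threshold trips, which is why a real product keys the rule to the earliest stage it can (the write of encrypted-looking data into a newly created file) and why the threshold has to be low enough to act before much damage is done yet high enough that a normal application saving a compressed or encrypted document is not killed.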