“April is the cruelest month,” T.S. Eliot wrote, but if he were alive today and working in cybersecurity he might have chosen May.
This month saw a ransomware cyberattack that was startling in its scale, affecting hundreds of thousands of computers around the world in networks ranging from railways to hospitals, causing treatment delays for patients in the UK. While the WannaCry attack was entirely preventable, it can offer several lessons about prevention and resilience that bear repeating.
The price of complacency
This latest strain of ransomware exploits a vulnerability in the Windows file-sharing service (SMB) using exploit code that, according to Microsoft, was stolen from the National Security Agency (NSA) and later published.
Microsoft had released a patch for the vulnerability two months before this attack, in March 2017, but the attack’s massive scale showed that many computers, especially in businesses and services like transit, hadn’t been updated or were running out-of-support versions of Windows such as Windows XP, for which a patch was issued only after the outbreak began. This is unfortunately very common in the industry.
WannaCry is big, but it’s no “digital Pearl Harbor” as some pundits have claimed. What set it apart from typical malware, which needs a user to open an attachment or click a link, is that it is a worm. Once running, it scanned for other machines exposing the vulnerable SMB service on TCP port 445, both across the internet and, once it had a foothold inside an organization, across the internal network, and it infected them with no user action at all, including machines that were never reachable from the internet themselves. Contrary to some early reporting, WannaCry does write its files to disk; what let it outrun traditional antivirus was that it needed no user interaction and spread faster than new signatures could be pushed out. Once inside a system, it encrypts files and demands a ransom of $300, payable in bitcoin.
That isn’t much, but it’s easy money for the criminals, who didn’t even bother to create something sophisticated. In fact, as reports have indicated, early versions of the malware contained a “kill switch”: before spreading, the code checked whether a particular unregistered web domain answered, and once a researcher registered that domain, newly infected machines stopped, which slowed the initial spread. A sophisticated attack could have done far more damage. Indeed, WannaCry shows how easy it is to launch malware on a global scale: the exploit it rode on was already public, and criminals who can’t manage even that can buy ready-made “ransomware as a service” kits. These days, hackers don’t even need to know how to code to attack systems and make money.
Get smart and fight back
Think about the hype around the WannaCry attack. Now think about all of the other equally or more dangerous ransomware attacks we’re not hearing about, but that happen every day. WannaCry is dominating news cycles, but in the total landscape of ransomware, it’s a blip. We have to train ourselves to be resilient against cyberattacks in general and not play the cyber equivalent of whack-a-mole by focusing on one. Being resilient means being able to take a hit, or an infection, and recover quickly.
Indeed, WannaCry reminds us of a few important ransomware lessons. First of all, you should regularly back up your data, and keep the backups offline or otherwise out of reach of an infected machine, since ransomware typically encrypts any network share it can write to and deletes local shadow copies; that way you’ll never need to pay a ransom to get your data back. Paying is never a good idea. It emboldens and finances criminals and there’s no guarantee you will actually get the key to unlock your files. What’s more, the malware could linger on your system even after payment, meaning your data could once more be held hostage, in some cases by the very same criminals.
How can you protect yourself and your organization from these kinds of ransomware attacks? Here are nine must-do steps to shore up your defenses:
1. Install the latest updates for your operating system, web browser and antivirus software, and enable automatic updates so you don’t depend on someone remembering to run them. If you’re concerned this could disrupt your operations, schedule installation during downtime or off-peak hours.
2. Check that your systems don’t expose any unnecessary connections (including ports and protocols) to other computers. WannaCry spread over the SMB file-sharing service on TCP port 445, which should never be reachable from the internet and should be open internally only where file sharing is actually needed. Is your security technology able to see, with granular visibility, all traffic and connections on your network?
3. No users should be assigned administrative access unless absolutely needed. Likewise, all users should have their access privileges minimized to limit how far malware can spread with a compromised account’s rights. The best security technology will, by design, be able to segment access.
4. Implement a data backup and recovery plan that keeps copies of sensitive or proprietary data in a separate and secure location, and test the restore procedure regularly; a backup you have never restored from is not yet a backup.
5. Practice online hygiene: Scrutinize links in emails, do not open attachments in unsolicited emails, and only download software – especially free software – from sites you know and trust.
6. Develop, institute and practice employee education programs for identifying scams, malicious links and other forms of fraud. Update them regularly.
7. Have penetration tests run against your network at least once a year.
8. Create monitoring scripts or alerts that flag a process or system modifying an unusually large number of files in a short period of time, which is what encryption in progress looks like from the file system’s point of view.
9. Share information with peers and the wider community, and support organizations, such as the Cyber Threat Alliance and appropriate Information Sharing and Analysis Centers (ISACs), that do so. Information-sharing strengthens our collective resilience against future attacks.
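As an added illustration of step 8 (this is not code from the article or from any product it mentions), the following Python script implements the kind of monitoring logic described: it reads file-activity events, keeps a sliding window per process, and raises an alert when one process touches more than a threshold of distinct files within a few seconds, noting how many of the writes in that window went to a single file extension. The log format, host name, process names and the events themselves are constructed for the example; a real deployment would feed it from Sysmon, auditd, an EDR agent or a file server’s audit log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical event format, constructed for this example (not a real product's log):
#   <ISO-8601 timestamp> host=<host> pid=<pid> proc=<image> op=<WRITE|DELETE|RENAME> path=<path>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>WRITE|DELETE|RENAME) path=(?P<path>.+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def extension_of(path):
    """Lower-case extension of the file name in a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window_seconds=10, threshold=50):
    """Alert on any (host, pid, proc) that touches >= threshold distinct paths within a
    sliding window of window_seconds. One alert per process, recorded when the threshold
    is first crossed, with the share of writes in that window that went to a single
    extension: a burst of writes that all end in one unfamiliar extension is the classic
    ransomware pattern, whereas a compiler or backup job touches many extensions."""
    window = timedelta(seconds=window_seconds)
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])  # stable sort keeps same-timestamp order
    recent = defaultdict(deque)  # process key -> deque of events inside the window
    alerts = {}
    for ev in events:
        key = (ev["host"], ev["pid"], ev["proc"])
        q = recent[key]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events that fell out of the window
            q.popleft()
        touched = {e["path"] for e in q}
        if len(touched) < threshold or key in alerts:
            continue
        writes = [e for e in q if e["op"] == "WRITE"]
        ext_counts = defaultdict(int)
        for e in writes:
            ext_counts[extension_of(e["path"])] += 1
        top_ext, top_n = max(ext_counts.items(), key=lambda kv: kv[1], default=("", 0))
        alerts[key] = {
            "first_seen": ev["ts"],
            "files_in_window": len(touched),
            "dominant_write_extension": top_ext,
            "dominant_write_share": top_n / len(writes) if writes else 0.0,
        }
    return alerts


def build_sample_events():
    """Constructed sample input (not real telemetry): one user saving a few documents at a
    normal pace, and one process that encrypts 120 documents in six seconds, writing each
    as <name>.WNCRY and deleting the original."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i in range(3):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} host=ws-042 pid=1200 proc=winword.exe op=WRITE "
                     f"path=C:\\Users\\ann\\Documents\\report{i}.docx")
    for i in range(120):
        ts = (base + timedelta(milliseconds=50 * i)).isoformat()
        doc = f"C:\\Users\\ann\\Documents\\invoice{i:03d}.xlsx"
        lines.append(f"{ts} host=ws-042 pid=3344 proc=tasksche.exe op=WRITE path={doc}.WNCRY")
        lines.append(f"{ts} host=ws-042 pid=3344 proc=tasksche.exe op=DELETE path={doc}")
    return lines


if __name__ == "__main__":
    for key, alert in detect_bursts(build_sample_events()).items():
        print(key, alert)
```

Run as-is, the script alerts on the constructed burst (50 distinct paths touched within 1.2 seconds, every write going to one new extension) and stays silent for the editor saving three files a minute apart. In practice the threshold and window need tuning per host role, and legitimate bulk writers (backup agents, build servers, indexing services) need an allow-list, otherwise the detector will page you for your own backups.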
If you do get infected, disconnect the machine from the network immediately so a worm like WannaCry can’t keep spreading, then report it to local law enforcement and provide them with the relevant log information. As for your computer, it’s best to reinstall the operating system and restore your data from a clean backup copy.
WannaCry may have been a learning experience for everyone, but these types of attacks are the new normal. Following the tips above will enhance everyone’s cyber hygiene and not just for ransomware attacks. If such steps were implemented, we could prevent, or at least reduce, a majority of threats. We should also avoid the blame game.
Cybersecurity is a shared responsibility among all stakeholders and we can’t be bickering with one another while the criminals laugh and take advantage of our confusion. WannaCry is only a small taste of what could happen in the future. It is yet another wake-up call to become smarter than criminals, increase our cyber resilience and design our systems and our teams to prevent attacks.
Written by William H. Saito, Special Advisor, Cabinet Office (Government of Japan)