For many people, WannaCry was the first they’d heard of ransomware. Others had only a vague awareness of the problem. But one thing is certain: after recent events, most people are now aware of ransomware and its potentially crippling effects on IT systems.
So, what is WannaCry?
WannaCry was the largest ransomware epidemic in history. Like all ransomware attacks, it encrypted data stored on the victim’s computer and sought to extort money in return for restoring the files to their original state.
Perhaps the main reason for WannaCry’s success is the fact that it spread using the ‘EternalBlue’ exploit leaked by the ShadowBrokers group in April: this allowed the ransomware to spread automatically, without the need for human interaction.
On Friday 12th May, several large organisations reported an infection simultaneously. Among them were several British hospitals that had to suspend their operations.
As the news about WannaCry broke, it quickly became apparent it was spreading fast, and soon companies and organisations from around the globe were putting their hands up to report that similarly crippling attacks had taken place on their computer networks.
For businesses, the threat from ransomware is very clear. It’s not just the direct cost of the ransom payment that can impact businesses, but also the down-time, remedial actions and reputational costs.
There is, however, a serious perception problem. The headline-grabbing stories were about big enterprises and organisations like the NHS. But the truth is that WannaCry, like other ransomware attacks, didn’t selectively pick its targets: any vulnerable computer was open to attack. Although Microsoft had provided a security update in March, many organisations hadn’t applied the patch.
The threat has brought into question how well prepared businesses are for these types of situations, as criminals are becoming increasingly creative and professional.
What should an organisation do if they’re affected by ransomware?
In the case of ransomware, it’s clear that financial gain is the driving factor. While the ransom demanded by the creators of WannaCry might seem like a small price to pay to restore access to your files ($300 to $600), I would strongly recommend never doing so.
First, there’s no guarantee that the criminals behind the attack will restore encrypted data – Kaspersky Lab estimates that around 20 per cent of people who paid a ransom in 2016 did not recover their data. Second, it only serves to justify these criminals’ business model.
Since the WannaCry attack there have been a number of publicly available tools released that aim to decrypt data encrypted specifically by WannaCry. However, they only work for certain versions of software – and then, only under certain conditions (such as if the computer has not been rebooted following infection). For other ransomware, you should check the NoMoreRansom web site, to see if there’s a free decryption tool that can be used to restore your data.
The UK’s National Cyber Security Centre provides good immediate step-by-step advice if you’ve become a victim of ransomware.
How to prevent ransomware
To help businesses better protect themselves from WannaCry and other similar ransomware attacks, as well as future attacks, Kaspersky Lab recommends the following:
Be very wary about paying the ransom. You might not get your data back; and every payment the cybercriminals receive validates their business model.
Update and patch your operating system. WannaCry capitalised on a specific vulnerability found in Windows. Whilst operating system updates can be inconvenient, they are essential and should be installed as soon as they become available.
Conduct proper and timely backups of your data that can be used to restore original files. Organisations with backups of their data had no need to pay the ransom.
Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
Audit installed software, not only on devices, but also on all nodes and servers in the network, and keep it updated on all the devices you use. Use a clean system to check the No More Ransom site, where you may find a decryption tool that can help you get your files back.
Request external intelligence from reputable vendors and partners; this helps organisations to predict and guard against future attacks.
Educate your employees: you can’t rely only on technological solutions to protect against ransomware and other types of malware. Whilst this particular attack had the characteristics of a worm – it could spread by itself through a network – most malware gets a foothold by tricking employees into clicking on links or attachments that have been disguised to look innocent.
Use a reliable security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and, as yet, unknown samples of ransomware.
Last, but not least, remember that ransomware is a criminal offence. Report it to the local law enforcement agency – in the UK, that’s Action Fraud.
It may seem daunting to some business owners, but in an increasingly digital world, strong cyber security and good security practices are essential. Sadly, cyber security is often considered only after a business has been attacked. However, if there’s one thing WannaCry has demonstrated, it’s that companies must act now to ensure that they are protected in the event that they become a target.
Sourced by David Emm, Principal Security Researcher at Kaspersky Lab