In a blog post earlier this year, I said that ransomware was a potential goldmine for criminals and that it was urgent for organizations to update their risk assessments and to proactively prepare for an attack.
We did not have to wait long to see the threat from ransomware materialize on a global scale. The WannaCry malware attack in May was one of the most dramatic cybersecurity incidents we have ever seen. But it was also completely predictable. Those organizations that had the right processes and procedures in place were able to defend themselves successfully.
In fact, the cybersecurity community had been expecting the attack since the end of 2016. Last year, the National Security Agency (NSA) in the US was hacked by a team called the Shadow Brokers. The Shadow Brokers then made available on the dark web one of the NSA’s spying tools, the EternalBlue exploit. That exploit, which targets a vulnerability in the Server Message Block (SMB) protocol of some Microsoft Windows systems, is the ultimate source of the WannaCry worm.
Organizations following best practice in cybersecurity knew about this threat and protected themselves. A global alert was issued by the US Computer Emergency Readiness Team (CERT) in January 2017 and Microsoft released a patch in March. Organizations with good cybersecurity intelligence understood the threat and installed the patch immediately. Those organizations that were not aware were blindsided by the attack. If people clicked on the email with the WannaCry virus, they spread it across every organization without a patch, potentially taking their entire IT systems hostage unless they paid a ransom.
In a way, companies were lucky that the attack only happened after a patch was made available. If the attack had happened at the end of 2016, many more companies would have been affected.
Learning the lessons
There is no single solution for making sure that an organization is safe from attacks such as WannaCry. At Atos, we believe in an approach that incorporates all the following elements.
An effective cybersecurity strategy depends on a risk management approach that allows an organization to understand the threats.
For example, five years ago we had not heard of the ransomware threat and WannaCry did not exist. Organizations need to update their security risk management to make sure they address all the latest threats. As best practice, risk management should be updated at least twice a year, and whenever a new threat is identified.
Back-up and recovery
Back-up and recovery are the 101 of cybersecurity. Unfortunately, some organizations do not have the resources to update or integrate their new IT environments into existing security policies or into their back-up plans. That makes them very vulnerable to ransomware attacks. An organization with a good back-up and recovery strategy will know that its data is secure, so it does not have to pay the ransom.
Patch management and proactive intelligence
Organizations had two months to patch ahead of the WannaCry attack. Even before a patch was available, they could have put in different controls after the US-CERT advisory alert. This is why we believe that what organizations need is proactive intelligence. This enables them to understand what the bad guys are up to, so the experts can put in place security controls and block this type of attack.
People are the weakest link in cybersecurity. You only need one person to fall for a malicious email and an entire company of 100,000 people will be affected. Employees need to be educated not to open emails if they are not legitimate, even if they seem to come from someone they know.
Preparing for the future, winning the war
WannaCry was not the first ransomware attack and it is not going to be the last. The volume of attacks is increasing and the new generation of ransomware is likely to be sophisticated.
In 2016, over 4,000 such attacks were launched every day. It is a lucrative business for criminals, as many organizations do choose to pay the ransom to recover their data. An extremely worrying new trend is ransomware as a service: cybercriminals can now create an attack on demand for a malicious customer.
The criminals are creative. But we can win this cyberwar.
WannaCry was a good example of how we can get one step ahead of the cybercriminals and prepare for the threat before it is launched. Organizations now need to review their strategies and invest in the appropriate measures – the return on investment has never been higher.