The infamous WannaCry ransomware attack of May 2017, which infected more than 300,000 devices across 150 countries, is still regarded as the most prolific of its kind. Hospitals in the UK were temporarily shut down. Ambulances were diverted, surgeries were cancelled, and appointments were postponed. Yet, despite the widespread damage caused by WannaCry, it was by no means the most profitable, nor was it the most sophisticated type of attack. The attack was made possible by a vulnerability in the Microsoft Windows Server Message Block (SMB) protocol. A patch was released in March 2017, but many failed to install it before it was too late. Even though the storm has long since passed, WannaCry is still technically out there, as these kinds of self-propagating ransomware strains only really disappear when everyone knows how to identify them. So, what lessons have been learned?
WannaCry Has Changed How We Think About Ransomware
Well, the most obvious lessons include the importance of ensuring that our software has the latest patches installed, and that we have a well-rehearsed backup and restore policy in place. The extensive media coverage of the WannaCry attack was a blessing in disguise, as it raised awareness of the potential havoc that such attacks can cause. Since then, many organisations have been focusing on improving their security hygiene in an attempt to mitigate future ransomware attacks. Some have looked towards a concept known as “zero-trust”, which is centred around the principle that organisations should not automatically trust anything, whether it is inside or outside the network perimeter. Instead, everything must be verified before it can be granted access to the system.
Another valuable lesson we can learn from WannaCry is the importance of network segmentation. Network segmentation is a very effective way to stop the spread of ransomware infections. For example, by isolating the systems used by accounting, IT, HR, and third-party contractors, we can set up common-sense controls that restrict the data flowing between these departments.
Threat Intelligence Solutions
A number of organisations are starting to make use of threat intelligence solutions, which collect information from multiple sources such as security blogs, news feeds and more. The data collected can be used by Intrusion Prevention Systems (IPS) to help identify files that contain a continuous sequence of bytes common to a certain ransomware strain. However, it should be noted that signatures – such as those used by anti-virus software – are not always effective at detecting ransomware. It is often the case that the creators of the ransomware use a variety of obfuscation methods to cover their tracks. As such, more sophisticated methods are required.
As more and more companies adopt file auditing solutions to ensure that they are able to detect, alert, report and respond to suspicious file and folder activity, they are also becoming increasingly aware of the importance of “threshold alerting”. Threshold alerting enables organisations to detect, alert and respond to certain events based on a threshold condition. For example, if X number of files are encrypted within a specified period of time, an automated response can be initiated which may stop a specific process, disable a user account, change the firewall configuration settings, or shut down the server. File server auditing solutions cannot prevent a ransomware attack from being launched; however, when used in combination with network segmentation, they can be very effective at minimising the damage a ransomware attack can cause.
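Threshold alerting of the kind described above, as an added example that is not from the original article or from any particular auditing product: a sliding-window detector over constructed file-server audit lines that counts the distinct files each user/process pair writes or renames, and raises one alert once that count reaches the threshold inside the window. The log format, the user and process names, and the `stop_process` response label are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not real telemetry):
# <timestamp> <user> <process> <action> <path>
SAMPLE_LOG = """\
2017-05-12T10:00:00 alice winword.exe MODIFY /share/hr/handbook.docx
2017-05-12T10:04:00 carol backup.exe MODIFY /share/it/a.bak
2017-05-12T10:06:00 carol backup.exe MODIFY /share/it/b.bak
2017-05-12T10:08:00 carol backup.exe MODIFY /share/it/c.bak
2017-05-12T10:10:00 carol backup.exe MODIFY /share/it/d.bak
2017-05-12T10:12:00 carol backup.exe MODIFY /share/it/e.bak
2017-05-12T10:15:00 bob svc_update.exe RENAME /share/acct/q1.xlsx
2017-05-12T10:15:03 bob svc_update.exe RENAME /share/acct/q2.xlsx
2017-05-12T10:15:05 bob svc_update.exe RENAME /share/acct/q3.xlsx
2017-05-12T10:15:08 bob svc_update.exe RENAME /share/acct/q4.xlsx
2017-05-12T10:15:11 bob svc_update.exe RENAME /share/acct/q5.xlsx
2017-05-12T10:15:12 bob svc_update.exe READ /share/acct/q5.xlsx
"""


def parse_line(line):
    ts, user, proc, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, proc, action, path


def threshold_alerts(log_text, threshold=5, window_seconds=60):
    """One alert per (user, process) once it touches `threshold` distinct files
    within any `window_seconds` window. Distinct writes/renames are a proxy for
    'files encrypted': a file server sees the writes, not the encryption."""
    windows = defaultdict(deque)  # (user, process) -> deque of (ts, path)
    alerted, alerts = set(), []
    for line in log_text.strip().splitlines():
        ts, user, proc, action, path = parse_line(line)
        if action not in ("MODIFY", "RENAME"):  # reads never count
            continue
        key = (user, proc)
        q = windows[key]
        q.append((ts, path))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # evict events outside the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= threshold and key not in alerted:
            alerted.add(key)  # alert once per offender, not once per file
            alerts.append({"user": user, "process": proc, "at": ts.isoformat(),
                           "files": len(touched), "response": "stop_process"})
    return alerts


if __name__ == "__main__":
    print(threshold_alerts(SAMPLE_LOG))
```

With the defaults, only `bob`/`svc_update.exe` trips the alert: `carol` touches the same number of files, but spread over eight minutes, which is why the window length matters as much as the count.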
At the end of the day, technology alone is not enough to protect us from ransomware attacks. Unless we do everything we can to ensure that staff members are sufficiently trained to spot suspicious emails and potentially malicious websites, attacks similar to WannaCry will no doubt continue.