Ransomware remains a big issue — what have we learned since and lessons for the future
It may be hard to believe, but five years after WannaCry, similar attacks are still happening. In fact, this past January WannaCry was the most detected ransomware. It is important to note that detections do not mean that organizations were actually infected.
What Happened?
On May 12, 2017, there were more than 45,000 attacks attributed to WannaCry around the globe, including China, Egypt, India, Italy, Russia and the United Kingdom. It gradually spread to the U.S. and other regions, but Europe was among the hardest hit. Rather than a targeted attack, the malware spread far and wide.
WannaCry was one of the first times everyday citizens saw the effects of a cyber attack. The offensive cost the U.K.'s National Health Service (NHS) nearly £100 million and led to 19,000 appointments being canceled. Though the NHS was not specifically targeted, it was caught in the crosshairs and suffered major losses.
First discovered by the National Security Agency (NSA), WannaCry was believed to have exploited a Microsoft Windows vulnerability. The attackers, part of the Lazarus Group, had ties to North Korea, and in February of 2021 three programmers were indicted by the U.S. government.
At the time of the attack, a patch existed that could have prevented WannaCry, but many organizations had not yet installed it.
What Have We Learned?
Five years later, WannaCry remains active. Likewise, some companies still have parts of their network exposed to the internet that should not be, leaving them vulnerable to attacks similar to WannaCry.
Victims are still plagued by one of the core exploitation vectors that WannaCry used to compromise organizations and propagate, but now via new ransomware and malware families.
Organizations still need to look at what is externally open to the internet, and close external-facing ports and protocols, specifically around the Server Message Block (SMB). SMB is a Windows communication protocol for shared access to files and printers on a network.
CyberOperation Analysis
In addition, the WannaCry anniversary emphasizes that ransomware compromises have increased exponentially, despite massive media attention.
Given the significant coverage, both technical and high level, much of the industry anticipated that it would prompt organizations to take real defensive action. Yet over the past five years, CyberOperation Threat Intelligence has seen ransomware actors use near-identical methodologies (and in many instances identical tooling) to accomplish their mission.
How to Protect Your Organization
As mentioned above, SMB is a Windows communication protocol for shared access to files and printers on a network, and it should not be reachable from the internet: review external-facing SMB ports and close them.
Another important action is to regularly patch your systems. While this is not always an easy task, it is extremely important and could have prevented organizations from getting infected with WannaCry.
Organizations need to focus on minimizing potential attack vectors by understanding how their systems are accessed and the functions they provide. From this perspective, organizations can place controls around identified risks, such as allowing deprecated protocols for backward compatibility of legacy systems.
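The two controls the article calls out, disabling the deprecated SMBv1 dialect and closing inbound SMB on untrusted networks, can be checked on a single Windows host with a short audit. This is an added example, not code from the original article; it assumes an elevated PowerShell session, is read-only unless -Remediate is passed, and the firewall rule name is an arbitrary choice. It covers the host firewall only; the perimeter still has to be checked separately.

```powershell
# Added example: audit a Windows host for SMBv1 and inbound TCP/445 exposure.
# Read-only by default; -Remediate applies the fixes. Run elevated.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# 1. Deprecated SMBv1 dialect still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. SMBv1 optional feature still installed? (Separate from the server setting above.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Which enabled inbound Allow rules open TCP 445 (or all TCP ports) on the Public profile?
$open445 = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    if ("$($rule.Profile)" -match 'Public|Any') {
        $port = $rule | Get-NetFirewallPortFilter
        $ports = @($port.LocalPort)
        if ($port.Protocol -eq 'TCP' -and ($ports -contains '445' -or $ports -contains 'Any')) {
            $rule.DisplayName
        }
    }
}
if ($open445) {
    $findings += "Inbound TCP 445 allowed on Public profile by: $($open445 -join ', ')"
    if ($Remediate) {
        # A Block rule takes precedence over Allow rules in Windows Firewall,
        # so this closes 445 on public networks without touching the existing rules.
        New-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No SMB exposure findings on this host' }
```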
If nothing else, WannaCry's five-year anniversary should serve as a stark reminder to those organizations that have not taken defensive measures. More than anything, it shows there's still work to be done.