The recent outbreak of the WannaCry (specifically WannaCrypt0r 2.0) ransomware has hit over 200,000 hosts in more than 100 countries around the world. Affecting multi-billion dollar companies, national health services and many other entities. Many news outlets are reporting this as an “attack” because of the widespread impact that it has caused, which gives the idea that these entities were targeted, this is not true.
An “attack” implies that entities are specifically targeted, in the case of WannaCry this was simply not the case, primarily because of the way which the ransomware spreads. Unlike many other ransomware viruses WannaCry can “worm” its way onto other systems by exploiting several known vulnerabilities within the Windows operating system. This raises the question, “why have these vulnerabilities not been patched if they are known about?”, well that’s the thing, they have been. These vulnerabilities have been patched in recent Windows updates for the latest operating systems. So, if the solution to prevent this kind of replicating behavior has been around for some time, why has the outbreak happened? In a nutshell, it is a lack of people using best practice techniques.
A lot of organizations want to thoroughly test new patches (be this Windows or other applications) before rolling this out to each applicable host on their enterprise network, this can take a little time. The vulnerability that allows WannaCry to replicate was leaked in April by a group of hackers going by the name “Shadow Brokers,” this was leaked after Microsoft released the patch that repairs the vulnerability. Large enterprises, although may test and approve the patch quickly, will take a lot longer to roll out the patch depending on their process.
You may ask why do these organizations take such a cautious approach with updates from a well-respected organization such as Microsoft? Well this is because some updates have the potential to cause issues to day to day activities which then cause more pain for the IT department. Patching is not a guaranteed art, for every problem you solve you may be creating another one which can lay undetected for some time.
Not that taking time to do patching is the whole problem, there are other factors. Many organizations have key legacy applications which have been running for years and production services which are heavily dependent on these legacy servers. Due to various factors these applications cannot be upgraded or have their servers operating systems updated, due to potential losses of functionality. If you don’t patch and keep up to the latest software levels you are going to be highly susceptible to well-known exploits, which on most up to date systems are not even the slightest cause for concern. This dependence therefore on aged software is a key issue for organizations.
The issues raised above do not however address how the ransomware got on the network in the first place. Typically, most ransomware comes from attached files in junk emails which are then opened by end users, causing the malware to get installed on their respective machine.
Many users, simply just don’t think of the implications of opening a junk email and any attachments held within. This lack of awareness is a significant weakness in the current security environment.
What can we learn from all of this?
- Endpoints (user computers & servers) should have routing patching and updates to ensure any patches for already detected vulnerabilities are installed.
- Endpoints running no longer supported operating systems should either be upgraded or replaced with newer hardware capable of meeting today’s security & performance requirements.
- Legacy infrastructure should be upgraded as soon as possible or given as much security as possible. Having them placed in a heavily restricted DMZ, with a strict firewall policy in place with URL & IP reputation filtering, file blocking profiles & deep inspection enabled along with a cutting-edge endpoint protection platform is critical.
- Email screening platforms should be placed in every organization to ensure that any malicious / unwanted emails are not filtered down to unsuspecting end users.
- Upgrades from existing firewalls to next generation firewalls should be carried out which provide far greater analysis of traffic and tighter security.
It’s important to understand that the threat isn’t over. Due to how successful the WannaCry ransomware has been there will be many more ransomware attempts in the coming days and weeks. Microsoft has released a patch for old OS’s (XP, Server 2003) in a highly unusual but welcome move, so any devices running these old operating systems should be patched immediately so that hackers are not able to exploit the same vulnerabilities again. Ensuring that all endpoints have at least some sort of protection is also key, even if this is a free antivirus piece, as any security is better than no security. These two simple tasks, which should be quick to implement, should mitigate any further attempts to exploit the vulnerabilities used by the current version of WannaCry. But do not be fooled into thinking this will keep you safe from everything.
To ensure a business is secure requires a robust security strategy with appropriate IT infrastructure, specialist oversight and consistent vigilance. If you do not believe your organization is properly protected, we advise you to have a system analysis carried out by a trusted managed security service provider as soon as possible.