CISO Lessons From The World's Biggest Ransomware Attack

by Moumita Deb Choudhury    May 15, 2017


What experts are calling the ‘biggest ransomware attack in history’ has put cyber security professionals through a gruelling weekend of protecting their systems. This relatively young piece of ransomware, called WanaCrypt0r, has been spreading rapidly since Friday, has infected over 75,000 machines in more than 150 countries and has hammered industries of all kinds. An international manhunt is underway for the hackers. All this is indeed a wake-up call for CISOs.

“Many global organizations did not update servers with the latest ‘patch’ and block known file types (or websites) which are known sources of the ransomware, resulting in virtually no protection against the known threat. Indian organizations are also vulnerable due to most of them using outdated (or not updated) versions of operating systems for business operations. Incidents of such nature and magnitude serve as warning signals for both public and private sector enterprises to have a proactive approach and invest in technologies as well as skilled staff to mitigate and remediate cyber incidents,” said Mukul Shrivastava, Partner, Fraud Investigation & Dispute Services, EY India.


A variant of WanaCrypt0r, named WeCry, was originally discovered in February of this year. As Gavin Millard, EMEA Technical Director of Tenable Network Security, explains, “With the success of the initial infection of WannaCry, it wouldn’t be at all surprising to see the next iteration released soon. Although there has been a significant amount of interest in the media and inescapable coverage of the outbreak, many systems will still be lacking the MS17-010 patch required to mitigate the threat.”

Anshuman Singh, Senior Director Product Management at Barracuda Networks Inc., said that what makes this piece of ransomware so prolific today is that it is packaged with an exploit tool called ETERNALBLUE, which leverages a known vulnerability in Windows that was patched in March as part of Windows Updates. This was an SMB vulnerability, which allowed malicious code to travel from system to system. Older Windows systems that are no longer supported would not have received a patch, and many supported systems were simply not updated. Delays caused by compatibility testing and limited resources often leave systems unpatched and at risk.


“The exploit is delivered via email attachment. Once the exploit is detonated, the worm will spread the ransomware through RDP sessions and the SMB vulnerability referenced above. The worm does the work of spreading the ransomware to as many systems as possible, as fast as possible. The ransomware encrypts the target files and presents the ransom note to the victim. This MalwareBytes thread has a detailed analysis of the code and the executable. The attackers are charging up to $600 in bitcoin for the decryptor,” he added.

Microsoft slammed the US government for stockpiling software vulnerabilities rather than disclosing them. “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action,” said Microsoft President Brad Smith in a blog post.

“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he added. 

The India scenario

India was among the countries worst affected by the WannaCry attack, according to data shared by Kaspersky Lab. Andhra Pradesh Police, four manufacturing companies, two retailers, the India operations of a multinational, two banks and the Chennai facility of an automaker are among those affected by this debacle.

“There has already been another variant of the ransomware out yesterday, which does not have a ‘Kill Switch’, making it difficult to contain. The threat actors have upped their ante to ensure the coverage is widespread. As we speak, it has already started infecting countries in UK & Europe, and has not yet spread to India. What is needed is that organizations have basic hygiene in place, as the modus operandi of these attacks is through phishing emails,” said Sharda Tickoo, Technical Head at Trend Micro, India.

In India there are a large number of individuals and organizations that are still running older versions of the Windows operating system, and this makes the country most vulnerable. Kartik Shahani, Integrated Security Leader, IBM ISA, said, “This ransomware onslaught is a resounding reminder of the security basics and hygiene that are required for organizational networks. The incident could have been avoided if critical patches were applied in time throughout companies across all industries. Enterprises constantly struggle to stay on top of regular patching cycles as this can impact day-to-day operations in some cases.”


Shahani mentioned that the IBM team is leveraging Watson for Cyber Security to analyze the data and derive insights to prevent future incidents. “Companies will need to have an incident response plan in place to quickly recover and also ensure that employees, suppliers and others who work with them receive regular security training,” he said.

How to stay safe?

In an attempt to be prepared for the threat, India’s Computer Emergency Response Team (CERT-In) has released new directives to deal with this particular ransomware:

- Keeping a backup is the most effective way to deal with the threat. CERT-In has advised users to back up all their essential files offline, on a hard disk or pen drive.

- Users should apply patches to their Windows system(s) as mentioned in the Microsoft Bulletin MS17-010. Don’t open e-mails or links in e-mails from unexpected senders, even people in your contact list.

- E-mail has proven to be an effective carrier in the case of the ‘WannaCry’ ransomware. Avoid downloading from websites that are not trustworthy, including attachments from unsolicited e-mails. Update antivirus on all your systems and download Microsoft’s latest software patches.

- While browsing, stay away from unsafe websites and use essential filters on your browser. Use the security tools on the IT ministry’s website for higher safety.
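As an added example that is not part of the article or of CERT-In’s advisory, the following PowerShell readiness check reports on the controls the advice above rests on: the SMB attack surface the worm spreads through, how current Windows patching is, and how fresh the antivirus signatures are. It assumes Windows 8/Server 2012 or later with the built-in SmbShare and Defender modules, an elevated session, and takes 14 March 2017 as the release date of the March Windows updates that the article says carried the fix.

```powershell
# Added readiness check (not from the article or CERT-In). Assumes Windows 8 / Server 2012
# or later with the SmbShare and Defender PowerShell modules; run from an elevated session.
$Findings = @()

# 1. The worm spreads through the SMB vulnerability fixed by MS17-010. Having SMBv1
#    disabled on the server side removes that lateral-movement path even on hosts
#    that are still waiting for the patch.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $Findings += 'SMBv1 is enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}

# 2. MS17-010 shipped with the March 2017 Windows updates (assumed date: 14 March 2017).
#    A host with no update installed since then cannot have it. A newer install date is
#    only a necessary condition, so the KB for this OS build still has to be confirmed
#    against the bulletin; InstalledOn can be empty, so such entries are skipped.
$patchTuesday = Get-Date '2017-03-14'
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt $patchTuesday) {
    $Findings += "No Windows update installed since $($patchTuesday.ToShortDateString()); MS17-010 is missing"
} else {
    $Findings += "Latest update $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()); confirm it includes MS17-010"
}

# 3. CERT-In's advice to keep antivirus updated: flag disabled real-time protection
#    and signatures older than a day.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $Findings += 'Windows Defender real-time protection is off'
}
$sigAge = New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)
if ($sigAge.TotalHours -gt 24) {
    $Findings += "Antivirus signatures last updated $($mp.AntivirusSignatureLastUpdated) ($([int]$sigAge.TotalHours) hours ago)"
}

if ($Findings.Count -eq 0) {
    Write-Output '[OK] No findings'
} else {
    $Findings | ForEach-Object { Write-Output "[CHECK] $_" }
}
```

The script only reports; it changes nothing on the host, so it can be run across a fleet before deciding which machines need the patch or an SMBv1 change first.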