Lessons From the WannaCry Ransomware Attack

Jared Hamilton | 5/15/2017

The unprecedented worldwide ransomware cyberattack that was carried out late last week is an important reminder that an effective cybersecurity program includes many vital components – including good patch management, data backup controls, security awareness training, anti-phishing campaigns, and a complete and updated incident response plan.

The WannaCry attack is reported to have been predominantly carried out through phishing emails asking unsuspecting end users to open a file. The tremendous impact of the attack caught organizations by surprise, and many were unprepared to thwart or effectively respond to the infections. Targeted end users simply clicked links, setting off a vicious chain of events that took organizations offline, cut off access to critical records, forced services to be rerouted, and left clients unable to receive critical services.

The malware targeted a known Microsoft® vulnerability for which a patch became available in March in Microsoft Security Bulletin MS17-010. When the end-user victim initiated the malware installation on an unpatched machine, the victim’s data was encrypted and held for ransom by the attacker. Attackers asked for anonymous payment in bitcoin in exchange for releasing the files and returning system access to the end user. The malware also scanned devices connected to the internet for open services in order to launch the attack.
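The scanning behaviour described above leaves a recognizable footprint in perimeter and host firewall logs: one source contacting many distinct hosts on the same port in a short window, with many of the attempts denied. The following is an added example, not code from the original post, that flags such sources in a constructed log sample; the log format, addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the page): "timestamp src dst dport action".
# 10.0.0.15 sweeps eight hosts on one port in five seconds; 10.0.0.30 is normal traffic.
SAMPLE_LOG = """\
2017-05-12T08:00:00 10.0.0.15 10.0.0.20 445 ALLOW
2017-05-12T08:00:01 10.0.0.15 10.0.0.21 445 DENY
2017-05-12T08:00:01 10.0.0.15 10.0.0.22 445 DENY
2017-05-12T08:00:02 10.0.0.15 10.0.0.23 445 ALLOW
2017-05-12T08:00:02 10.0.0.15 10.0.0.24 445 DENY
2017-05-12T08:00:03 10.0.0.15 10.0.0.25 445 DENY
2017-05-12T08:00:03 10.0.0.15 10.0.0.26 445 DENY
2017-05-12T08:00:04 10.0.0.15 10.0.0.27 445 ALLOW
2017-05-12T08:00:05 10.0.0.30 10.0.0.5 443 ALLOW
2017-05-12T08:00:09 10.0.0.30 10.0.0.5 443 ALLOW
2017-05-12T08:00:10 10.0.0.30 10.0.0.6 443 ALLOW
2017-05-12T08:10:00 10.0.0.15 10.0.0.28 445 DENY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse(lines):
    """Yield (timestamp, src, dst, port) for each well-formed line.
    Denied attempts are kept: a sweep is visible precisely because most probes fail."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, _action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, window_seconds=60, min_targets=5):
    """Return {src: (port, distinct_targets)} for every source that reached at least
    min_targets distinct destinations on a single port within window_seconds."""
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst), ...]
    for ts, src, dst, port in parse(lines):
        events[(src, port)].append((ts, dst))
    hits = {}
    for (src, port), evs in events.items():
        evs.sort()
        for i in range(len(evs)):  # slide a window starting at each event
            seen = set()
            for ts, dst in evs[i:]:
                if (ts - evs[i][0]).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            if len(seen) >= min_targets:
                hits[src] = (port, len(seen))
                break
    return hits
```

Tune the window and target count to the size of the subnets involved; a lower threshold catches slower sweeps at the cost of more false positives from legitimate management hosts.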

Beyond good patch management and data backup controls, the best way to impede an infection is to prevent malware exposure in the first place. The reported number one point of entry for malware in this attack, as in many previous attacks, was end-user computers, with access granted by the end users themselves. As this attack shows, organizations that implement effective, ongoing security awareness training and anti-phishing campaigns are at decidedly lower risk of infection through these common and increasingly sophisticated attacks.

However, even with the best safeguards in place, it’s not possible to be 100 percent immune from every attack. Recognizing that becoming the target of a cyberattack is a question of when, not if, organizations need to be prepared to respond with a properly designed incident response plan. A complete and updated plan helps ensure that the organization is ready to respond before an incident occurs.

Unfortunately, this threat is not new. Malware has existed for more than 20 years, has been using unpatched vulnerabilities to spread for many years, and has been holding computers and data hostage for more than 10 years. Organizations don’t need special protections. They simply need to use a layered security approach to protect themselves from all malware threats. Organizations should consider implementing the following tactics:

  • Rapid patch management. Organizations should install MS17-010 – but that only solves today’s problem. What about tomorrow’s flavor of the day? A security program that is reactionary in nature is not going to be effective in the long run. Organizations should implement a robust vulnerability and patch management program to proactively identify vulnerabilities and patch them before adversaries can take advantage of them.
  • Principle of least privilege. Users should not have local administrative rights. If they do, they essentially are conducting some of the highest-risk activities (email and web browsing – where the majority of malware comes from) with the highest privilege, which could, in turn, inadvertently grant that right to malware.
  • Minimization. Only services that are necessary for a system to function should be exposed to the internet. Organizations that are good at the security principle of minimization (on both internal and external networks) drastically reduce what an attacker can reach, making themselves a much smaller, harder-to-hit target for opportunistic threat actors.
  • Network content filtering. Controlling what is allowed in and out of the network through content filtering solutions (such as web proxies and email filters) can further reduce an organization’s exposure to attack and help prevent known threats.
  • Malicious code protections. These protections can come in many forms – including anti-virus and application whitelisting – both of which can be effective in helping prevent unwanted code execution.
  • Backups. Organizations should ensure they have the ability to recover their data if all other preventive controls fail.
  • Incident response plan. In addition to having backups, it is essential to have a plan outlining how to respond in the event of a cyber incident.

Focusing on the most recent threat can lead to a shortsighted approach to security. Instead, organizations need to use a layered security approach to provide the best protection possible for today and for tomorrow as well.

For comprehensive, in-depth cybersecurity guidance, contact us.

Microsoft is either a registered trademark or a trademark of Microsoft Corp. in the United States and/or other countries.