A necessary wakeup call: how the WannaCry attack was a good thing

WannaCry, or WannaCrypt0r 2.0, has served an important purpose. It was a much-needed wake-up call for both the public and private sectors. Until recently, public bodies had been overly complacent when it came to protecting themselves against ransomware.

A Freedom of Information request in 2016 found that 47% of NHS Trusts in England had already been hit with ransomware attacks, and the data from previous years revealed that one third of councils had also fallen victim to such attacks. The sheer scale of the infection is unprecedented. In light of this, you’d expect public bodies to have adopted a more vigilant approach by now.

Now that public awareness of the inexorable nature of ransomware has been raised, more resources must be allocated to IT departments in order to help mitigate further attacks. Aside from focusing on external threat prevention, organisations need to start paying more attention to what’s happening on the inside.

They will need to focus more on the access rights that are granted to users across their corporate network. Detecting data abnormalities and repeating patterns in real time provides another security layer that could have prevented the spread of ransomware.

The ticking time bomb

Many organisations, particularly NHS Trusts and councils, know that ransomware is a problem and has been for some time. They just lack the necessary resources to ensure that they are well prepared and protected.

For IT teams, justifying the need for additional resources to help deal with a threat that might happen is a challenge, especially when resources are scarce. However, the scale of the recent outbreak will put pressure on governments to step up their game. In that respect, it’s the best thing that could have happened – obviously not for those infected – but it goes to show that ‘hope’ is not a sufficient security strategy.

Come in…we’ve been expecting you

Ransomware attacks are usually the result of human error, and are typically initiated by clicking links in suspicious emails, or not following best practice procedures when downloading files and applications. No matter how well protected you are from external threats, ransomware can still find its way onto your system, whether intentionally or by accident.

WannaCry primarily exploited a vulnerability in the Windows operating system, more specifically in the SMB protocol, which allowed it to escalate privileges, move quickly through the network and encrypt any file it could access on a Windows machine that was not properly patched.

Attacks evolve in step with the various defence mechanisms deployed by security experts, so there’s a good chance that ransomware will find its way onto your corporate system. With this in mind, the question becomes: how quickly can you shut down a ransomware attack?

Some commercial vendors have been developing software that can help you spot a ransomware infection by monitoring anomalies associated with the files, folders and permissions on your network. This can help prevent or limit the damage caused by such attacks. These solutions are relatively easy to use and can be installed in minutes.

A threshold alert can be set to identify if, for example, 20 file modifications occur inside two minutes – which could indicate a threat, and alert the IT team. On detection of a suspected threat it can also be configured to take further action, e.g. run a script to turn on a firewall, disable a user account, turn on extra security, and so on. This is a powerful feature as it provides the flexibility necessary for organisations with different levels of security posture.

What has been learnt from WannaCry

It’s easy in hindsight to point out what should have been done to prevent the recent ransomware attack, especially when it appears it could so easily have been avoided. Yet, we’re here, and it’s happened. The big question is, apart from the obvious patching issues, what else could have been done to detect, react and more importantly reduce the impact of this cyber-attack?

One of the reasons this attack had such a significant impact was the sheer volume of data that users had access to in the first place. The other reason this threat caused so much disruption in most cases was that, by the time it was detected, much of the damage was already done.

Very few of the victims had in place any means of alerting about trends regarding ‘file modifications’ or ‘failed access’ attempts on files and folders, which could have helped prevent the spread of the attack.
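The threshold alert described earlier (20 file modifications inside two minutes) and the ‘failed access’ trend mentioned here can both be expressed as a sliding-window count per user. The sketch below is an added example, not code from the article or from any vendor’s product; the failed-access limit of 10, the `on_alert` hook, the user names and the paths are assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 20 modifications in two minutes is the article's figure; the
# failed-access limit of 10 is an assumed value for illustration.
THRESHOLDS = {"modify": 20, "access_denied": 10}
WINDOW = timedelta(minutes=2)


def detect_bursts(events, on_alert=None):
    """Return one alert per (user, action) whose event count reaches its
    threshold inside a sliding window. Events must be in time order."""
    recent = defaultdict(deque)  # (user, action) -> timestamps in window
    alerted = set()              # suppress repeat alerts for the same key
    alerts = []
    for ts, user, action, _path in events:
        if action not in THRESHOLDS:
            continue
        key = (user, action)
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= WINDOW:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= THRESHOLDS[action] and key not in alerted:
            alerted.add(key)
            alert = {"user": user, "action": action,
                     "count": len(q), "first": q[0], "last": ts}
            alerts.append(alert)
            if on_alert:
                on_alert(alert)  # hypothetical hook: notify IT, disable account
    return alerts


def sample_events():
    """Constructed audit records: (timestamp, user, action, path)."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    events = []
    for i in range(30):  # alice: ordinary editing, one save per minute
        events.append((t0 + timedelta(minutes=i), "alice", "modify", f"/share/docs/r{i % 3}.docx"))
    for i in range(25):  # svc-backup: 25 rewrites 3 s apart (mass-encryption pattern)
        events.append((t0 + timedelta(minutes=5, seconds=3 * i), "svc-backup", "modify", f"/share/fin/f{i}.xlsx"))
    for i in range(12):  # bob: 12 denied reads 2 s apart
        events.append((t0 + timedelta(minutes=7, seconds=2 * i), "bob", "access_denied", f"/share/hr/p{i}.pdf"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for a in detect_bursts(sample_events()):
        print(f"ALERT {a['user']}: {a['count']} x {a['action']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The slow, steady editor never trips the alert, while the burst is flagged on its twentieth write, 57 seconds after it began and before the remaining files in the run are touched.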

While there are a number of vendors offering solutions that address these problems, most of them are too complicated to deploy, or too expensive for the majority of the market.

However, low-cost off-the-shelf auditing software can detect such attacks in their early stages and stop them in their tracks. Make sure you are prepared for when it happens again, as it’s likely that the next wave of attacks will be even more sophisticated.

Sourced by Aidan Simister, CEO, Lepide

Nick Ismail
