If your only takeaway from the WannaCry ransomware attack is “gosh, we need a better patch management process” or “maybe it’s time to move off these old operating systems,” then you’re probably a soft target for the next attack. This watershed moment signals a major and important shift in the evolution of ransomware.
As a disaster recovery professional, I keep a close eye on every kind of event that causes data loss or prevents people from doing work (downtime), so that we can adapt our products or better educate people on how to protect themselves. Since 2015, ransomware has been the number one cause of downtime. And to me, the biggest threat to come out of the May 2017 WannaCry attack is the false sense of security many people may feel once they have patched their Microsoft systems.
The organization(s) behind the WannaCry campaign weren’t so different from other ransomware operators: they paired an exploit with ransomware to gain access to systems, encrypt data and collect payments.
What separated WannaCry from the pack was where the exploit came from and the sheer size of the campaign. The exploit (EternalBlue, which targets a flaw in Microsoft’s SMBv1 implementation) was developed by the National Security Agency, the NSA, and published by the Shadow Brokers group in April 2017, a month after Microsoft had patched the flaw as MS17-010.
I’m going to put aside the obvious point that the NSA and other government organizations need to seriously wake up when it comes to their own security, and focus on how this sets the tone for the future of cybercriminal organizations using ransomware. Here are three key takeaways from the WannaCry outbreak:
- There will be more, many more. Anytime someone starts making money, other people join in. When someone makes a lot of money, the market floods with new actors trying to snatch a piece of that pie. The growth of ransomware was already accelerating, and the massive success of WannaCry will surely drive even more growth and beckon new criminal organizations to join the fray. As Bruce Schneier says: “Criminals go where the money is, and cybercriminals are no exceptions.”
- Expect more, larger-scale campaigns. WannaCry succeeded as a global campaign despite some junior execution errors, including typos, grammar mistakes, and a kill switch left in the code: the worm checked whether an unregistered domain resolved and stopped spreading if it did, so a researcher effectively neutered it simply by registering that cryptic domain name for $10.96. No doubt a better-coordinated campaign at the same scale is already being planned, and it will wreak significantly more havoc.
- Increased Demand for Ransomware-as-a-Service. To date, most ransomware campaigns have relied on exploits for known issues that can be found in recent patch notes for operating systems and firewalls, or have simply looked for common gaps in poorly managed IT environments with loose user account controls. WannaCry’s success with a self-propagating worm and a stolen operating system exploit has certainly increased demand for professionally (criminally) developed and/or stolen exploits.
Fortunately, none of these trends should change the fundamentals of your security and business continuity game plan.
PUT SIMPLY, YOU NEED A RANSOMWARE RECOVERY PLAN.
Such solutions exist, and the good ones will protect you from a broad range of downtime threats, including ransomware, hardware failures, software errors and natural disasters.
Consider again the words of security expert Bruce Schneier:
I’ve never figured out the fuss over ransomware…the single most important thing any company or individual can do to improve security is have a good backup strategy. It’s been true for decades, and it’s still true today.[i]
The implication here is that a ‘good backup strategy’ includes a good recovery plan, which depends on your business needs: how quickly you need full systems and/or files back (your recovery time objective) and how much recent work you can afford to lose (your recovery point objective) in the wake of an attack or server outage. If you can reliably and quickly recover your systems, you’ve completed the most crucial part of your ransomware preparation and shrunk the target on your back.
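A recovery plan is only as good as the last time it was exercised, so here is an added example of a minimal restore drill in Python. It is not code from the original post or from any product; it assumes a backup is a directory plus a JSON manifest of SHA-256 hashes (a format chosen for this example), takes a 60-second RTO and 24-hour RPO as constructed plan targets, and builds its own sample data in a temporary directory. It restores the backup, checks every file against the manifest, measures restore time, and reports which plan targets were missed, including the case where the backup itself was tampered with.

```python
"""Added example (not from the original post): a minimal ransomware restore drill.

Assumptions made for this example: a backup is a directory plus a JSON
manifest of SHA-256 hashes; the recovery plan is expressed as an RTO and
an RPO in seconds. All sample data is constructed in a temporary directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical manifest name used by this example


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy the source tree to the backup location and write a hash manifest."""
    shutil.copytree(source, backup)
    hashes = {str(p.relative_to(backup)): sha256_file(p)
              for p in sorted(backup.rglob("*")) if p.is_file()}
    manifest = {"created": time.time(), "files": hashes}
    (backup / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def restore_and_verify(backup: Path, target: Path) -> dict:
    """Restore the backup into target and recompute every hash.

    Returns the restore time, the manifest timestamp, and the list of files
    whose restored contents do not match the manifest (missing files count).
    """
    manifest = json.loads((backup / MANIFEST).read_text())
    start = time.monotonic()
    shutil.copytree(backup, target, ignore=shutil.ignore_patterns(MANIFEST))
    mismatched = [rel for rel, digest in manifest["files"].items()
                  if not (target / rel).is_file()
                  or sha256_file(target / rel) != digest]
    return {"elapsed": time.monotonic() - start,
            "created": manifest["created"],
            "mismatched": mismatched}


def evaluate(result: dict, rto_seconds: float, rpo_seconds: float,
             now=None) -> list:
    """Return the plan violations found by a drill; an empty list is a pass."""
    now = time.time() if now is None else now
    problems = []
    if result["mismatched"]:
        problems.append("integrity: %d file(s) differ from manifest"
                        % len(result["mismatched"]))
    if result["elapsed"] > rto_seconds:
        problems.append("RTO exceeded")
    if now - result["created"] > rpo_seconds:
        problems.append("RPO exceeded: newest backup is older than allowed")
    return problems


def run_drill(tamper: bool = False) -> list:
    """Build constructed sample data, back it up, optionally corrupt the backup
    (standing in for ransomware that reached the backup share), restore it,
    and evaluate against a 60 s RTO and a 24 h RPO."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak, dst = root / "data", root / "backup", root / "restore"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")     # constructed
        (src / "notes" / "todo.txt").write_text("renew certs\n")          # constructed
        make_backup(src, bak)
        if tamper:
            (bak / "ledger.csv").write_bytes(os.urandom(32))  # constructed corruption
        result = restore_and_verify(bak, dst)
        return evaluate(result, rto_seconds=60, rpo_seconds=24 * 3600)


if __name__ == "__main__":
    print("clean drill:", run_drill() or "PASS")
    print("tampered drill:", run_drill(tamper=True))
```

The drill deliberately restores into a fresh directory and re-hashes from there rather than trusting the backup job's own status: a backup that was encrypted in place after it was written, or one whose newest copy is older than the plan allows, is exactly the surprise you do not want to discover during a real incident.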
The optimist in me expects people to learn and act; the pessimist expects that the wrong lessons will be learned and nothing will be done; so the realist writes and educates.
[i] Bruce Schneier, blog post, June 16, 2008