
To Pay Or Not To Pay? What We Should Learn From The WannaCry And ExPetr Attacks

01/08/2017 12:10

For many people, WannaCry was the first they had heard of ransomware. Many others had just a vague awareness of the problem and the potential damages that ransomware can inflict.

The threat from cybercrime generally, and ransomware in particular, is one that we must all take seriously. The criminals behind ransomware direct their attacks mainly at consumers. Nevertheless, the number of attacks on businesses continues to grow: at the start of 2016, around 17 per cent of crypto-ransomware attacks targeted the corporate sector; by the end of the year, this had risen to around 24 per cent.

As WannaCry showed, unpatched operating systems are easy targets. Therefore, individuals and businesses alike should automate the update process and invest in software that protects against malware - not only on traditional computers, but on tablets and mobile phones as well.

As the news about WannaCry broke, it quickly became apparent that the attack was spreading fast, as companies and organisations around the globe put their hands up to report that attacks had taken place on their computer networks.

The WannaCry outbreak stood out from all previous ransomware attacks due to the speed with which it spread, exploiting a vulnerability in Windows (in the SMBv1 file-sharing service, fixed by Microsoft's MS17-010 update in March 2017, two months before the outbreak): sadly, many organisations had failed to apply the patch. Having infected vulnerable computers, the malware encrypted data and demanded a ransom of between $300 and $600 to decrypt it. WannaCry infected more than 200,000 computers in more than 150 countries.

ExPetr was unleashed on 27 June, just weeks after the WannaCry epidemic. The malware attacked at least 2,000 targets - mostly organisations in Ukraine and Russia, although businesses in Poland, Italy, Germany, Great Britain, China, France and several other countries were also affected.

It seemed like yet another ransomware attack - albeit a more targeted one. However, it soon became apparent that ExPetr was a wiper masquerading as ransomware - that is, its aim was to destroy data rather than to extort money from the victims. The encryption code in ExPetr was implemented in such a way that it was completely impossible to decrypt files, even if the victims paid the ransom: the "installation ID" shown to victims was random data, so the attackers had nothing from which to derive a decryption key. Clearly, for businesses of any kind, but especially industrial facilities and critical infrastructure installations, the consequences of a successful attack by malware of this sort can be devastating.

What did WannaCry and ExPetr have in common? They both exploited a vulnerability in order to spread: each used the EternalBlue exploit for the SMBv1 flaw fixed by MS17-010, and ExPetr additionally used a second SMB exploit (EternalRomance) and, where it could steal credentials, moved between machines with legitimate administration tools such as PsExec and WMIC. The update to fix the vulnerability was already available. But many organisations hadn't applied the patch.

This issue isn't peculiar to WannaCry and ExPetr, or even to ransomware. Many malicious programs take advantage of vulnerabilities in operating systems and applications in order to infect and spread. By applying updates as soon as they become available, organisations can reduce their exposure to attack. What WannaCry and ExPetr have done is to throw this problem into sharp relief and to underline the crippling effects that ransomware can have on IT systems.

Preventing ransomware

Cybersecurity is an ongoing process that involves more than deploying an "out-of-the-box" solution. It must include the development of security policies and processes, and these must be reviewed on a regular basis to ensure that they are appropriate.

In addition, it's important to note that these measures don't just apply to organisations - individual consumers are as much at risk as companies when it comes to cyber-attacks. It's tempting to click 'remind me later' when you get a pop-up update notification, especially when you're in the middle of a task, but by delaying the installation you're putting your cyber-safety at risk. WannaCry and ExPetr capitalised on specific vulnerabilities in Windows that Microsoft had already fixed - most of the computers that were hit wouldn't have been infected had the victims applied the appropriate patches (ExPetr also spread using stolen credentials and legitimate administration tools, which is why the advice below on administrator rights and network segmentation matters just as much). Applying updates as soon as they're available is a crucial first step in ensuring your safety - and the following checklist provides additional points for developing best cyber-security practice:

Back up data regularly. Data should be backed up to a drive or device that is not normally connected to the computer - otherwise data stored on it could be encrypted too if you fall victim to a ransomware attack. Test that you can actually restore from the backup; an untested backup is only an assumption.

Use a security solution that includes behaviour-based detection technologies. Proactive technologies can catch malware, including ransomware, by monitoring how it operates on an attacked system - for example, a process that rapidly overwrites many documents with high-entropy (encrypted-looking) data - making it possible to detect fresh, unknown samples of ransomware that no signature yet covers.
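To make the "monitoring how it operates" point concrete, here is a toy behaviour-based detector. It is an added example, not code from the original post or from any vendor's product: it scores each file write on three indicators (a decoy "canary" file being touched, a high-entropy overwrite, and a burst of such writes within a short window) and feeds it constructed events standing in for a ransomware sweep, an ordinary user edit and a benign archive download. The thresholds, file names, the canary name and the SHA-256-keystream stand-in for the ransomware's encryption are all assumptions made for the example.

```python
"""Toy behaviour-based ransomware detector (added example with constructed data).
Thresholds and names below are assumptions, not a product's tuned values."""
import hashlib
import math
import os
from collections import deque

ENTROPY_THRESHOLD = 7.5        # bits/byte; encrypted or compressed data sits near 8.0
MIN_SAMPLE_BYTES = 1024        # entropy of a tiny write is not meaningful
BURST_WINDOW_SECONDS = 5.0     # assumption: how far back the burst counter looks
BURST_FILE_COUNT = 20          # assumption: suspicious writes in the window = "burst"
CANARY_NAME = "._canary.docx"  # decoy file no legitimate user should ever modify

# Constructed sample document: ordinary text, roughly 4 bits of entropy per byte.
DOCUMENT = b"Quarterly report. Revenue up 4%. Costs stable. " * 100


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a ransomware's file encryption: XOR with a
    SHA-256 counter keystream. Only the output's byte statistics matter here."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class WriteMonitor:
    """Scores each file write: per-write indicators first, then whether
    suspicious writes are arriving in a burst."""

    def __init__(self):
        self.recent = deque()  # timestamps of recent suspicious writes

    def observe(self, path: str, data: bytes, now: float) -> list:
        reasons = []
        if os.path.basename(path) == CANARY_NAME:
            reasons.append("canary file modified")
        if len(data) >= MIN_SAMPLE_BYTES and shannon_entropy(data) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy overwrite")
        if reasons:
            self.recent.append(now)
            while now - self.recent[0] > BURST_WINDOW_SECONDS:  # drop stale entries
                self.recent.popleft()
            if len(self.recent) >= BURST_FILE_COUNT:
                reasons.append("mass encryption burst")
        return reasons


def _run(events):
    """Feed (path, data, time) events to a fresh monitor; return (path, reasons) alerts."""
    monitor = WriteMonitor()
    alerts = []
    for path, data, now in events:
        reasons = monitor.observe(path, data, now)
        if reasons:
            alerts.append((path, reasons))
    return alerts


def simulate_ransomware():
    """Ransomware sweeps a share: the canary first, then 24 documents, 0.1 s apart."""
    files = [CANARY_NAME] + ["share/doc_%02d.docx" % i for i in range(24)]
    events = [(f, toy_encrypt(DOCUMENT, b"attacker-key"), 0.1 * i) for i, f in enumerate(files)]
    return _run(events)


def simulate_user_edit():
    """A user saves three plaintext documents over an hour: nothing fires."""
    events = [("share/doc_%02d.docx" % i, DOCUMENT + b" Edited.", 1200.0 * i) for i in range(3)]
    return _run(events)


def simulate_download():
    """One high-entropy write (a downloaded archive) trips the entropy indicator
    alone; with no burst and no canary, a real engine would weight this low."""
    return _run([("share/archive.zip", toy_encrypt(DOCUMENT, b"zip-bytes"), 0.0)])


if __name__ == "__main__":
    for name, fn in (("ransomware", simulate_ransomware),
                     ("user edit", simulate_user_edit),
                     ("download", simulate_download)):
        alerts = fn()
        print("%-10s %2d alert(s) %s" % (name, len(alerts), alerts[-1] if alerts else ""))
```

The point of the three scenarios is the one the checklist makes: no single indicator is proof. A user legitimately saving a zip file produces one high-entropy write, so a real engine treats that as a weak signal and acts (suspending the process, rolling back its writes) only when the indicators compound, as they do in the ransomware sweep where the canary is hit and the burst threshold is crossed on the twentieth file.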

Conduct a security assessment of the network (including a security audit, penetration testing and gap analysis) to identify and remove any security loopholes. Review external vendor and third-party security policies, since they might also have access to your network.

Implement good network management practices. Don't assign administrator rights to staff automatically; restrict write access to data and segment the network to restrict lateral movement of malware that gets through the perimeter defences. Disable legacy services you no longer need (Microsoft recommends turning off SMBv1, the service both WannaCry and ExPetr exploited) and block SMB traffic (TCP port 445) at the perimeter and between network segments where it isn't required.

Make use of external intelligence: intelligence from reputable vendors and partners helps organisations to predict and guard against future attacks.

Educate your employees. While WannaCry and ExPetr spread automatically, without human involvement, most malware gains a foothold in an organisation by tricking employees into doing something that jeopardises corporate security. Therefore, it's vital to develop a security culture in your organisation. In particular, encourage staff to be cautious about opening email attachments or clicking on links.

Don't pay the ransom. As ExPetr has shown, even if malware adopts the modus operandi of ransomware, it might be designed to destroy data instead. But even in the case of 'standard' ransomware, there's no guarantee that the criminals behind the attack will decrypt your data (Kaspersky Lab estimates that 20 per cent of people who paid a ransom in 2016 didn't get their data back). Use a clean system to check the No More Ransom site, where you might find a decryption tool to recover the data.
