A piece of ransomware known as "WannaCry" paralyzed businesses, government entities, and Britain's National Health Service, encrypting the files on infected machines and demanding a $300 ransom in bitcoin for the key. All told, more than 300,000 computers were infected in an attack that reached some 150 countries.
The attack exposed major shortcomings in the approach of governments as well as businesses around the world to cybersecurity. And it shows just how inadequate our existing approach to cybersecurity is in the face of the widespread availability of software exploits and the increasing prevalence of malicious actors online.
Britain's National Health Service was hit hard in part because the cash-strapped hospital system still ran old versions of Windows on many machines, including Windows XP, an operating system Microsoft had stopped supporting in 2014.
The malware's spread was slowed on Friday in part because Microsoft took the rare step of releasing an emergency patch for Windows XP and other unsupported versions (something that normally does not happen once support ends), and in part because a 22-year-old researcher who calls himself MalwareTech registered a domain that the malware checks before it starts encrypting; when that check succeeds the code stops, so the registration acted as a "kill switch." It did nothing for machines that were already encrypted, and a variant with a different domain would not have been affected. Companies can't count on developments like these to constrain the next attack.
Like so much of the malicious activity on the internet, the attack took advantage of a known vulnerability. Back in March, Microsoft had in fact released a patch (MS17-010) for the flaw in the SMBv1 file-sharing service that WannaCry exploits. The problem was that many businesses and institutions hadn't applied it, and on a broader level many institutions consistently lag behind in updating their software or continue to use older operating systems that no longer receive security updates.
While no set of defenses can be guaranteed to withstand a sustained attack from a sophisticated adversary, basic measures still go a long way toward reducing risk: according to the Department of Homeland Security, as many as 85% of targeted cyberattacks are preventable through basic risk-mitigation measures.
So what can businesses do right now?
First, every business should examine what it is doing to protect against phishing attacks (e-mails that carry a malicious attachment or link, where a single click introduces the malware). Warning and educating employees about these threats is obviously a good idea, but a more effective tactic is to run a "red team" style test by sending simulated phishing emails to employees and measuring how many fall for them. Companies can then follow up with better training once they have accurately diagnosed the extent of their exposure. One caveat: WannaCry did not need anyone to click in order to move between machines. Once inside a network it spread on its own over Windows file sharing, so phishing defenses lower the odds of the first infection but do not contain one.
Second, as the WannaCry attack clearly shows, it's imperative for businesses to make sure they are constantly updating their software and installing security patches as they appear. That also means keeping current with supported operating systems: vendors generally ship security fixes only for versions they still support, so older systems fall into a state of ever-worsening security limbo (as has been the case with Windows XP).
And the ransomware attack carries another important, related lesson: the patch Microsoft pushed out in March was rated critical, as dozens of others are every year, but it did not come with a large red sign saying "URGENT: Patch Needed To Protect Against Devastating Ransomware Attack." Whatever the reason for this, the fact remains that you often cannot tell until it is too late whether an update closes a hole that is about to be exploited at scale or whether it just adds a new feature or fixes an obscure bug.
Third and maybe most critically, companies should game out these cyber scenarios and have a plan in place for how to handle them. Every business (whether in the tech sector or not) should consider what its worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in — and are there ways to elevate problems directly to the CEO? Does the legal department have the right kind of relationship with the IT people so that the lawyers can understand what’s going on? Companies should also consider — in advance — what their policy should be for notifying law enforcement. And, in the event of a ransomware attack, they should consider whether they would heed the FBI’s advice not to pay in all cases or would be willing to take some other approach if their business depended on it.
These decisions are complicated, and there is probably no one-size-fits-all set of answers. The legal fallout can also be sprawling — ranging from possible consumer-privacy litigation, to shareholder suits, to cooperating in criminal investigations. The ramifications can even include being drawn into an international incident with a foreign adversary, as was shown by the Sony hack in 2014 — and as current reporting is suggesting may be the case here. A business that falls victim to an attack also likely won’t know who is behind the attack for some time, and so will be forced to make these decisions with imperfect information about whether it is dealing with ordinary crooks, a hostile nation-state, a terrorist organization, or some combination of these actors working in concert.
Planning for these scenarios and putting safety measures in place may sound expensive and onerous. But as the past weekend has shown, the cost of not preparing for them can be far higher. And unfortunately, businesses cannot count on governments to do this work for them. While federal agencies continue to assess their own vulnerabilities, the private sector must harness its own abilities to adapt and innovate in order to be better prepared for the next attack.
How to avoid WannaCry
1. Make safe and secure backups
Once your files are encrypted, your options are limited. Recovery from backups is one of them.
‘Unfortunately, most people don’t have them,’ Mr Abrams says.
Backups often are also out of date and missing critical information. With this attack, Abrams recommends trying to recover the ‘shadow volume’ copies some versions of Windows have.
Some ransomware can also target backup files, though.
Mr Abrams recommends making multiple backups to both cloud services and physical disk drives, at frequent intervals.
It’s a good idea to back up files to a drive that remains entirely disconnected from your network, he says.
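The backup advice above can be made concrete. The following PowerShell script is an added example, not code from the article or from Mr Abrams: it writes each backup into a fresh dated folder on a drive that is unplugged afterwards, records SHA-256 hashes of every file, and re-verifies a snapshot against that manifest so that a backup that was later encrypted in place is caught before you need to restore from it. The paths `C:\Data` and `E:\Backups` are placeholders.

```powershell
# Added example, not from the article: snapshot a folder to a drive that is
# unplugged after the run, and record SHA-256 hashes so a backup that was later
# encrypted in place is noticed before it is needed. Paths are placeholders.

function New-Snapshot {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$BackupRoot
    )
    # One dated folder per run: a snapshot taken after an infection cannot
    # overwrite the last good one, which is what "versioned" buys you.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $dest -Recurse -Force

    # Hash every copied file, keyed by its path relative to the snapshot root.
    $manifest = Get-ChildItem -Path $dest -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($dest.Length + 1)
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $manifestPath = Join-Path $BackupRoot "$stamp.manifest.csv"
    $manifest | Export-Csv -Path $manifestPath -NoTypeInformation

    # Read-only is a speed bump, not a wall: malware running as the user can
    # clear the attribute. The real protection is unplugging the drive.
    Get-ChildItem -Path $dest -Recurse -File | ForEach-Object { $_.IsReadOnly = $true }

    [pscustomobject]@{ Snapshot = $dest; Manifest = $manifestPath }
}

function Test-Snapshot {
    param(
        [Parameter(Mandatory)][string]$Snapshot,
        [Parameter(Mandatory)][string]$Manifest
    )
    # Re-hash and compare. A missing file or a changed hash means this snapshot
    # must not be trusted for a restore (for example, it was encrypted after the copy).
    $problems = @()
    foreach ($row in Import-Csv -Path $Manifest) {
        $file = Join-Path $Snapshot $row.Path
        if (-not (Test-Path -LiteralPath $file)) {
            $problems += "$($row.Path): missing"
            continue
        }
        if ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $row.Sha256) {
            $problems += "$($row.Path): contents changed since backup"
        }
    }
    $problems   # an empty result means the snapshot is intact
}

# Usage with placeholder paths; E: is the removable drive, unplugged when done.
$snap = New-Snapshot -Source 'C:\Data' -BackupRoot 'E:\Backups'
$bad  = Test-Snapshot -Snapshot $snap.Snapshot -Manifest $snap.Manifest
if ($bad) { $bad } else { "Snapshot $($snap.Snapshot) verified." }
```

Run `Test-Snapshot` whenever the drive is plugged in and always before a restore. The manifest is small, so keep a second copy of it somewhere other than the backup drive; a manifest stored only next to the files it describes can be rewritten by the same malware that encrypted them. Cloud storage with object versioning gives the same "cannot overwrite the last good copy" property for the off-site copies Mr Abrams recommends.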
2. Update and patch your systems
The latest ransomware was successful because of a combination of factors.
Those include a known and highly dangerous hole in Windows' SMBv1 file-sharing service, users who didn't apply Microsoft's March fix for it, and malware designed to spread from machine to machine on its own once inside university, business and government networks.
Applying updates promptly closes most of the vulnerabilities attackers actually use.
‘Hopefully people are learning how important it is to apply these patches,’ said Darien Huss, a senior security research engineer for cybersecurity firm Proofpoint, who helped stem the reach of the weekend attack.
‘I hope that if another attack occurs, the damage will be a lot less. But there are obviously many, many computers out there and some people still, I feel, will not think that they need to patch their computer, so if an attack like this occurs again, there will still be infections.’
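What "update and patch" meant in practice for WannaCry was three checks on every Windows host: is the March fix installed, is SMBv1 turned off, and can anything on the network reach port 445 that does not need to. The following PowerShell script is an added example, not the article's or Microsoft's, that performs all three; it also implements the network-access restriction recommended further down under "Educate your workforce." It assumes an elevated session, that the KB numbers listed are the MS17-010 updates for common Windows versions as published in March 2017 (verify against the bulletin for your build), and that `10.0.10.0/24` is a placeholder for the subnet that legitimately needs SMB access to the host.

```powershell
# Added example, not from the article: audit one Windows host for the exposure
# WannaCry used and harden it. Run from an elevated PowerShell session.
# Assumptions (check before use): the KB list is the set of MS17-010 fixes for
# common versions as published in March 2017, and $AdminSubnet is a placeholder
# for the network from which SMB access to this host is legitimately needed.

$AdminSubnet = '10.0.10.0/24'   # placeholder, replace with your own range

# 1. Is the March 2017 fix (MS17-010) installed? Later cumulative updates
#    supersede these KBs, so a miss here is a prompt to check update history,
#    not proof of exposure.
$ms17010 = @(
    'KB4012212'   # Windows 7 / Server 2008 R2, security-only
    'KB4012215'   # Windows 7 / Server 2008 R2, monthly rollup
    'KB4012213'   # Windows 8.1 / Server 2012 R2, security-only
    'KB4012216'   # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012214'   # Server 2012, security-only
    'KB4012217'   # Server 2012, monthly rollup
    'KB4012598'   # Vista / Server 2008, and the out-of-band XP / 2003 release
    'KB4012606'   # Windows 10 1507
    'KB4013198'   # Windows 10 1511
    'KB4013429'   # Windows 10 1607
)
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    'WARNING: no MS17-010 KB found. Confirm the patch level before this host rejoins the network.'
}

# 2. Turn SMBv1 off, patched or not. The worm's exploit only works against SMBv1.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later ship the SMB cmdlets.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        'SMBv1 server disabled.'
    } else {
        'SMBv1 already disabled.'
    }
} else {
    # Windows 7 / Server 2008 R2 have no SMB cmdlets; use the documented registry switch.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
    'SMBv1 server disabled via registry (takes effect after a restart).'
}

# 3. Restrict who can reach TCP 445 at all. In Windows Firewall a Block rule
#    overrides any Allow, so the working pattern is: default inbound action
#    Block, the broad built-in file-sharing rules off, and one Allow scoped to
#    the admin subnet. Workstation-to-workstation SMB inside the LAN is exactly
#    the path the worm used. (On Windows 7 use netsh advfirewall instead.)
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
$ruleName = 'SMB 445 inbound from admin subnet only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null
}
"Inbound TCP 445 now limited to $AdminSubnet"
```

Step 2 is worth doing even on a patched machine, since it removes the protocol the exploit depends on rather than one bug in it; test first, because old printers and NAS devices sometimes still speak only SMBv1. Step 3 does not stop a host from being infected by other means, but it means one infected workstation cannot walk across the office over port 445, which is how WannaCry turned single infections into outages.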
3. Use antivirus software
Antivirus software protects you from the most basic, well-known malware by comparing files on your system against known signatures, or 'fingerprints'.
Low-end criminals rely on exactly these well-known samples to catch less savvy users, but malware changes constantly and signature-based antivirus is frequently days behind a new variant, so treat it as a floor rather than as a defence against a fresh campaign.
4. Educate your workforce
Basic protocol such as stressing that workers shouldn’t click on questionable links or open suspicious attachments can save headaches.
System administrators should ensure that employees and their machines have no access to file shares and network segments they don't need for their work.
This limits how far ransomware can spread from a single compromised account or computer if attackers do get into your system.
5. If hit, don’t ‘wait and see’
Some organisations disconnect computers from the network as a precautionary measure, infected and not-yet-infected alike.
Isolating machines from the network (unplugging the cable or disabling Wi-Fi rather than powering them off, since powering off destroys evidence in memory that investigators may want) stops the continued encryption of shared files and keeps a worm like WannaCry from reaching more hosts.
Hackers will sometimes encourage you to keep your computer on and linked to the network, but don’t be fooled.
If you're facing a ransom demand and are locked out of your files, law enforcement and cybersecurity experts discourage paying, because it rewards the attackers and funds their next campaign.
There’s also no guarantee all files will be restored.
Many organisations without updated backups may decide that regaining access to critical files, such as customer data, and avoiding public embarrassment is worth the cost.
‘My answer is, never pay the ransom,’ Mr Abrams says.
‘But at the same time, I also know that if you’re someone who’s been affected and you’ve lost all your children’s photographs or you’ve lost all your data or you lost your thesis, sometimes $300 is worth it, you know?’