Learning the lessons from WannaCry

The WannaCry ransomware struck businesses and organisations all around the world. Andrew Costis, threat research and incident response engineer at LogRhythm, looks at what lessons can be learned for the future.

By John Oates

Mon 29 May 2017 @ 11:02

The WannaCry attacks dominated the headlines in mid-May, even though ransomware has been a widespread problem for several years.

WannaCry has been the largest and fastest-spreading ransomware attack ever seen, hitting high-profile organisations in 150 countries by exploiting a vulnerability stolen from the NSA.

While it appears the actual damage done, and the ransoms paid, were significantly less than originally predicted, businesses can still use this opportunity to check they are doing all they can to stay safe.

Andrew Costis, threat research and incident response engineer at LogRhythm, said there were lessons to be learned for all organisations from the WannaCry outbreak.

“The first lesson for business is to keep up to date with patches. Using certified and supported software is vital as is an active patching programme, whether you’re using Microsoft or software from another vendor.

This is just good housekeeping – we’re all aware of how important it is to keep our mobile phones updated. We need to get into the same mindset.

There can be issues with this – if you have bespoke applications which need testing, for instance, but you need to balance the real risk of ransomware against the potential risk of problems with certain applications or hardware.

Secondly, make sure you have current and regular back-ups. It is amazing how many organisations we talk to that have to go back a month or even longer if something goes wrong.

It’s a basic thing, again I think of the phone analogy – we know we need to back up our photos and contacts to the cloud.

We would recommend running at least a monthly check to verify those back-ups. And that means trying to do a restore from them to check they’re not corrupted. You need to be able to get core servers back up and running fast if necessary.

These simple lessons would have kept most organisations safe from WannaCry.

Beyond that you need to think about layered security which gives you real insight into what’s happening on your network because these security issues are not going to go away.”

Costis also said that, with so much public awareness of the issue of ransomware, now is an ideal time to ramp up staff education.

Internally LogRhythm runs monthly security training based around different themes such as password best practice and email policies. This even includes sending test phishing emails to gauge how staff respond to suspicious messages.

The company also uses regularly changed posters on the walls of its offices. Some companies use PC desktop wallpaper to provide timely security tips that are impossible to miss. Any way to promote and educate is better than doing nothing.

Given the huge number of organisations that were hit by WannaCry, now is also a good time to revisit incident response plans.

Costis said: “The old saying is true – it’s not if you will suffer a breach, it is when you will.”

He cited the example of a company that suspected a desktop machine had been compromised but did not have any plan in place to deal with such an incident.

Companies need to be able to instantly quarantine a suspect machine. They need the ability to run forensics on it to see if it is benign or has been hit by a real attack.

These attack signatures can then be used to run a historical check across the rest of the network. However, no matter how good defences are, businesses need to have a back-up plan in case of failure.

Costis noted that cyber attacks exploit human psychology.

Receiving an email makes us feel wanted and curious to read it and open attachments. But even Word files can be infected and phishing emails are getting ever more difficult to tell apart from genuine communications.

Costis said: “The reality is that nothing happens if you don’t open an email or its attachments. At worst someone will ring you up or send another mail. When it comes to security it pays to be paranoid, not trusting.”

Whatever happens with WannaCry, it is very likely that cyber criminals will quickly create new variants that are even more effective.

Ransomware has been a major threat to businesses around the world and has earned malware gangs hundreds of millions of dollars.

Given its profitability, this threat is not going away any time soon so organisations need to be prepared.

By following good standard security practices you can stay safe from the majority of cybersecurity threats and minimise the damage if the worst does happen and attackers succeed in breaching your defences.