Unless you’ve been living under a rock, you know that in recent years ransomware has become one of the biggest threats to computer systems and networks, from individuals to enterprises. I wrote about the evolution of ransomware to extortionware (also called doxware) earlier this year in a blog post on this site.
But whether we’re talking about more traditional ransomware Trojans or the more sophisticated variants, the old saying holds true: an ounce of prevention is worth a pound of cure – especially since, in the case of ransomware, the “cure” may consist of paying significant amounts of cash (usually in Bitcoin) to the “hostage takers.”
Not only does it cost you/your company money, but it also results in lost revenues and lost productivity during the time your data is inaccessible, and in the case of hospitals and other healthcare facilities – a favorite target – can even put lives in danger. There can be resultant lawsuits, or at the very least damage to your organization’s reputation.
Another negative effect of paying the ransom is that every time an attacker succeeds in collecting, it provides positive reinforcement to perpetrate more and “better” attacks. And if the bad guys know that your organization was willing to pay up one time, you can bet there is a very good chance that sooner or later, they’ll be back again for more.
Makes you wanna cry
It seems as if every month brings news of a new ransomware campaign, and in May it was a cryptoware attack called WannaCry (also known as WannaCrypt in some circles) that was all over the news. It was believed to have started on a single computer in Europe, but it spread quickly and was reported to have infested close to two hundred and fifty thousand Windows computers in the first twenty-four hours after the malware appeared in the wild, earning it the title of “biggest ransomware attack in history” (thus far).
Once again, the healthcare industry was targeted. Even worse, Forbes reported that medical devices as well as hospital computers were affected this time, as some of these dedicated devices run on Windows and are connected to the hospital network.
This particular piece of malware targets a vulnerability in the Windows SMB protocol. A key factor that prevented it from spreading even faster and farther than it did was that Microsoft had already put out a critical security update to patch the hole two months earlier as part of the March 2017 Patch Tuesday updates.
But here’s the rub: many organizations and individuals hadn’t installed the update when WannaCry hit. The consequences of that delay were unpleasant at best. Those whose systems were unpatched found themselves unable to access their data. After encrypting the files on an infected system, the malware spreads to other unprotected computers on the local network and across the Internet.
Typical of ransomware, after it’s done its dirty work WannaCry displays an electronic “ransom note” that demands payment in Bitcoin to unlock the data that’s being held hostage. The longer you wait to send the money, the more the price increases, starting at $300 and doubling if not paid within three days.
Although in the past the FBI has recommended paying the ransom to recover your data, in the case of WannaCry, many security experts were taking a different stance due to the design of the malware, which they said makes it unlikely that the perpetrators would (or even could) decrypt the files even when victims paid up.
Although Windows XP had been out of support for three years, which normally means no longer getting security patches, Microsoft responded to the severity of the WannaCry attack by issuing an emergency update for XP and Server 2003.
However, studies indicated that the majority of the machines affected by the ransomware were running currently supported operating systems (primarily Windows 7) for which patches had already been made available. Later reports indicated that XP computers were actually less vulnerable than those running newer operating systems, because on XP the malware more often failed to install and instead crashed the system.
Within four days, the spread of WannaCry had slowed down to a crawl, thanks in part to the discovery of a “kill switch” by a security researcher in England, but also because most organizations had installed the applicable patches by that time.
An ongoing problem
The WannaCry attack came on the heels of so many other recent ransomware variants, such as Cry9, PadCrypt, AngryKite, Vortex, Bart, Kripto, and many more. You’re probably familiar with the names of older variations such as CryptoLocker, zCrypt, Locky, Crysis, and CryptoWall.
We had already seen a huge increase in the number of ransomware attacks during 2016, with some reports claiming over half a billion such attacks over the course of the year, and estimates that victims paid hundreds of millions of dollars in the attempt to get their data back. But it gets worse: the first months of 2017 saw a 250% increase over the previous year, according to Newsweek.
Meanwhile, we’re now hearing that WannaCry is believed by the NSA to have been a state-sponsored attack originating from North Korea.
Even as I write this, new ransomware attacks are occurring all over the world. On June 15th, University College London reported that their servers had been hit by a “major” ransomware attack, causing some healthcare organizations in the U.K. to shut down their email services to guard against the infestation.
Ransomware authors are always coming up with new methods to propagate the malware and ensure wider spread, as well. For instance, the Popcorn malware was the first to give victims a choice of paying the ransom or instead infecting other computers. How many users would be willing to pass the problem on to someone else in order to avoid shelling out hundreds or thousands of dollars?
2016 saw ransomware creators getting more innovative. Cerber is based on the concept of ransomware-as-a-service (RaaS), wherein bad guys can subscribe to distribute it and the developers take a commission from each ransom that is paid. Petya is a type of ransomware that goes after the system files instead of the data: it overwrites the computer’s master boot record and encrypts the master file table.
The takeaway: Patch management matters
We can expect to see more and “better” ransomware coming down the pike in the future, but the good news is that we can learn from the WannaCry attack and take measures to provide better protection for our computers and networks. The biggest lesson to come out of this attack was that applying security updates as soon as possible can go a long way toward avoiding victimization when a vulnerability like this is exploited by ransomware.
WannaCry would have fizzled quickly if all of the infected computers had been patched immediately when Microsoft released the critical security update for the SMB vulnerability weeks earlier. The irony is that most victims were not naïve home users, since most home users have automatic updating enabled and their systems are patched regularly. It was corporate networks and those of other large organizations – the ones most dependent on their data – that got hit.
Of course, corporate IT departments have good reasons for delaying patching. Because their work is mission-critical, they want to test patches in a lab environment first to ensure there will be no software conflicts with custom applications and configurations that could create downtime resulting in lost productivity.
However, IT personnel and policy-makers need to balance the risk of waiting against the risk of more timely patching. They need to stay abreast of the latest developments in the malware arena so they can act quickly when a major attack like WannaCry begins to spread, and they need an incident response plan in case some or all of their systems are hit by ransomware that suddenly renders important data inaccessible. Frequent off-line backups of essential data should also be part of that strategy.
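As an added illustration of the patch-management lesson above (this script is not from the original post and is not a Microsoft tool), the following PowerShell audit answers, on a single Windows host, the two questions that decided whether a machine was exposed during WannaCry: is the SMBv1 protocol that the worm component used still enabled, and has the host received any updates since the March 2017 Patch Tuesday release that closed the hole. It uses only standard cmdlets (Get-SmbServerConfiguration, Get-HotFix, Get-NetFirewallPortFilter, Get-NetFirewallRule, Set-SmbServerConfiguration); the function names, the default date, and the posture labels are my own assumptions. A remediation function is included but only acts when called without -WhatIf.

```powershell
# Added example, not part of the original post. Requires Windows 8.1 / Server 2012 R2
# or later (for the SMB and NetSecurity cmdlets) and an elevated PowerShell session.

function Get-SmbPatchPosture {
    [CmdletBinding()]
    param(
        # Assumed default: the March 2017 Patch Tuesday date referred to in the post.
        [datetime]$Since = [datetime]'2017-03-14'
    )

    # 1. SMBv1 server protocol state. WannaCry's spreading component only works
    #    against SMBv1, so $false here removes the network-propagation path even
    #    on a machine that has not yet received the update.
    $smb1 = $null
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        Write-Warning "Get-SmbServerConfiguration unavailable: $($_.Exception.Message)"
    }

    # 2. Hotfixes installed on or after $Since. InstalledOn can be empty for some
    #    entries, so those are excluded rather than mis-counted. On operating systems
    #    with cumulative updates a single recent entry is enough; on older ones the
    #    definitive test is to look for the specific KB for your OS (not named here).
    $recent = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn)

    # 3. Rough firewall check: any enabled inbound "Allow" rule for TCP 445.
    #    Blocking 445 from untrusted networks limits how far a worm can reach.
    $allow445 = @(Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    # Assumed posture labels: SMBv1 on AND nothing installed since the release date
    # is the combination that left hosts exposed during the outbreak.
    $posture = if ($smb1 -and $recent.Count -eq 0) { 'EXPOSED' }
               elseif ($smb1)                      { 'REVIEW: SMBv1 still enabled' }
               else                                { 'OK' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = [Environment]::OSVersion.Version.ToString()
        Smb1Enabled        = $smb1
        PatchesSince       = $recent.Count
        LastPatchInstalled = if ($recent.Count -gt 0) { $recent[-1].InstalledOn } else { $null }
        Inbound445Allowed  = ($allow445.Count -gt 0)
        Posture            = $posture
    }
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server protocol. Supports -WhatIf / -Confirm so it can be
    # dry-run first; test against file servers and legacy devices before rolling out.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage: audit first, then dry-run the remediation.
Get-SmbPatchPosture | Format-List
Disable-Smb1Server -WhatIf
```

Run the audit across a fleet (for example through Invoke-Command) and treat any host reporting EXPOSED as the priority for the testing-then-deploy cycle described above; the firewall check is deliberately coarse and does not replace a review of where port 445 is reachable from.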