Learning from WannaCry

Posted on June 6, 2017 by Tim Burke

If your business has been taken hostage by WannaCry ransomware, get expert help now. If you’ve been spared, please pay attention anyway, because WannaCry broke new and dangerous ground.

Worth noting: how WannaCry evolved

By undisclosed means, the NSA learned of a security vulnerability in old Microsoft SMB file-sharing software that remains in use despite having been superseded long ago. To exploit this vulnerability, the NSA created EternalBlue, a self-replicating worm that scans networks and infects any systems running the old SMB software in order to gain control of them. When EternalBlue was stolen and released on the internet, Microsoft at last learned of the SMB vulnerability and issued a software patch that fixed it.

About nine weeks after Microsoft issued the patch, WannaCry, which pairs EternalBlue with ransomware code, went to work. This was no zero-day attack, then. Even so, within 48 hours 230,000 internet addresses were infected; victims included those who had not applied Microsoft’s SMB fix as well as those relying on pirated software. Those with patched and updated software remained unaffected.

We got lucky this time

Although the self-replicating worm that weaponized WannaCry is very sophisticated, the ransomware component is, fortunately, so poorly crafted that:

- The ransomware code’s kill switch (meant to keep it from fully deploying in the ‘sandboxes’ designed to trap it) was spotted early on and tripped, neutralizing many attempted WannaCry infections.
- Unlike most ransomware payment systems, WannaCry’s was not automated, as might be expected of an attack that some estimate has impacted upwards of a million machines, and decrypting a victim’s data after paying the ransom demand is nearly impossible.

Certainly, however, we cannot expect to get this lucky twice.

We have been warned

Among WannaCry’s many lessons, I point to three:

- Cybercriminals’ intent. WannaCry seems to have focused on enterprises rather than consumers. So, along with data theft, data manipulation, and extortion, add widespread business disruption to the growing list of nefarious cybercriminal motives.
- More where that came from. Last year, ransomware attacks quadrupled, averaging 4,000 per day, a rate some believe is accelerating. Dozens of new strains emerged, too, plenty of them using techniques that make ransomware code less resource-heavy, better at deception, and able to bypass firewalls and execute more easily. Nor will ransomware be all you have to worry about: it may disguise something far more damaging, say, gaining access to confidential information about an upcoming merger or altering intellectual property.
- Modest size makes you a target. As larger enterprises deploy stronger security measures and tighter controls, cybercriminals shift to easier targets, often mid-size and smaller firms, 50% to 80% of which have experienced a security breach, some estimate.

In my next couple of posts, I’ll review what you can do to prevent ransomware from bringing down your business.
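One concrete check that follows from the "how WannaCry evolved" section above, added here as an example and not part of the original post: the superseded SMB version the worm spread through is SMBv1, and the PowerShell below audits a Windows host for it. It assumes Windows 8 / Server 2012 or later (for the SmbShare, DISM and NetTCPIP cmdlets) and an elevated session; on Server editions the SMBv1 binaries are a role feature rather than an optional feature, so that one field may come back empty.

```powershell
# Added example (not the post's code): audit this Windows host for the
# superseded SMBv1 protocol that WannaCry's worm component targeted.
# Assumes Windows 8 / Server 2012+, run from an elevated PowerShell prompt.
function Get-Smb1Exposure {
    $result = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        Smb1ServerOn  = $null   # server-side SMBv1 accepting connections
        Smb1FeatureOn = $null   # SMBv1 binaries installed as a feature
        Port445Open   = $null   # anything listening on the SMB port
    }

    # Server-side SMBv1 setting: this is what a network-scanning worm reaches.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.Smb1ServerOn = [bool]$cfg.EnableSMB1Protocol }

    # Optional-feature state (client editions): are the SMBv1 bits installed at all?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureOn = ($feat.State -eq 'Enabled') }

    # Is TCP 445 listening? If not, no SMB version is reachable from the network.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Open = [bool]$listener

    [pscustomobject]$result
}

$status = Get-Smb1Exposure
$status | Format-List

if ($status.Smb1ServerOn -or $status.Smb1FeatureOn) {
    Write-Warning "SMBv1 is still enabled on $($status.ComputerName)."
    Write-Warning "Remediate with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    Write-Warning "and: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
    Write-Warning "then confirm the SMB security update from Windows Update is installed."
}
```

Run it across the fleet (for example via Invoke-Command) and any host reporting Smb1ServerOn as True is one the post's "old SMB software" warning applies to, patch or no patch.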