Steve McGregory, Senior Director, Application & Threat Intelligence at IXIA, comments on WannaCrypt

May 2017 by Steve McGregory, Senior Director, Application & Threat Intelligence at IXIA

1. How did the attack spread so quickly — I think it says about 200,000 victims affected in 150 countries since Friday.

The attack spread quickly because once a single machine is infected in a network, the infected machine spreads by looking for adjacent Windows systems that are vulnerable to the Server Message Block (SMB) vulnerability (MS17-010). This vulnerability was only fixed by Microsoft in March 2017 and many systems remain unpatched. Since this vulnerability is fairly new (released by ShadowBrokers on April 14th, 2017), older systems and systems not receiving regular security patches were exploited and infected. This has been especially painful for organisations using older versions of Windows such as Windows XP. An example of this is how the UK National Health Service, which is reported to have 90% of its systems still running Windows XP, saw such a painful disruption to its operations.

2. What kind of potential costs are businesses and agencies affected looking at? Both monetary (if any estimates are available) and non-monetary.

If the organisation being affected has a good data backup policy, then the cost will be measured by the hours spent by their IT departments reformatting systems and by lost productivity by employees waiting for their systems to be restored. Depending on the nature of the business, this downtime could be extremely costly, and, in some cases, dangerous, as we saw with the UK National Health Service being forced to shuffle patients around as a result of the attack.
However, if critical data that was not backed up exclusively resided on those systems, the costs could be considerable, both monetarily and to their reputation. Loss of customer data, financial records, or any other irreplaceable data could render an organisation unable to transact business and potentially leave permanent gaps in records that would not survive an audit.

3. Is this the largest cyber-attack ever carried out?

This is hardly the largest or most costly attack ever perpetrated. Since the ransom is being paid in bitcoins, anyone can see the transaction record to the known bitcoin wallets of the perpetrators. Thus, so far, the total extracted sum is approximately $30,000.00 USD. Granted, this does not illustrate the cost of the disruption; however, other attacks have resulted in damage in the billions of dollars, such as the 2000 DDoS on Amazon, eBay, CNN, Yahoo, and many other sites by Michael Calce (aka MafiaBoy). Or the Miami-based hacker, Albert Gonzalez, who successfully stole tens of millions of credit cards. Or the billion Yahoo accounts stolen. One of the most notorious hacks was of the Democratic National Party last year, where the implications may have cost Hillary Clinton the US Presidency. That being said, we are still in the early stages of seeing the fallout of this event. In a month's time, the damage very well could eclipse the aforementioned events.

4. Any other points to add?

This attack is 100% predicated on Microsoft Windows users opening up malicious attachments, which can be largely eliminated by educating employees on the dangers of phishing. The mechanism by which Wana propagates after infection, the Microsoft Server Message Block (SMBv1) vulnerability described in Microsoft security update MS17-010, can be closed by implementing the security update. It is highly uncommon for SMB communication to be used across the public internet space, as it is largely for file sharing within a subnet. As a result, the only real manner in which Wana, in all of its variants, can enter a network is by opening malicious attachments. Lastly, damage by ransomware can absolutely be minimized by having a secure and diligent backup system for all critical data in place. An organisation should buttress itself against catastrophic data loss, from ransomware or any other potential avenue, in order to ensure the integrity of its data.
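Two of the points above translate directly into something a defender can watch for in firewall or flow logs: the propagation pattern from answer 1 (one infected host probing its neighbours on SMB, TCP 445, for MS17-010) and the observation in answer 4 that SMB rarely has any business crossing the public internet. The script below is an added example written for this page, not code from IXIA or from Mr McGregory; the log line format, the internal address range (10.0.0.0/8), the thresholds and the sample log lines are all constructed assumptions.

```python
"""Flag WannaCry-style SMB behaviour in simple firewall/flow logs.

Heuristic 1: TCP 445 reaching an internal host from an address outside the
             organisation's own ranges (SMB should stay inside the subnet).
Heuristic 2: one internal host opening TCP 445 to many distinct internal
             neighbours within a short window (worm-like lateral scanning).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log (not real traffic). Assumed line format:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.16 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.17 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.18 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 10.0.1.19 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T10:00:04 10.0.1.15 10.0.1.21 445 ALLOW
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:11 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:30 203.0.113.7 10.0.1.5 445 ALLOW
2017-05-12T10:05:00 10.0.1.15 10.0.1.22 445 ALLOW
2017-05-12T10:05:01 10.0.1.41 10.0.1.99 443 ALLOW
"""


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "action": action,
        })
    return events


def external_smb_sources(events):
    """Heuristic 1: sorted list of non-internal sources that reached SMB internally."""
    return sorted({
        str(e["src"]) for e in events
        if e["port"] == 445 and not is_internal(e["src"]) and is_internal(e["dst"])
    })


def smb_fanout_sources(events, window=timedelta(seconds=60), threshold=5):
    """Heuristic 2: {source: max distinct SMB targets seen within `window`}
    for internal sources that reached at least `threshold` distinct targets."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] == 445 and is_internal(e["src"]) and is_internal(e["dst"]):
            by_src[e["src"]].append((e["ts"], e["dst"]))

    flagged = {}
    for src, conns in by_src.items():
        conns.sort()  # time order, so a sliding window is valid
        start = 0
        for end in range(len(conns)):
            # Advance the window start until it spans at most `window` seconds.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[str(src)] = max(flagged.get(str(src), 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SMB from outside the internal ranges:", external_smb_sources(evs))
    print("Internal hosts fanning out on SMB:", smb_fanout_sources(evs))
```

On the constructed sample, heuristic 1 reports the single non-internal source and heuristic 2 reports only the host that touched six neighbours within a minute; the host that retried the same file server twice stays below the threshold, which is the difference between a worm and ordinary file sharing that the interview is pointing at. In a real deployment the thresholds and INTERNAL_NETS must be tuned to the site, and a hit should be treated as a lead for isolation and patch verification (MS17-010), not as proof of infection on its own.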
