
Wanna Cry Anniversary Expert Comment

May 2022 by Experts

In light of the five-year anniversary of the devastating WannaCry attack, please find comments from Delinea and Integrity360:

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea

“The 2017 WannaCry ransomware attack sent shockwaves globally, impacting hundreds of thousands of computers and devices and leaving billions in damages in its wake. Little did we know then that it was just the start of a rise in more sophisticated, widespread, and detrimental ransomware attacks. Since then, we have seen a steady stream of high-profile ransomware victims, along with a rise in the number of ransomware groups offering ransomware-as-a-service (RaaS).

WannaCry taught all organizations some important lessons. The main one is that no matter how much you spend on your defense mechanisms and protecting your perimeter, you can be exposed from within if your technology and systems are old, outdated, or left unpatched. Poor internal cyber hygiene leaves the door open for malicious actors.

As we look towards the future, there are several initiatives organisations can implement to limit their exposure to such threats. One is segmentation, essentially putting in place technical guardrails that separate one business function from another. This minimizes the unchallenged propagation of malicious actors and malware. Another best practice is to identify all critical assets which are most commonly targeted for attacks and perform frequent incremental backups in the event a system recovery is needed. Strong multi-factor authentication and privileged access controls are also obvious components.

Every user is now a privileged user with access to sensitive systems and data. Organisations should consider a least privilege approach to access, limited to only what is required for the job function or task. While it will not help increase operational readiness, organisations should also always be prepared for the worst-case scenarios with a cyber insurance plan in place to cover any losses.

Ransomware attacks continue to proliferate today. While the U.S. government and other federal agencies around the world work to implement measures to prevent ransomware attacks and prosecute those who partake in such activities, successfully mitigating ransomware attacks requires a host of combined initiatives. This includes implementing security controls founded in least privilege and Zero Trust, the creation of a security first company culture and employee training, robust threat detection and response, collaboration between public and private sectors, and most importantly operating on the mindset that it is not ‘if’ cybercriminals will attack but when.”

Carlo Edwards, Cyber Threat Response Analyst, Integrity360

“Is WannaCry still a threat?

Yes and no. In the ever-evolving world of cyber threats, five years is a lifetime. Within weeks of the WannaCry attacks, security vendors had supplied detection and prevention methods for the EternalBlue exploits and the WannaCry decryption tools were made publicly available. Patches were made available to squash the exploit; in fact, SMBv2 was already available prior to the attacks but many organisations had not made the change (even after they had been warned) and Microsoft had provided patches one month prior.

The point I am trying to make here is that WannaCry should not have been a threat to begin with, but bad patch management could leave an organisation open to this attack. It is not uncommon for incident responders to be called in by a victim to find that they are using software versions that are years out of date.

However, as previously mentioned, five years is a lifetime, the threat landscape is completely different and it is unlikely (but not impossible) that a threat group would attempt WannaCry. It is more likely they would try something newer with fewer detection methods and more recent exploits.

So what has changed in 5 years?

WannaCry focused on a single extortion method, deploying malware resulted in encrypted files, the victim had to pay up to gain access to those files. Now we are seeing more ransomware deployed as part of a double or even triple extortion tactic. With double extortion, the threat actors will exfiltrate the victim data and then encrypt the files and folders. The victim will then be held to ransom with the threat of having their data leaked, in addition to their local files being encrypted. Triple extortion has the added threat of a Distributed Denial of Service attack if the victim delays or refuses payment.

Additionally, ransomware has become more complex. Most recently, we have seen ransomware from the BlackCat group (aka AlphV), the first ransomware group to successfully use the Rust programming language to compromise victims. The flexibility of Rust allows BlackCat’s operators to individually tailor attacks against targets. Unfortunately, there is also no known method of decryption.

It’s all doom and gloom, what can we do?

There is a lot of focus on the ransomware aspect of the attack, however this is the final stage of many. If we look at the Mitre ATT&CK framework and how WannaCry maps to it, we see there are 7 stages prior to the impact (Ransomware). Each one of these stages is also an opportunity for detection/prevention. Yes, the ransomware operators’ attacks and extortion methods are advancing, but by doing so, they are having to access more systems and add extra steps prior to the final impact. Therefore, by focusing on these early steps, and not the ransomware, we can build defences to detect/prevent prior to any ransomware being deployed (and having that dreaded call to IR).

A firewall is great and protecting yourself from external threats is the right thing to do, but just look at the activities from the WannaCry ransomware. Most of the action is internal. So don’t forget to invest in a good EDR, NGAV, IDS/IPS devices and other internal detection/logging devices. If you catch any ransomware/malware before that impact stage, you will save yourself one heck of a headache and probably a lot of money.”
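The comment above argues for catching the internal, pre-impact stages rather than the encryption itself, and WannaCry's lateral movement over SMB (TCP/445, the transport EternalBlue abused) is the classic case. The script below is an added example, not code from the article or from Integrity360: it reads a constructed connection log of the form "<ISO time> <src> <dst> <dport> <proto>" (the format, the sample lines and the threshold are assumptions for this illustration) and flags any host that reaches an unusual number of distinct internal peers on port 445 inside a short window, which is the kind of signal an IDS or EDR rule would raise before any file is touched.

```python
"""Flag hosts that fan out SMB (TCP/445) connections to many internal peers.

Added example (not from the article). A workstation suddenly talking to dozens
of neighbours on port 445 is a pre-impact signal worth alerting on. The log
format and every sample line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Only RFC 1918 destinations count as "internal" for the fan-out metric.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log: 10.0.1.20 probes 12 distinct internal peers on 445 within
# 12 seconds (WannaCry-like fan-out), 10.0.1.30 is a normal file-server client,
# 10.0.1.40 touches three peers only. One external 445 connection is included
# to show it is ignored by the internal-peer count.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d} 10.0.1.20 10.0.1.{100 + i} 445 tcp" for i in range(12)]
    + ["2017-05-12T10:00:05 10.0.1.20 203.0.113.9 445 tcp"]
    + [f"2017-05-12T10:0{i}:00 10.0.1.30 10.0.1.5 445 tcp" for i in range(3)]
    + ["2017-05-12T10:01:10 10.0.1.30 10.0.1.7 443 tcp"]
    + [f"2017-05-12T10:00:{30 + i} 10.0.1.40 10.0.1.{200 + i} 445 tcp" for i in range(3)]
)


def is_internal(addr):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (time, src, dst, dport) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, src, dst, dport


def smb_fanout(lines, window=timedelta(seconds=60)):
    """Map each source host to the most distinct internal SMB peers it
    contacted inside any sliding window of the given length."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != 445 or not is_internal(dst):
            continue
        events[str(src)].append((ts, str(dst)))

    result = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            best = max(best, len(peers))
        result[src] = best
    return result


def flag_hosts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return [(src, peer_count)] for hosts at or above the threshold,
    highest fan-out first. The threshold is a tunable assumption."""
    counts = smb_fanout(lines, window)
    flagged = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, n in flag_hosts(SAMPLE_LOG):
        print(f"ALERT: {src} reached {n} internal hosts on TCP/445 inside one window")
```

On the sample data only 10.0.1.20 is flagged; the file-server client repeatedly hitting one share and the host that touched three peers stay below the threshold. In practice the threshold and window are tuned against a baseline of normal SMB behaviour for the segment, and the same sliding-window count can be pointed at other ports an attacker would sweep during the discovery and lateral-movement stages the comment refers to.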

