May 12th 2017 saw the largest outbreak of ransomware to date, with a massive impact on computer systems worldwide.
Although somebody, almost by accident, found a way to temporarily halt the spread of this worm, history has shown that copycat attacks based on the same code will follow sooner rather than later.
Over the weekend one more strain has already been spotted in the wild, and this one does not respond to the “kill switch” that was deployed against the original version.
How did we come this far?
Stash of “cyber” weapons
It all starts with the American National Security Agency (NSA), which apparently lost control of an entire set of hacking tools, 0-day vulnerabilities and accompanying exploits.
The group calling itself the Shadow Brokers leaked the material online last month, and from that moment the time bomb was ticking towards the first major, probably worldwide, attack making use of this pile of weapons.
Apparently we did not have to wait long: within roughly four to five weeks we are again witnessing a large threat to the global Internet, and especially to companies with lax or no security whatsoever.
The previous wave of attacks was in September and October 2016, when Internet of Things (Internet of Threats) IP cameras were used for a series of massive DDoS (distributed denial of service) attacks against various websites, including Krebs on Security and the DNS provider Dyn.
The one major difference: this time round the attack is far more destructive in nature.
Security awareness vs. securing your network
This strain of ransomware is fairly unique in that it does not propagate via the usual method, phishing mails with malicious attachments, which typically wrecks one user’s documents, or at least all data that user has write access to.
Instead it spreads as a worm, exploiting vulnerabilities in Windows systems that had not been patched: either because the available patches had not been applied yet, or because no patches existed at all, the systems running unsupported and outdated Windows versions such as Windows XP and Server 2003. For the latter Microsoft has now released patches as well, in an effort to limit reputation damage.
As most organisations have a flat network topology, without segregating systems into their own small network environments, the worm can easily spread through the entire company network and infect every running Windows system it can reach.
Three prime examples are the computer systems of the British NHS, the payment terminals of Q-Park and the timetable displays of Deutsche Bahn, which had to resort to chalkboards for departure times and platforms, as the BBC showed this morning.
As the worm not only carries a ransomware component but also includes a backdoor that calls back over the Tor network to the command and control system of the miscreants, infected companies have not only potentially lost their data but must also consider that the miscreants may have a copy of it, which could have major implications under mandatory breach notification regimes, especially where personally identifiable information (privacy data) is concerned.
What to do next?
That depends on one thing alone: were you hit or not?
I suspect that if you were hit, you are scrambling for those backups, which you may or may not have.
If you weren’t hit, your management will breathe a sigh of relief and continue as they always have, as if nothing happened.
But what is really at stake for both camps, the hit and the not-yet-hit organisations?
“I’ve been hit, what now?”
This again boils down to one important question: did you have backups or not?
“I have backups”
Okay, well done. Your security may still need improvement, as well as a proper patch management process, including the all-important “we need to apply this security patch now!” policy, procedure and actual implementation.
But more on that later.
Your first order of business is to make sure no further infections can take place and that the worm cannot spread through your network to restored systems.
So your first task is to take down the entire network, including outgoing connections, and go through all systems one by one to determine whether they are infected or not.
If you find infected systems, wipe them completely and rebuild the installation from scratch before restoring your backups.
And let’s hope you have tested restoring those backups too.
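To make the “go through all systems one by one” step concrete, here is a small PowerShell triage script I have added to this post; it is not part of the original advice and not a vendor tool. It assumes the vulnerability the worm exploited is the one closed by Microsoft’s March 2017 bulletin MS17-010, and the two KB ids it checks for by default are the Windows 7 SP1 / Server 2008 R2 packages for that bulletin (look up the id for your own build; the parameter names, the verdict logic and the firewall rule name are my own choices). It needs the Smb* and Net* cmdlets, so Windows 8 / Server 2012 or later; on XP and 2003 it will not run at all, which is rather the point about unsupported systems. Run it on a machine that has already been pulled off the network:

```powershell
<#
 Added example for this post, not a vendor tool. Per-host triage for the
 SMB worm described above. Assumptions: the worm used the hole fixed by
 MS17-010; the default KB ids are the Windows 7 SP1 / Server 2008 R2 packages
 for that bulletin (security-only and monthly rollup). Needs Windows 8 /
 Server 2012 or later. Run it only on a host already isolated from the network.
#>
param(
    # KB ids that satisfy MS17-010 on this OS build; any one of them is enough.
    # Check the bulletin for other Windows versions.
    [string[]]$RequiredKBs = @('KB4012212', 'KB4012215'),
    # Report-only by default; -Remediate disables SMBv1 and blocks inbound SMB.
    [switch]$Remediate
)

$report = [ordered]@{}

# 1. Is the patch installed? Get-HotFix is a first check, not proof of anything.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID
$report.Patched = [bool]($RequiredKBs | Where-Object { $installed -contains $_ })

# 2. Is the SMBv1 server protocol still enabled?
$report.SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 3. Is anything listening on the SMB ports, and does a firewall rule block them inbound?
$report.SmbListening = [bool](Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 445, 139 })
$report.InboundSmbBlocked = [bool](Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' })

# 4. Verdict: unpatched AND (SMBv1 on, OR SMB listening without an inbound block).
$report.Exposed = (-not $report.Patched) -and
    ($report.SMB1Enabled -or ($report.SmbListening -and -not $report.InboundSmbBlocked))

[pscustomobject]$report | Format-List

if ($Remediate) {
    # Stopgap only: this reduces exposure but does not replace the patch,
    # and it does nothing about a backdoor that is already on the box.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    New-NetFirewallRule -DisplayName 'Block inbound SMB (445/139)' -Direction Inbound `
        -Protocol TCP -LocalPort 445, 139 -Action Block -Profile Any | Out-Null
    Write-Host 'SMBv1 disabled and inbound SMB blocked; install the MS17-010 update before reconnecting this host.'
}
```

Without parameters the script only reports; with -Remediate it disables SMBv1 and blocks inbound 445/139 as a stopgap until the patch is on. Note what it does not do: it does not detect an existing infection or remove the backdoor, so for a host that was actually hit, wiping and rebuilding remains the only safe option.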
When you’re done and back up and running again, please read the final advice below.
“I don’t have backups”
Well, I could make this less painful for you, but that would only be prolonging the inevitable.
Simply put: you are screwed, big time!
Effectively you have only two equally painful choices: lose all your data and hope it doesn’t destroy your company, or pay up and hope the miscreants are nice enough to actually provide the keys to your data.
If they do, unlock your data, create backups immediately and continue by rebuilding and securing your entire network.
Do not simply unlock your data and carry on as if nothing happened. Remember there was a backdoor in that malware as well, which is probably still there.
When you’re done and back up and running again, please read the final advice below.
“I’ve been spared”
Congratulations: either you have patched all your systems, do not have all those Windows ports accessible from the Internet and have proper network segregation in place, or you were just plain lucky.
For all companies and organisations though, I have this final advice.
What to do next?
If your company or organisation really has its security set up correctly and takes due diligence seriously, just continue doing what you have always done. But don’t forget to improve your policies, procedures, standards and guidelines to further enhance your security posture.
This attack will be followed by others, similar or entirely different in nature, so constant vigilance is required.
If you have managed to restore your data, either from backup or by buying the key, or you were just plain lucky enough to escape the malware this time, please take note of the following:
you really need to do something about your security posture, attack surface and patch management, as well as security awareness training for your employees, especially senior management.
Yes, this is going to cost money, time and a lot of effort to set up right. If you were hit, you may finally see the necessity of good information security practices.
If you weren’t hit, just watch your senior management play the ostrich very, very well. Until the next strain of ransomware comes along and they ask you how this could happen, as they were spared last time, back in May 2017. Unfortunately that is usually what happens; just ask somebody from a company that was hit this time round for confirmation.
The sorry state of Information Security
For years and years I have been warning organisations I worked for in various capacities that if they did not take information security seriously enough, one day they would think back to all my advice and shake their heads in disbelief at why they hadn’t followed it back then.
Unfortunately, as massive as this outbreak may seem, this will not yet be that time, although the media coverage would have you believe otherwise, with a lot of so-called experts saying the worst is over now that everybody is aware of what is happening (BBC World News, 08:00 GMT, Monday May 15th 2017). I respectfully disagree.
This isn’t over yet, far from it.
This was one patch not applied and a series of ports left open to attack. If you were not hit, you can fairly easily follow the advice given by Europol or other reputable sources to mitigate the risks stemming from this particular attack.
The problem is that this will not be the last threat your organisation faces; I would bet on that, and I would certainly win.
Too many systems connected directly to the Internet and open to attack, too little money spent on really securing those systems, including finally demanding that software vendors take secure coding seriously, and the absence of a true security culture are all reasons why it went so horribly wrong this last weekend.
And yes, the senior management ostrich security policy doesn’t help either.
How many more of these massive attacks on our modern society, which fully depends on all these interconnected systems, does it really take for people to wake up and do what is right?
Instead of simply doing it because compliance and regulations demand it, which most of the time leads to half-hearted measures and ineffective security?
Why do you lock the physical doors of your office, install alarm systems and cameras, and hire security guards? Precisely to safeguard your office and equipment.
Then why are companies still not doing the same, in equal measure, at the largest perimeter available to miscreants: their Internet-connected networks?
If your company or organisation is willing to improve its security posture and is really interested in doing what is right for information security and privacy protection, please don’t hesitate to contact me.
On a side note: Microsoft is comparing the theft of a cyber weapon from the NSA to the US military losing a Tomahawk cruise missile. While the analogy seems apt in that the NSA probably meant its weapon to be used against specific targets, Microsoft clearly overlooks that the way it was used in last weekend’s attack bears no resemblance to a targeted attack, far from it.
To stay with the analogy, I would classify this as a cluster bomb: untargeted, spread over a wide area, and the person using the weapon does not care whom it hits.
The only difference is that companies could have protected themselves, unlike people on the ground, who can do nothing about a cluster bomb being dropped on their heads.