I recently had the opportunity to participate in a panel discussion with some fellow industry thought-leaders to discuss the latest unprecedented ransomware attack. On the panel with me were Brian Minick, CEO of Morphick, Sven Krasser, Chief Scientist at CrowdStrike, and RJ Gazarek, Product Manager at Thycotic. This enormous attack afflicted over 230,000 computers in more than 150 countries in a matter of three days.
On March 14th, Microsoft patched a vulnerability, originally disclosed in January, that allowed remote code execution. In April, a group called the Shadow Brokers released a trove of exploits collected by the National Security Agency. The exploit was then used in the creation of WannaCry. Friday, May 12th was the initial breakout of the WannaCry ransomware worm. By Monday, May 15th, WannaCry had crippled computers worldwide, primarily hitting computers running Windows 7.
How did Microsoft respond?
Microsoft offered a patch for this vulnerability two months before the WannaCry incident and encouraged organizations to apply this patch in a timely manner. They also created patches for unsupported systems. However, enterprises can take several months to several years to apply a patch due to dated embedded systems, testing, and certification requirements.
Is it over?
For most enterprises, patching is the primary defense against vulnerabilities. If nothing changes, then this is just the tip of the iceberg. Frequently, copycats mimic the original code writers by grabbing the original code and adding a new twist. We should expect to see many more similar attacks over the next few months.
How do you protect yourself in the future?
Enterprises have several unfavorable options to choose from once exposed to ransomware:
- Pay the ransom. This is not recommended because the attacker may not decrypt the files and you have identified yourself as someone who will pay ransoms.
- Do nothing and rebuild, taking a measurable loss.
- Restore from a deep, iterated, and tested backup held offline. This is the best option once you are infected.
- Hire an alternate resource for file decryption, and hope for the best. Some people have gotten lucky with decrypting the files, but you should not count on it.
However, the optimum course of action to protect yourself from data loss is to avoid the attack from the get-go. Perimeter-based security is not very effective. Next-generation security solutions are more effective. Strong network and system isolation / segmentation provides strong protection and can prevent spread after an initial infection.
To listen to the full podcast click here.