Fri, Jul 28, 2017

Is 2017 the Year of Malware Mayhem?

For the second time in as many months, a piece of ransomware software has crippled the systems of dozens of companies worldwide, proving the importance of having an effective Incident Response Plan (IRP) and consistent backup schemes.

On 12 May 2017, the WannaCry ransomware infection compromised over 200,000 systems in 150 countries worldwide, much of it within 24 hours of the first reported infection. The UK’s NHS was severely affected by this outbreak, as were FedEx, Telefónica, and Russia’s Interior Ministry. While the costs of a cyberattack are difficult to estimate, some experts have suggested the economic impact of WannaCry could exceed U.S.$4 billion.

Most malware infections occur via a drive-by web download or a phishing e-mail. WannaCry, by contrast, uses an exploit developed by the U.S. National Security Agency (called EternalBlue) which takes advantage of a flaw in the Server Message Block (SMB) protocol on systems that expose the service to the Internet; it then uses the same exploit to spread to other systems on the same internal network. This makes infection autonomous: no user interaction is required for the malware to compromise a system. After the malware infects a system, it encrypts files and then displays a message demanding a ransom of approximately U.S.$300 in Bitcoin if paid within three days, or twice that amount within a week, after which the files are irretrievable.
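The two network behaviours described above (SMB reachable from the Internet, and one internal host fanning out over SMB to many peers) are both visible in ordinary connection logs. The following Python script is an added illustration, not code from the original article: it runs two detections over a constructed sample flow log. The log format (timestamp, source, destination, destination port) and the internal address ranges in INTERNAL_NETS are assumptions for the example; a real deployment would read firewall or NetFlow exports and use the organization’s own ranges.

```python
"""Flag (1) hosts that accepted SMB (TCP/445) from outside the organization and
(2) internal hosts contacting many distinct internal peers on 445 in a short
window, the fan-out pattern of a self-propagating worm.  Added example; the
flow format and address ranges below are assumptions, not from the article."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445

# Assumed internal address space of the organization (example value).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow log (not captured from any real network).
# Fields: timestamp, source IP, destination IP, destination port.
# 203.0.113.7 is a documentation-range address standing in for an Internet host.
SAMPLE_FLOWS = """\
2017-05-12T10:00:00 203.0.113.7 10.0.1.5 445
2017-05-12T10:00:05 10.0.1.30 10.0.1.5 445
2017-05-12T10:01:00 10.0.1.15 10.0.1.20 445
2017-05-12T10:01:02 10.0.1.15 10.0.1.21 445
2017-05-12T10:01:03 10.0.1.15 10.0.1.22 445
2017-05-12T10:01:05 10.0.1.15 10.0.1.23 445
2017-05-12T10:01:06 10.0.1.15 10.0.1.24 445
2017-05-12T10:01:08 10.0.1.15 10.0.1.25 445
2017-05-12T10:01:09 10.0.1.15 10.0.1.99 80
2017-05-12T10:20:00 10.0.1.30 10.0.1.5 445
2017-05-12T10:40:00 10.0.1.30 10.0.1.5 445
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts),
                      "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport)})
    return flows


def internet_exposed_smb(flows):
    """Internal hosts that accepted an SMB connection from a non-internal source."""
    return sorted({str(f["dst"]) for f in flows
                   if f["dport"] == SMB_PORT
                   and not is_internal(f["src"]) and is_internal(f["dst"])})


def smb_fanout(flows, threshold=5, window=timedelta(minutes=1)):
    """Internal sources that reached >= threshold distinct internal hosts on 445
    within any `window`-long interval.  Returns {source: peak distinct targets}."""
    by_src = defaultdict(list)
    for f in flows:
        if (f["dport"] == SMB_PORT
                and is_internal(f["src"]) and is_internal(f["dst"])):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological; ties fall back to address order
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations in the window opening at this event.
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            findings[str(src)] = peak
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMB reachable from outside:", internet_exposed_smb(flows))
    print("Worm-like SMB fan-out:", smb_fanout(flows))
```

On the sample data the first check reports 10.0.1.5 (it accepted SMB from 203.0.113.7) and the second reports 10.0.1.15, which touched six distinct peers on port 445 inside one minute, while the file-server client 10.0.1.30 is ignored because it only ever talks to one host. The threshold and window are tuning knobs: management and backup hosts legitimately fan out over SMB, so a real rule would whitelist them rather than lower the threshold.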

Despite a lack of confidence that files would indeed be recoverable if payment was made, the authors profited well from this endeavor: according to one researcher, over U.S.$134,000 was paid to the authors to unlock files, indicating that many victims did not have appropriate recovery plans in place to mitigate the impact of this ransomware. The advice that followed this attack was similar to that given after previous breaches: ensure that

  • Systems receive all security patches wherever possible, or are otherwise quarantined to prevent the spread of infection
  • Your organization has an effective, tested Incident Response Plan in place to respond to cyberattacks
  • All critical files are regularly backed up so that they can be recovered in the case of unauthorized alteration or destruction

Unfortunately, IT departments in organizations of all sizes need time to adapt and change, and so less than eight weeks later, on 27 June 2017, another global cyberattack occurred, compromising at least 12,000 systems internationally. Dubbed widely by researchers and news outlets as “NotPetya”, “PetyaWrap” and “exPetr”, this attack uses the same “EternalBlue” exploit that WannaCry used to spread, indicating that even after patches were made available to close the attack vector, some companies had not yet been able to apply them in the wake of May’s attack.

What puzzles many researchers about this new piece of malware is that it does not appear to have been developed for financial gain: the Bitcoin address for ransom payments has been shut down, and there is little indication that the authors could provide a recovery key, even if a ransom payment was made. This indicates that it may be part of a new generation of cyberterrorism efforts designed to cripple global organizations.

Regardless of the intentions behind this and the inevitable future cyberattacks, it is critical that organizations plan for these threats and are prepared to deal with them, so that they are not crippled by these malicious actors.