What Can We Learn from a Summer of Ransomware?


Ransomware has been around now for almost a decade. But incidents in May and June took the threat to a whole new level as the worm-like WannaCry and NotPetya left a global trail of chaos and destruction behind them. Organisations big and small were hit; many are still recovering and the final financial fallout could be massive.

As any good IT security manager will tell you, it’s important to view such incidents constructively, so that if lightning does strike twice you’ll be properly protected the second time around. So what lessons can we learn from a summer of ransomware?

Two game-changers

WannaCry and NotPetya share some characteristics, but it’s important to draw distinctions between the two. The former landed on 12 May and was reported to have infected over 200,000 machines in over 150 countries worldwide in little more than a day. Why was it so rampant? Because it spread worm-like, searching for vulnerable systems and then exploiting a flaw in the little-known Windows Server Message Block (SMB) protocol, a bug that Microsoft had issued a fix for two months previously. The NSA should accept much of the blame, as its own leaked EternalBlue and DoublePulsar tools were a key component of WannaCry. If not for a kill-switch domain discovered and registered by researcher MalwareTech, infection rates could have soared. Some researchers have linked the threat to North Korea.

NotPetya infected machines via the same SMB exploit, EternalBlue, but also spread via a variety of mechanisms including the legitimate admin utilities PsExec and WMIC. However, the threat differed from WannaCry in that the ransomware itself is believed to have been a smokescreen for an attempt to disrupt and destabilise Ukrainian businesses ahead of the country’s Constitution Day (28 June). Researchers have claimed that the malicious code it employs makes victim machines completely unrecoverable, and that there is no way for the attacker to provide a decryption key. Some have linked the group behind it to Kremlin operatives, and say it spread globally over the VPNs of multinationals with operations in Ukraine.

Key takeaways

So, as the dust settles on both incidents, what can we learn?

Patch, Patch, Patch: The threats took advantage of an already fixed critical vulnerability in Windows, which many organisations still hadn’t patched. In fact, just last week a WannaCry variant is thought to have infected unpatched LG self-service kiosks in South Korea. That’s proof that even if a threat has disappeared from the headlines, it doesn’t mean it has stopped propagating.

Ransomware can cost a lot: Organisations are always urged not to pay the ransom if hit by this kind of malware, partly because there’s no guarantee of getting a working decryption key in return. However, even without factoring in the cost of the ransom, infected organisations will suffer serious disruption and service outages which could cost their reputation and finances dear.

Danish shipper Maersk has revealed NotPetya could end up costing the logistics giant up to $300m, while German drug-maker Merck claimed at the start of August that some manufacturing operations were still offline. UK-based Nurofen and Durex manufacturer Reckitt Benckiser said in a statement in July that it now expects “like-for-like net revenue growth” for the year to be 2% rather than the originally predicted 3%, possibly resulting in a £100m hit.

Even the biggest names can suffer: If big-name multinationals like the above firms can be caught out, then SMBs are certainly at risk from ransomware attacks and should invest now to mitigate the associated risks.

Collateral damage is an issue: These threats showed us that ransomware can be rocket-fuelled with worm-like capabilities to help it spread. Even if your organisation was not earmarked for targeting it could be caught in a future outbreak, as the NHS found to its cost during WannaCry.

Fines are on the way: Things could get even more expensive for organisations which don’t fortify their systems adequately against ransomware infection. Such an attack would be considered a data breach under the GDPR if you can’t restore the data, while it would also contravene the new NIS Directive for critical infrastructure providers. Both will carry maximum fines for non-compliance of £17m or 4% of global annual turnover, whichever is higher.

Stay secure

There’s no silver bullet when it comes to ransomware protection. But given the multiplicity of ways it could enter the organisation, consider a multilayered approach to threat defence, combining perimeter controls such as next-generation firewalls and email gateway security. Behavioural analysis and sandboxing are important to spot the more advanced threats.

Network segmentation is also key to halting the spread of ransomware if it manages to enter the organisation, while end-user education can stop employees clicking on tempting-looking links or opening ransomware-laden attachments in phishing emails. Combine this with effective, automated patch management and scan your apps regularly for any vulnerabilities. Finally, backups are essential: ensure you have at least one copy backed up offline so it’s not in danger of also being infected.
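Both worms described above propagated over SMB, so a quick check of SMB exposure is a practical first step towards the patching and segmentation advice here. The script below is an added example, not code from the article; it assumes a Windows 8.1 / Server 2012 R2 or later host with the SmbShare and NetSecurity PowerShell modules and an elevated session.

```powershell
# Added defensive audit example (not from the article). Assumes Windows 8.1/2012 R2
# or later with the SmbShare and NetSecurity modules; run from an elevated session.

function Test-Smb1Enabled {
    # SMBv1 is the legacy dialect the article's worms abused; it should be off.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Get-InboundSmbAllowRules {
    # Enabled inbound firewall rules that allow TCP 445 (SMB) from any remote
    # address, i.e. hosts reachable by a worm scanning the network for SMB.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $portOpen = ($port.Protocol -eq 'TCP') -and
                    ($port.LocalPort -eq 'Any' -or $port.LocalPort -contains '445')
        if ($portOpen) {
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -eq 'Any') { $rule }
        }
    }
}

$findings = @()
if (Test-Smb1Enabled) {
    $findings += 'SMBv1 server protocol is enabled; disable it unless a legacy dependency requires it.'
}
$open = @(Get-InboundSmbAllowRules)
if ($open.Count -gt 0) {
    $names = ($open | ForEach-Object { $_.DisplayName }) -join ', '
    $findings += "Inbound TCP 445 allowed from any remote address by: $names"
}

if ($findings.Count -eq 0) { 'No SMB exposure findings on this host.' } else { $findings }
```

Workstations that are not file servers rarely need to accept SMB from arbitrary peers; scoping those rules to management subnets is one concrete form of the segmentation the article recommends.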

With the right strategy and tools at your disposal, it’s possible to avoid most ransomware without spending a fortune.

Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.

