It’s around a year since the notorious ransomware campaign nicknamed WannaCry shook the world. Over that time, organisations have had plenty of time to work out what went wrong and plot a course to a more resilient future. But have the lessons actually been learned? After all, corporate victims are still emerging on a fairly regular basis. According to some, the ransomware threat itself is slowly tapering off. But if that’s true, it’s no cause for celebration. It means the black hats have merely found another way to make money, and if they have, attacks will continue to arrive via email.
A $4 billion problem
WannaCry was such a good cautionary tale that an information security professional couldn’t have written it better. Exploits stolen from the NSA and leaked by suspected Kremlin hackers were picked up by North Korean state-sponsored hackers and used to spread ransomware in a worm-like campaign, presumably designed to harvest much-needed funds for the Kim Jong-un regime. The plan failed largely thanks to the discovery of a “kill switch”, but not before hundreds of thousands of computers around the world were infected. Victim organisations that should have known better included the NHS, Deutsche Bahn, and Telefonica. One risk modeling firm claimed the losses could reach $4bn.
One of the exploits in question targeted unpatched Microsoft Windows SMBv1 servers. Security experts have been urging IT managers to patch promptly for years, and here was a vulnerability for which an update (MS17-010) had been available since March 2017, still catching out organisations two months later. The result in the UK was a “category 2” (C2) attack, the most serious to date to hit the country and one which required a co-ordinated cross-governmental response. C2 attacks differ from C1 threats in that there’s no risk to life, but it’s easy to see how future attacks could be more serious still. After all, the NHS was widely affected in a blitz which led to the cancellation of an estimated 19,000 appointments and operations.
Crucially, in March and April 2017, NHS Digital had issued critical alerts warning NHS organisations to patch their systems. Their failure to do so promptly was replicated across the globe.
Are things changing?
Now the dust has settled, can we say with any confidence that organisations have learned their lessons? The NHS has been given more funding, so something positive has come from the incident, but it will need to spend that money wisely. And since May 2017, organisations have continued to be caught out by ransomware. In fact, Boeing computers are said to have become infected with WannaCry in March 2018, ten months after the original outbreak: another reminder that patching remains patchy.
According to one estimate, the number of exposed SMB servers stands at around 500,000 globally — around the same as it was in June 2017. This is frustrating news. Patching remains a fundamental best practice step which could at one stroke mitigate the majority of threats facing organisations. In fact, the overall advice on how to tackle ransomware remains pretty basic:
- Regular patching of key systems
- Backing-up of mission-critical data, according to the 3-2-1 rule
- AV from a trusted vendor
- Anti-phishing tools
- Staff training to prevent employees from clicking through in phishing emails
There is more, but these basics should see most organisations stand a good chance of staying resilient. Yet nearly a third (30%) of EMEA IT security practitioners Barracuda Networks spoke to recently said they had fallen victim to a ransomware attack, with 75% claiming the attack originated via email. On a positive note, 81% of those that were hit claimed not to have paid the ransom.
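The first item on that list is the one WannaCry actually tested: whether SMBv1 was still listening and whether MS17-010 had gone on. The PowerShell below is an added example (not code from the original article or from any vendor it mentions) for auditing a single Windows host for that exposure and switching SMBv1 off. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later, where the `SmbServerConfiguration` cmdlets exist; the `$Ms17010Kbs` list is the bulletin's per-OS security updates for the 2017-era versions and should be confirmed against the bulletin for the versions in your estate, since Windows 10 received the fix inside cumulative updates that `Get-HotFix` may not list under those IDs.

```powershell
# Added example: audit SMBv1 exposure on this host and disable it if found.
# Not part of the original article; run in an elevated PowerShell session.

# MS17-010 security updates for the OS versions WannaCry hit hardest.
# Verify against the bulletin for your own OS mix before relying on this list;
# on Windows 10 the SMB1 status check below is the more reliable signal.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Vista / Server 2003 / Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216'   # Windows 8.1 / Server 2012 R2
)

function Get-Smb1Exposure {
    # Builds a report for this host. "Exposed" means the SMB1 server component
    # is still enabled, regardless of patch state: an old protocol listening
    # on 445 is an attack surface whether or not this month's fix is on.
    $cfg = Get-SmbServerConfiguration
    $hotfixes = Get-HotFix

    $kbFound = $hotfixes |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Rough freshness signal: anything installed on or after the MS17-010
    # release date (14 March 2017). InstalledOn can be empty on some builds.
    $sinceFix = $hotfixes |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = [bool]$cfg.EnableSMB1Protocol
        Ms17010KbFound        = ($kbFound -join ', ')
        UpdatesSinceMarch2017 = @($sinceFix).Count
        Exposed               = [bool]$cfg.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    # Turn off the SMB1 server side and, on SKUs that ship it as an optional
    # feature, remove the feature so a later change cannot quietly re-enable it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
}

$report = Get-Smb1Exposure
$report | Format-List

if ($report.Exposed) {
    Write-Warning "SMB1 is enabled on $($report.ComputerName); disabling it."
    Disable-Smb1
}
```

Run the audit half on its own across an estate first (for example through `Invoke-Command` against a list of hosts) before letting the remediation half run, because a handful of legacy devices such as old multifunction printers still speak only SMBv1 and will lose access when it is turned off; the point of the exercise is to find those and isolate or replace them, not to discover them by outage.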
Perhaps the most disquieting news is not that organisations are still not learning the lessons of WannaCry, but that the hacking community is refocusing its efforts. A recent FBI report claimed that it received just 1,783 ransomware reports last year, linked to losses of only $2.3m. This could be because of a fall in reports, but more likely is indicative of a rise in other attack methodologies which have a better ROI.
That same FBI report claimed Business Email Compromise (BEC) was the highest money-maker for hackers last year, netting over $676m. Other reports have claimed that crypto-jacking malware is increasingly being spread by attackers looking to harvest corporate computing power to make money. One estimate claimed botnet herders could make as much as $100m per year.
It all adds up to one thing: a continued focus on email-borne threats, usually in the form of attacks employing phishing techniques. It’s the perfect strategy for cyber-criminals as it targets what in many cases is your weakest link: your staff. That’s why anti-phishing tools and improved staff training initiatives are another essential first step towards combating the online threat. By all means look at advanced AI-powered technologies, web firewalls and the like, but get the basics right first.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.