This time last year IT teams across the globe were working to mitigate the damage of the WannaCry ransomware attack by deploying patches, disabling SMBv1 and recovering files. On this anniversary, it is worth a reminder of the damage caused and how to avoid ransomware risks today.
What was the WannaCry Ransomware?
In May 2017, a new strain of the Ransom.CryptXXX (WannaCry) ransomware began spreading globally, affecting a large number of organizations. WannaCry encrypted data files and asked users to pay a ransom in bitcoins. The ransom note indicated that the payment amount would be doubled after three days. If payment was not made after seven days, the encrypted files would be deleted.
It was later learned that the bitcoin accounts were abandoned, and there never was an automated decryption process, so paying the ransom was pointless. Recovery from backups was, and typically is with ransomware, the best course of action.
How Did WannaCry Spread?
WannaCry had the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability at the time in Microsoft Windows. Computers which did not have the latest Windows security updates applied were at risk of infection.
According to Microsoft, “A month prior, on March 14 , Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”
How was WannaCry Stopped?
At the time, applying the most recent Microsoft patches to environments helped protect computers from WannaCry infections. Another immediate remediation plan was to disable the specific system protocol known as SMBv1 to mitigate the risk of infection in relation to WannaCry.
Lessons Learned from WannaCry?
Here are a few we can share:
Backups Enable Ransomware Recovery: In ransomware situations, backups (Eze Vault) are the only way to recover files from an attack. With WannaCry, there was no automated decryption process, so even if the ransom was paid files are not returned/decrypted.
Firms must conduct regular backups and test them to ensure a seamless and proper restore is possible.
Patch + System Updates are Critical: As Brad Smith, president of Microsoft, wrote, “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Firms should have a plan or patch management program to help ensure patches are applied in a timely manner.
Old Technology Can Be Dangerous: Helping WannaCry spread was outdated technology, including computers running the 16-year old operating system Windows XP (end of support: April 2014). As Smith noted, “It's worth remembering that Windows XP not only came out six years before first iPhone. It came out two months before the very first iPod.”
As WannaCry showed us, the risk of using legacy technology largely outweighs the benefits. By not upgrading, firms are potentially risking everything. As patches and bug fixes are no longer being provided, hackers have an unguarded entrance to access a firm’s environment. This not only increases the firm’s odds of being hacked, but also raises the gravity of ensuing damages should an incident occur.