It is May 12th, and today marks the fifth anniversary of the WannaCry ransomware attacks. Five years on, ransomware attacks continue to proliferate and cause widespread societal disruption and loss.
Below, VMblog is sharing insights from a few cybersecurity industry experts.
++
John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company:
The one thing that sticks out with the anniversary of WannaCry is that despite a land invasion in Ukraine by the Russian Federation, we haven't seen a similar attack by Russia. They have a history of destructive malware attacks and now have the geopolitical impetus to launch them; we just haven't seen it. The era of worms is not over, certainly while our patching significantly lags the exploit development cycle. Log4j, for instance, shows we haven't evolved much on getting systems, especially legacy or embedded/IoT systems, patched and hardened. Since then, ransomware has been top-of-mind for business leaders, but considering the pace of news of companies falling victim to ransomware, I'm not sure much resilience has been increased in the general business community.
++
Stan Black, CISO at Delinea, a Redwood City, Calif.-based provider of privileged access management (PAM) solutions:
The 2017 WannaCry ransomware attack sent shockwaves globally, impacting hundreds of thousands of computers and devices and leaving billions in damages in its wake. Little did we know then that it was just the start of a rise in more sophisticated, widespread, and detrimental ransomware attacks. Since then, we have seen a steady stream of high-profile ransomware victims, along with a rise in the number of ransomware groups offering ransomware-as-a-service (RaaS).
WannaCry taught all organizations some important lessons. The main one is that no matter how much you spend on your defense mechanisms and protecting your perimeter, you can be exposed from within if your technology and systems are old, outdated, or left unpatched. Poor internal cyber hygiene leaves the door open for malicious actors.
As we look towards the future, there are several initiatives organizations can implement to limit their exposure to such threats. One is segmentation, essentially putting in place technical guardrails that separate one business function from another. This minimizes the unchallenged propagation of malicious actors and malware. Another best practice is to identify all critical assets, which are most commonly targeted for attacks, and perform frequent incremental backups in the event a system recovery is needed. Strong multi-factor authentication and privileged access controls are also obvious components.
Every user is now a privileged user with access to sensitive systems and data. Organizations should consider a least privilege approach to access, limited to only what is required for the job function or task. While it will not help increase operational readiness, organizations should also always be prepared for the worst-case scenarios with a cyber insurance plan in place to cover any losses.
Ransomware attacks continue to proliferate today. While the U.S. government and other federal agencies around the world work to implement measures to prevent ransomware attacks and prosecute those who partake in such activities, successfully mitigating ransomware attacks requires a host of combined initiatives. This includes implementing security controls founded in least privilege and Zero Trust, the creation of a security-first company culture and employee training, robust threat detection and response, collaboration between public and private sectors, and, most importantly, operating on the mindset that it is not 'if' cybercriminals will attack but when.
++
Matthew Warner, CTO and Co-Founder at Blumira, an Ann Arbor, Mich.-based provider of automated threat detection and response technology:
Ransomware is a major focus for organizations today, but that wasn't always the case. The WannaCry attack was arguably the first big uncontrolled outbreak of ransomware, and sparked real concern - as well as media buzz - that previous attacks hadn't. WannaCry and its related offshoots such as Petya (and NotPetya the wiper) helped organizations to realize the business impact of ransomware.
The time period around the WannaCry attack was tumultuous for defensive security. Most people remember that WannaCry was the first global shot across the bow for ransomware across the public, but it was not only driven by a leak of NSA hacking tools but also exposed a vulnerability in Windows that had existed since Windows 2000. In mid-2016 a group calling themselves The Shadow Brokers announced that they had stolen a large number of tools from an NSA-linked group called The Equation Group and would be auctioning them off. Over the next six months, The Shadow Brokers collected over 11 bitcoins and released a variety of information in tranches until April 2017, when they released a large number of new tools and exploits, including ETERNALBLUE, a nation-state created SMB exploit, to the internet as a whole.
The technical impact of WannaCry has also lasted far beyond 2017. While Microsoft had released a patch for ETERNALBLUE in March 2017, many had not patched, and WannaCry utilized this exploit in May 2017 with great success. Unpatched MS17-070 can be found in internal networks with legacy applications today.
What WannaCry did was reinforce the need for evaluation of what the attack surface was for organizations. WannaCry was a reminder that exposing SMB to the internet was not necessary and helped ETERNALBLUE spread quickly. Similarly, WannaCry exposed the need for segmentation to prevent worms such as WannaCry from moving laterally across networks.
Most importantly, the need for better IT hygiene, processes to build up security maturity, and the desire to prevent ransomware all require additional budget and buy-in from the organization itself. In 2017 ISC2 estimated that there would be a 1.8 million worker gap by 2022; in 2021 the actual gap reduced from 3.12 to 2.72 million people. The industry, tooling, and need for skilled people have grown quickly across the last 5 years as it has globalized and improved. There is forward motion on security maturity across all sizes of organizations, but as Log4Shell proved in 2021, there is more work to do as we all grow together.
++
Tim Wade, Deputy CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company:
First, WannaCry was among the first widely publicized recent ransomware events that alerted even non-technical, non-practitioner stakeholders to how dangerous and damaging this threat could become. Second, weaponization of WannaCry could be traced directly back to leaked Nation State toolkits, demonstrating that sophisticated adversarial tradecraft was increasingly becoming commoditized among lower-tier operators. This was something of a wake-up call to security programs that were interested in continuing the status quo, and underscored the need for more proactive security measures - the days of throwing up a firewall and calling that a security program had come and gone.
Ransomware today is perhaps better described as RansomOps, as it's driven more by the modern, interactive tactics of human operators than by the programmatic, semi-guided logic of a wormable payload like WannaCry. This is an important distinction to make because it informs the ways enterprises must defend themselves. In the cases of prior generations of ransomware, the time between infection and ransomware payload delivery was short and the avenue of attack was somewhat predictable, which meant your security controls (often an endpoint capability of some sort) either cleaned up the mess on the spot, or you found out pretty quickly there was a problem. Modern ransomware gangs, however, tend to lurk in the environment for much longer to extract as much value as they can, before finally alerting defenders to the compromise by encrypting or destroying data. This means dwell times of days or weeks before ransomware payloads go down are common - which in turn means that by the time you detect a ransomware payload, it's often far, far too late. The current state of ransomware today, from the standpoint of a modern network defender, is one that focuses on all of the attacker tradecraft that occurs before the ransomware appears, ranging from the detection of command and control signals to identification of misused and abused credentials - it's a race to find and expel the adversary before they establish the persistence necessary to pick apart the enterprise at their leisure.
++
Ariel Parnes, co-founder and COO, Mitiga, a cloud incident response company:
"In May 2017, the WannaCry ransomware cryptoworm attack targeted computers running Microsoft Windows, encrypting data and demanding ransom payments in Bitcoin. Leveraging the EternalBlue exploit that the National Security Agency developed for older Windows systems, it was effective against organizations that had not implemented patches for the exploits or were still using old Windows systems that were no longer supported by Microsoft. Some estimated that the attack impacted more than 200,000 computers in at least 150 countries, with damage costs ranging from hundreds of millions to billions of dollars.
Five years later, how would the world respond to a massive attack like WannaCry? Are we more ready now to respond to a similar incident? As we know, patching vulnerabilities can be a time-consuming and complex process today too: just look at the number of organizations that have yet to patch Log4Shell four months after it was announced. Not only that, but patching alone isn't enough to stop attackers. They may have already used a vulnerability to gain access to an environment, and too few organizations conduct regular proactive threat hunting.
To ensure that organizations today are prepared for a global cryptoworm like WannaCry, they need to think beyond prevention solutions. While those solutions are a valuable and necessary part of cybersecurity today, organizations should adopt an approach that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach to address the changing capabilities and attack vectors of threat actors, we are still as vulnerable as we were five years ago."
++
Ian Farquhar, Field Chief Technology Officer at Gigamon, a leading deep observability company:
"We're fast approaching the fifth anniversary of WannaCry, which has now become 'Anti-Ransomware Day'. What is clear in the five years since the devastating worldwide cyberattack is that a significant cultural shift around attitudes to cybersecurity breaches is yet to occur. Instead of fostering industry-wide collaboration and enabling the transparency needed to tackle the complexity of ransomware attacks, the blame culture, with constant finger pointing and criticism from the side-lines, is rife and on the rise. This culture is also undoubtedly accelerating the 'Great Resignation', leaving organisations with even larger digital skills gaps and fewer resources to properly secure their infrastructure. Security professionals are at breaking point, with 54% in the U.S. saying they currently want to quit their jobs due to overwhelming amounts of responsibilities and workforce shortages. And with ransomware groups like Lapsus$ typically preying on disgruntled and stressed employees, offering financial incentives to enable intrusion, the industry needs to change fast.
Rather than adding to the blame culture experienced most acutely by Infosec teams and their CISOs (held responsible when ransomware attacks occur), we should be calling for transparency and Zero Trust, which can only be truly achieved through deep observability. In organisations, data moves far and wide, and very few organisations can honestly claim that they have a complete handle on where their sensitive data is: for example, BYOD, OT and removable storage devices can all contain sensitive data which may not be protected by the typical EDR solutions. The best way to tackle ransomware and help prevent future attacks on such a large scale as WannaCry is through deep observability, which provides total insight into the ransomware groups' actions. This same capability will allow organisations to also target the actions of non-ransomware operators: insider threats and nation state actors.
It's a difficult world we are facing right now, but by enabling transparency we can ensure a more secure future."
##