Talk about the worst day ever. On May 12, 2017, and the days immediately following, over 200,000 systems in 150 countries were affected by the WannaCry cyber attacks. A ransomware attack primarily targeting the health care industry, the evil worm also known as Wana Decryptor is bitter proof the global ransomware epidemic is no joke.
WannaCry’s impact was genuinely scary, forcing hospitals in the United Kingdom and elsewhere to divert emergency patients. While the UK National Health System was among the most affected, countless internet-connected medical and monitoring devices around the globe were rendered useless the moment their critical system files were locked. And just when we thought the worst was over, the Petya ransomware launched its assault a month later.
For many IT pros worldwide, WannaCry and Petya necessitated a leap into action. Jennings Aske, vice president and CISO at New York-Presbyterian Hospital, immediately evaluated all controls to mitigate the possibility that medical monitoring technology would be affected, for instance. And while they’ll likely fade away as scary security memories, the aftermath of the WannaCry and Petya attacks should still spark conversations among all IT pros about how bad ransomware has become and how IT security needs to adapt to lock down all risks threatening the business.
#ICYMI: The WannaCry cyber attacks
We’re not sure how you could’ve missed it, but here goes: WannaCry is far more dangerous than other common ransomware types due to its ability to spread across an organization’s network by exploiting critical vulnerabilities in Windows computers. Microsoft patched the specific vulnerability targeted (security bulletin MS17-010) in March 2017, so make sure your business’s computers are fully up to date to stay protected.
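As an added example (not code from the original post), here is a quick PowerShell audit of a single Windows host for the conditions WannaCry exploited: the MS17-010 fix and the SMBv1 protocol it targeted. It assumes an elevated PowerShell 5.1+ session on Windows 8.1/10 or Server 2012 R2+, and that you pass the KB numbers the MS17-010 bulletin lists for that host's build (the `$Ms17010KBs` parameter and its sample values are this example's, not the post's).

```powershell
<#
  Added example: audit this host for the WannaCry attack conditions.
  Assumptions: run elevated; KB numbers differ per OS build and later
  cumulative updates supersede them, so read "KB not found" as "verify",
  not as "vulnerable". On Server editions the SMB1 feature is checked with
  Get-WindowsFeature FS-SMB1 instead of Get-WindowsOptionalFeature.
#>
param(
    # KB ids from the MS17-010 bulletin for this build, e.g. for
    # Windows 7 SP1 / Server 2008 R2: 'KB4012212','KB4012215'
    [Parameter(Mandatory = $true)][string[]]$Ms17010KBs
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. Is one of the MS17-010 updates (or a superseding one) installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = $Ms17010KBs | Where-Object { $installed -contains $_ }
if ($found) {
    Write-Host "MS17-010: installed ($($found -join ', '))"
} else {
    Write-Warning "MS17-010: none of $($Ms17010KBs -join ', ') found; confirm a superseding cumulative update is present"
}

# 2. Is the SMBv1 server protocol, which the MS17-010 exploit abuses, still on?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED; disable it unless a legacy device truly needs it"
} else {
    Write-Host "SMBv1 server protocol: disabled"
}

# 3. Are the SMB1 client/server binaries still installed as an optional feature?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state: $($feature.State)"

# 4. Is SMB (TCP/445) listening? If so, segmentation and host firewalls must limit who can reach it.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    Write-Host "TCP/445 is listening; verify inter-segment and perimeter firewalls block it"
} else {
    Write-Host "TCP/445 is not listening"
}
```

Run it across a fleet with a remoting wrapper to find the one unpatched machine the post warns about; a single miss is enough for the worm to spread.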
How does it work? WannaCry ransomware searches for and encrypts 176 important system files by converting the file format to .WCRY—presumably an abbreviation for WannaCry or Wana Decryptor. Users are then hit with a system message that informs them of the “oops” and asks for a ransom that amounts to $300 to be paid in bitcoins. An additional warning threatens that the price will double in three days and files will be deleted in a week’s time. While no reports have surfaced of deleted files, the rapid spread of the virus within organizational networks and around the globe is 100 percent worth sweating over.
Don’t believe it? Imagine your typical Friday. For IT, Fridays are usually relaxed—or at the very least, tolerable. But that wasn’t the case on May 12 for many health care IT pros. Symantec reports that starting at around 8:00 GMT, there was a drastic upsurge in exploit attacks. The pattern of attempts dropped slightly over the weekend, hit full force as people returned to work on Monday, May 15, and reached an all-time peak on Wednesday, May 17.
In a blog post, Microsoft Cyber Defense Operations Center General Manager Adrienne Hall wrote, “some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations.” While Microsoft’s patch had been released a few months prior, it wasn’t universally applied—and a single unpatched system could render an entire network open to WannaCry.
Petya targets Ukraine
Just as the chaos of WannaCry started to die down, Petya came swinging into life on June 27, 2017. This attack marked another massive surge of encrypted files and ransom demands via the Petya virus. Petya is technically classified as a “wiper,” meaning the ransom paid in bitcoins doesn’t actually decrypt the files. Even worse, more than 60 percent of the affected systems were in Ukraine, including electrical supplies and the country’s central bank, leading infosec expert Matthieu Suiche to speculate it was something even darker than ransomware. Suiche explained that pretending to be a ransomware while being a nation-state attack in disguise is a subtle way to control the narrative of the attack.
Between WannaCry and Petya, it’s clear that ransomware is on the rise, and you can blame it on an emerging industry known as Ransomware as a Service. Sharp, criminally minded coders have discovered how to sell their malware to “distributors,” while getting a percentage of the ransoms paid by victims. The growing financial motive to create nasty worms, like WannaCry, or operate on the distributor side of this business is impacting the volume of attacks on organizations, employees, and even health care patients around the globe.
Key findings from Kaspersky Lab’s Ransomware in 2016–2017 analysis confirm that ransomware is growing even faster than malware overall. There’s a trend toward targeted ransomware attacks where demands may exceed half a million dollars. Petya may also foreshadow a future in which wipers, which destroy files outright, overtake ransomware’s threat to delete your files if a ransom goes unpaid.
In short, everything you learned (and teach) in IT Security 101 still rings true: Patch everything the moment you can, and don’t forget about the old system or legacy equipment in the corner that hasn’t been patched in months. Don’t underestimate your endpoints, either. A barely used commodity server or your mail room printer could be a ransomware distributor’s dream come true.
One last tip: Many experts recommend network segmentation, which isn’t a foolproof method of mitigating network-wide ransomware encryption, but it still has value, as you want to limit network connectivity as much as possible. With careful network architecture, smart configuration of technical safeguards, and adoption of self-healing technologies, you can ensure ransomware doesn’t get far.