Anti-Ransomware Awareness Day: Re-examining WannaCry 5 years on
On May 12th, 2017, a group of hackers launched the now-infamous WannaCry ransomware attack, infecting over 200,000 computers across 150 countries. Considered one of the most damaging cyber attacks to date, WannaCry is arguably the one that has had the most profound impact on the cybersecurity world by bringing the role of cyber resilience and accountability to the forefront of people’s minds.
The disruption and fallout of WannaCry also highlighted the seriousness of the consequences of getting it wrong, particularly where it poses a risk to life in the real world. Following the attack, heightened scrutiny and new data protection regulations meant that, if negligence can be shown, companies could face hefty GDPR fines (4% of global revenue) or legal action.
While cyber extortion is the most typical goal of ransomware groups, in the case of WannaCry the mission was to cause maximum destruction and damage. The self-propagating malware, which has been attributed to North Korean computer programmers, rapidly spread across the globe infecting and destroying data on hundreds of thousands of computers.
In the UK, more than 80 hospital trusts and 8% of GP practices were majorly disrupted by the attack, which led to an estimated 19,000 appointments being cancelled across a one-week period. The attack cost the NHS an estimated total of £92 million through services lost during the attack and IT costs in the aftermath.
The attack was eventually stopped by a 22-year-old hacker, Marcus Hutchins, who discovered and triggered a kill switch that neutralised the global threat. However, this wasn’t the end of the line for WannaCry and the malware remains active to this day.
While the WannaCry attack might seem like ‘old news’, there has been a resurgence of the ransomware. From January 2021 to March 2021, WannaCry ransomware attacks rose 53%. In this new variant, the previously identified kill switch has been removed. Organisations that haven’t patched the EternalBlue issue are still at risk of being attacked. So, what did we learn from WannaCry?
5 Lessons learned from WannaCry
1 – Keep software updated
Keeping systems up to date should be a priority. Following the attack, it was revealed that hundreds of thousands of computers had been running Windows XP unpatched; it was this safety misstep that allowed WannaCry to infect systems. Organisations must ensure effective management of their technology infrastructure, systems and services, including adequate patching of devices and systems, sufficient network security and the replacement of unsupported software. Organisations cannot be complacent when it comes to cybersecurity.
2 – Adopt a proactive mind-set
Patching alone isn’t enough to stop malicious and increasingly sophisticated threat actors. Cyber criminals are using advanced techniques to hide from threat hunters and defenders so that they can exploit emerging vulnerabilities for which patches don’t yet exist. Organisations need to adopt a proactive approach to cybersecurity, or cyber resilience, to ensure that essential functions and operations can continue even if a cyber criminal has penetrated defences and compromised digital assets.
3 – Utilise better threat detection
When ransomware worms its way past your defences, damage is measured by the time taken to detect, investigate, contain and resolve the threat. The longer your exposure, the greater the incident impact. It’s more efficient to stop a ransomware attack before it has a chance to do any damage. Having 24×7 managed detection and response can help reduce the time taken to detect and deal with threats by up to 80% compared with a traditional MSSP. In addition, organisations can augment expert monitoring with an automated threat detection system.
4 – Regularly back up data
To prevent ransomware disrupting business operations, it’s vital that organisations regularly back up company data. If a cyber incident occurs, the organisation will be able to quickly fall back on a recent backup version. Although this won’t protect you from attack, it will help minimise the fallout and lessen the impact. It also means the organisation won’t have to pay the ransom to retrieve their data and can avoid the task of restoring systems back to a previous version.
5 – Improve employee cyber awareness
Often, ransomware attacks are the result of poor employee cyber awareness or bad habits. For example, employees may use easily guessable passwords or the same password for multiple accounts. Organisations can mitigate this risk by providing employee training and running regular attack simulations and digital health check-ups to see if their employees are practising good cyber hygiene. Employees need to know what steps they can take to reduce the likelihood of a ransomware attack succeeding.
Of course, accidents can and do happen, but this risk can be reduced through ongoing training and measures in place to prevent slip-ups, e.g. multi-factor authentication, the principle of least privilege, and the scanning and monitoring of emails and files for suspicious activity.