Perspective: WannaCry Ransomware

May 17, 2017 - Another day, another devastating cyber incident with global reach that is leaving companies and organizations around the world reeling.  Isn’t that how the expression goes?  If not, it sure does feel like it.  This is probably due to the saturated news coverage the WannaCry ransomware variant has received (and other large attacks before it) since its debut last Friday when it forced Britain’s public health system to send patients away, froze computers at the Russian Foreign Ministry, and infected more than 250,000 computers in over 150 countries, including hundreds of large corporations.  While already one of the worst cyber-attacks in the last couple of years, the bad news is that this is probably just the beginning.  At the time of this post, it is very likely that some of the sloppier design aspects of WannaCry - such as the inexplicable “kill switch” baked into its code or its three Bitcoin wallets that allow observers to track its profitability in real-time – have already been modified to improve its lethality and stealth for use in future iterations.  It is therefore not hyperbole to say that descendants of this variant such as Uiwix may have the potential to collect more victims than its forbearer and eventually be more difficult to track.

The dynamic nature of this extortion pandemic and the constant updates flooding its technical details and attribution are well underway. Liberty Advisor Group and our Business Threat Intelligence team are actively supporting affected clients by providing real-time threat monitoring and augmenting their response capabilities through timely intelligence of the relevant indicators tied to WannaCry as well as other threats to their operations and supply chain.  During periods of rapid uncertainty such as this, business threat intelligence is well-positioned to provide clients early warning of the emerging precursors and techniques used by malicious actors and the malware they propagate.  This can result in proactive detection and mitigation before it’s too late.

Liberty Advisor Group strongly encourages organizations to follow the below industry standard recommendations to prevent pandemic ransomware threats like WannaCry and other malware campaigns from spreading:

  • Follow best practices by ensuring appropriate TCP/IP ports relevant to threats are closed to inbound traffic.  In the case of WannaCry, organizations with SMB publicly accessible via the Internet should configure their firewalls to close Ports 139 and 445.
  • Ensure use of actively supported operating systems and monitor vendor security announcements for updates.  It has been well-reported that high profile victims of WannaCry in the healthcare space had been using legacy systems running Windows XP and other sunset software.
  • Ensure organizational processes in place for effective and timely patch management for all endpoints and other critical systems throughout the network.  Microsoft released MS17-010 on 14 March 2017 yet many victimized firms had never gotten around to implementing it.
  • Deploy advanced anti-malware software and preventative controls like intrusion prevention and ensure receipt of regular malware signature updates.
  • Ensure back-up of critical data and systems and kept off-line.  Make sure disaster recovery plan in place and ensure tests conducted with regular cadence.