
Ransomware Retrospective: A look at WannaCry and its impact on business data

The WannaCry ransomware attack made international headlines earlier this year when businesses around the world, including several hospitals in the UK and Russia’s interior ministry, lost access to their computers and data. Unlike some malware, WannaCry had a specific objective: to hit as many high-profile targets in as little time as possible in order to maximise the impact – and the spectacle – generated by the attack.

But the most alarming feature of the WannaCry attack wasn’t necessarily the choice of targets – it was the fact that it could be spread by sending a specific packet to a targeted SMBv1 server, effectively locking down an entire network with a single packet. In this blog, we’ll look at how that happened, and what we can learn about WannaCry’s impact on business data.

A One-Two Punch

WannaCry was something of a one-two punch. The ransomware element was essentially the standard nasty stuff: infected machines were locked down and their files encrypted, with a demand for $300 worth of Bitcoin in exchange for decrypting them. In fact, while those responsible for the attack reportedly cleared half a million US dollars in a matter of days, there’s no evidence that anyone who paid up actually had their files restored.

What made WannaCry so powerful was the way it spread. It exploited a vulnerability in the Server Message Block (SMB) protocol present in virtually every edition of Windows before Windows 10, meaning that once it got onto a computer, it could spread to every vulnerable system on the network within moments. As a result, it was able to hit an estimated 230,000 computers around the world within a day.

It was particularly devastating to organisations that failed to keep computers patched, often because of the perceived logistical headache of applying updates without disrupting ongoing work. Microsoft was, in fact, aware of this vulnerability, and had deployed a patch on March 14, 2017, which was sadly too late to prevent the spread of WannaCry through networks around the world. If nothing else, WannaCry demonstrated that neglecting to keep systems up to date for fear of disrupting service delivery can result in far greater problems for your business.

The Threat Widens

WannaCry marked a major change in the ransomware threat. In the past, it’s been highly targeted, aimed at organisations with big budgets and where losing access to data simply isn’t an option. Now that criminals are combining blackmail tactics with security exploits to spread ransomware far and wide, they can use more of a scattergun approach, infecting as many people as possible in the hope that somebody pays up.

Lessons To Learn

Unlike simpler cybercrimes, a WannaCry attack needs to be defended against in three different ways:

1) Minimise the threat of ransomware attacks in the first place. This requires technical measures, such as security scanning of incoming files and attachments, files on USB sticks, and even website visits. It also requires procedural measures, such as educating staff about the risks and enforcing policies on smart and safe device use.

2) Contain the threat from spreading across a network. This means getting to grips with the structure of your network and the ways different computers share data across it. It also means making sure all your software – including your Operating System – is patched to the latest version to avoid security flaws.

3) Mitigate the damage if the worst happens. This means making sure all data is backed up efficiently and comprehensively so that you can easily restore it when needed. It also means having a detailed recovery plan for how you would cope should systems become temporarily unusable.

4) Install anti-ransomware software. PowerNET recommends installing anti-ransomware software like Sophos Intercept X. Sophos Intercept X features CryptoGuard, which prevents the malicious and spontaneous encryption of data by ransomware, even by trusted files or processes that have been hijacked. Once ransomware is intercepted, CryptoGuard reverts your files to their safe states.

Your Next Step

Given both the scale and the scope of preparing for ransomware attacks, it can be a daunting prospect to do everything in-house. Consider getting a fresh set of eyes to look at the problem through an external review. Powernet offers a commitment-free review of your current IT environment and what you can do to help it support your business and your IT security better. Find out more at the link below.
