Wannacry: avoiding being held to ransom
26 June 2017
In recent weeks the disruptive power of ransomware has been displayed in the media, with the prominent strain ‘Wannacrypt’ or ‘Wannacry’ making headlines. High-profile ransomware attacks are not a new thing, last year ‘Locky’, a prolific ransomware strain, targeted 400,000 systems in its first week. Some analysts have traced the source of the Wannacry attack to North Korean government-backed hacking collective, Lazarus. Both the 2014 attack on Sony Pictures and the theft of US $81 million from the Bangladesh Central Bank in 2016 have been attributed to Lazarus.
Wannacry has made headlines for its targeting of the NHS. NHS Trusts and GP surgeries across England and Scotland were brought to their knees by the ransomware worm, as well as international telecoms companies, universities, global logistics companies and well-known transport businesses. Attacks were detected across six continents within the first half day of the attack.
Wannacry exploits a backdoor in Microsoft’s SMB file sharing service. The tool used to do this, codenamed Eternalblue, is thought to have been developed by the US National Security Agency as part of its cybercrime programme, but was leaked online by a group of hackers known as the “Shadow Brokers”. The tool spreads rapidly through network shares and locks a user’s data and encrypts it with the hackers then demanding payment in Bitcoin to decrypt and restore the documents.
At the time of publication, up to 200,000 Wannacry attacks across 150 countries have been recorded. While the amounts demanded have ranged between $300 and $600, and are relatively small, the effects of the attack can be catastrophic for business. The hackers demand that if the amount is not paid within seven days, the files or documents will be deleted.
In March, Microsoft issued a patch to address this vulnerability, but not all organisations applied it. Microsoft has now issued a patch for older versions of Windows such as XP, 7 and 8, support for which had previously been discontinued. It is believed that 7% of the world’s computers still run on Windows XP and 5% of NHS computers operate using Windows XP. It was use of older, unsupported versions of software, which made the NHS a prime target.
It has been reported that in 2016, the biggest change to ransomware was the move from infecting individual systems to targeting organisations. The approach is still very opportunistic with attacks coming through websites, malware spread via emails and phishing and in Wannacry’s case, through file sharing.
What can be done to minimise risk?
As ever, every business’ biggest security vulnerability lies in its employees. It is estimated that just 17% of businesses have had their staff attend some form of cyber security training in the last year. As such, it is vital that staff are trained and aware of the threats posed by breaches of cyber security and information security. Staff should be educated in the importance of notifying relevant IT personnel of unsolicited emails and not automatically opening suspicious attachments or downloading unauthorised software (last year 66% of malware was installed via malicious email attachments).
All organisations should of course, ensure that they have in place a frequently tested capital Info-Sec policy and business continuity and disaster recovery (BC/DR) plan. This should set out a clear protocol on how to respond to threats such as a ransomware attack as well as having daily processes for data back-ups. Where this data is backed up and stored by third party suppliers or on the cloud, you should ensure that those third party suppliers have similar controls in place that are capable of being tested and audited. It will be important to understand whether the third party will be liable in the event that it is the external server or cloud that is targeted rather than your business.
Organisations should ensure that they have robust systems in place to defend against initial intrusion and take a layered approach, segmenting and separating core data from external-facing interfaces (like websites and customer portals), keeping software and systems up to date and patched and have in place sufficient anti-virus and firewall coverage.
Organisations should ensure that where they have cyber insurance in place, they are aware of what is and is not covered by the policy and seek to ensure that coverage is provided for damages related to ransomware attacks, business interruption, loss of data and even payment of ransom to hackers and cyber extortion.
Should I pay?
In some cases you may see the need to pay the ransom where no other solution has been found and upon an assessment of the considerations at play where harm linked to the loss of the files or data outweighs the financial demand. However, you should be cautious that paying the ransom may put you at risk of committing a criminal offence of funding terrorism or organised crime in certain circumstances. Payment will be contrary to UK government policy and most companies’ published statements on corporate social responsibility (CSR). Advice should be sought from law-enforcement and, in the UK, the National Cyber Crime Unit (NCCU) of the National Crime Agency.
There will of course be numerous risks linked to payment of ransom, namely, repeat attacks. Cyber criminals may be able to access the systems through the same backdoor, or through new backdoors that they have installed and especially where an organisation may have paid off previous attackers; they may be seen as an easy target.
There is also no guarantee that access to files will be restored once the ransom is paid. Kaspersky estimate that in 2016 one in five small and medium-sized businesses who paid a ransom did not receive their data back.
The majority of ransoms are demanded in Bitcoin. This is by virtue of the currency’s anonymous, irreversible nature. While the identities of recipients are anonymous, the amounts paid are not and once the funds are moved, police and anti-cybercrime agencies can begin to build a picture of the cyber attackers’ movements and patterns of work.
In short, the best way to protect your organisation from the threat of any cyber attack or security breach, be it via ransomware, DDoS, malware or the malicious acts of an insider, is to ensure that security is prioritised and receives the time and financial investment it deserves.
This means putting in place robust anti-virus systems and firewalls to prevent attacks, regularly updating and patching software and systems, limiting circulation of any sensitive or important information or documents to those who need to know, rigorously testing your back up, business continuity and data breach response plan and protocols and ensuring that third party providers have similar controls in place.
 Verizon 2017 Data Breach Investigations Reports (10th Edition)
 Verizon 2017 Data Breach Investigations Reports (10th Edition)
 Section 17 of the Terrorism Act 2000; Section 42 of the Counter-Terrorism and Security Act 2015