There are a lot of online articles about the WannaCry ransomware, and I have listed half a dozen reference links at the end of this article for your further reading. While news reports say 200,000 computers were affected, the number of connected computers in today’s world is about 10,000 times that (Forrester Research predicted the number of PCs would reach 2 billion by 2016).
A virulent Trojan horse was released on 12th May 2017 via a phishing email; a hospital employee opened it on his/her computer and clicked the attached zip file, which launched the attack. The WannaCry Trojan horse spreads itself via further emails to the contacts on that person’s contact list, both within and outside his/her hospital network. What is more potent is that WannaCry also spreads within the network (bounded by boundary gateways such as firewalls and content filters that block Microsoft Server Message Block, SMB, from crossing the network boundary) to other Microsoft OS based devices and servers via SMB vulnerabilities AND via files shared through file-sharing applications such as DropBox and other cloud-based drives that allow Windows Explorer upload. WannaCry uses the known exploits EternalBlue and DoublePulsar, for which patches had been available since 14th March 2017.
The extent of the spread is widely reported; UK NIH hospitals are clustered together organizationally and presumably also in terms of their network, to share IT resources such as servers. See the reference links for more details.
What did the ransomware writers do right?
- Phishing email
- Exploiting near-zero-day vulnerabilities
- Exploiting the file-sharing trend
- Locking up important-looking documents that the enterprise may not have up-to-date backup copies of
What perpetuated the spread?
- Human (judgement) error:
  - Staff with no security training or awareness
  - A compelling phishing email
  - A connected enterprise that has limited internal security screening/gateway devices
  - Manually stopping a security patch cycle
  - Absence of a file modification alert tool on critical IT servers that raises an alarm when files are inadvertently modified (by a Trojan horse)
  - Security policy and implementation: there should be restrictions on the use of file-sharing applications within enterprises
- Resource issue: continued use of outdated/unsupported OS
- Lag in security patching, either through policy or dictated by the production cycle (e.g. quarterly rather than the monthly security patching that Microsoft recommends)
- Lack of an enterprise security monitoring capability, such as a 24×7 security operations center that can quarantine and block the spread; an under-staffed ICT security team or a lesser focus on ICT security
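The file modification alert tool mentioned above can be as simple as a baseline of file digests that is rescanned on a schedule. The following is an added example (not code from the original article): it snapshots a folder, diffs the snapshot against a later one, and raises an alarm either when the number of modified or removed files between two scans exceeds a tuning threshold, or when new files appear with an extension from a watchlist. The threshold, the folder contents and the extension list (`.locked`, `.encrypted`) are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed watchlist of extensions that should never appear on a document
# server; these are placeholders for the example, not a real indicator list.
SUSPECT_EXTENSIONS = {".locked", ".encrypted"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map every file under root (as a relative path) to its current digest."""
    root = Path(root)
    return {
        str(path.relative_to(root)): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and list added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def assess(changes: dict, churn_threshold: int = 10) -> dict:
    """Alarm on mass change between scans or on suspect new extensions.

    churn_threshold is an assumed tuning value: ordinary document churn between
    two scans of a critical server is expected to stay well below it.
    """
    churn = len(changes["modified"]) + len(changes["removed"])
    suspect = [p for p in changes["added"] if Path(p).suffix.lower() in SUSPECT_EXTENSIONS]
    return {
        "alarm": churn >= churn_threshold or bool(suspect),
        "churn": churn,
        "suspect_new_files": suspect,
    }


def demo() -> dict:
    """Baseline a constructed document folder, simulate mass modification, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(12):
            (root / f"report{i}.docx").write_bytes(b"quarterly figures %d" % i)
        baseline = snapshot(root)
        # Constructed event: every document is overwritten and renamed in one
        # pass, the pattern a file-modification alarm on a critical server
        # should catch.
        for path in list(root.glob("*.docx")):
            path.write_bytes(b"unreadable replacement content")
            path.rename(path.with_name(path.name + ".locked"))
        return assess(diff_snapshots(baseline, snapshot(root)))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the monitored host, the scan interval chosen so that the churn threshold is meaningful, and the alarm wired to the same channel the security operations team already watches, since the value of the tool is in how quickly someone acts on it.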
There are online posts that discuss what the ransomware writers did wrong. See reference link 6.
I will just focus on those contributors that I classify as under the human error category.
A phishing email can be very compellingly written, but one that carries a file attachment should be treated with suspicion, especially when it comes from an external source. All enterprises should train their staff to filter such email, and should enable their email software’s phishing-filtering capability by default. Matters are made worse by staff with computer access who think that what they do will not affect the enterprise’s ICT security posture.
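The gateway rule the paragraph calls for, "external sender plus attachment means quarantine for review", is easy to express with the standard library. This is an added example, not code from the original article: it parses a raw message, derives the sender domain, collects attachment names and returns a verdict, flagging attachment types that deserve priority review. The internal domain `example-hospital.test`, the extension list and the sample messages are all constructed for the example.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed configuration for the example: the organisation's own mail domain and
# a constructed (not exhaustive) list of attachment types that deserve priority review.
INTERNAL_DOMAINS = {"example-hospital.test"}
RISKY_EXTENSIONS = {".zip", ".exe", ".js", ".scr", ".docm", ".xlsm"}


def sender_domain(msg) -> str:
    """Domain of the From address, lower-cased; empty string if unparsable."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def attachment_names(msg) -> list:
    """File names of every part the message labels as an attachment."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and part.get_content_disposition() == "attachment":
            names.append(filename)
    return names


def classify(raw: bytes) -> dict:
    """Apply the rule: external sender + any attachment => quarantine for review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    names = attachment_names(msg)
    risky = [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]
    verdict = "quarantine" if external and names else "deliver"
    return {"verdict": verdict, "external": external, "attachments": names, "risky": risky}


def build_sample(sender: str, attachment=None) -> bytes:
    """Construct a sample message (test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example-hospital.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, attachment in [("vendor@external.test", "invoice.zip"),
                               ("vendor@external.test", None),
                               ("hr@example-hospital.test", "policy.pdf")]:
        print(sender, attachment, classify(build_sample(sender, attachment)))
```

The From header is attacker-controlled, so at a real gateway "external" should come from the connection origin or the SPF/DKIM/DMARC authentication result rather than from the header alone; the rule above is the policy, the gateway supplies the trustworthy input.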
An enterprise network should be segregated into layers of trust, with the most important servers protected by a ring of security gateway devices such as firewalls, supplemented by intrusion detection devices, and with any server-to-server protocol such as SMB allowed only on a case-by-case basis. The lack of such layers of trust, and an open network environment, is what allowed the propagation to spread so quickly in the reported cases, compared with enterprises that apply any of the following measures:
- Train staff, and regularly remind them, to be wary of phishing emails
- Quarantine email from external sources that carries a file attachment
- Limit incoming and outgoing file-sharing applications and the protocols associated with them
- Create layers of trust for enterprise IT resources; for example, allow only web-based application access to critical servers, and only through secured and patched application servers that are protected by firewalls and automated security monitoring tools
- An automated security patching process
Any of the above would have stopped, and has been proven to stop, the spread of Trojan horses like WannaCry.
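The "layers of trust" measure above is easiest to reason about as a default-deny rule set between zones, where a workstation can reach the application tier over HTTPS only, the application tier can reach the critical servers on named ports only, and SMB never crosses a boundary unless a rule with a written justification says so. The following is an added example, not the article's own material: a small first-match policy evaluator with an audit function that lists SMB rules lacking a justification note. The zones, address prefixes, ports and rules are constructed for the example.

```python
from dataclasses import dataclass

SMB_PORTS = {139, 445}

# Assumed trust layers for the example (constructed, not a real network):
# workstations -> app-tier -> critical-servers, each hop crossing a firewall.
ZONES = {
    "10.10.": "workstations",
    "10.20.": "app-tier",
    "10.30.": "critical-servers",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    action: str  # "allow" or "deny"
    note: str = ""  # written justification; required for any SMB exception


# First-match rule set with a default deny. There is deliberately no SMB rule:
# it would be added only as a named, case-by-case exception carrying a note.
POLICY = [
    Rule("workstations", "app-tier", 443, "allow", "web front-end only"),
    Rule("app-tier", "critical-servers", 443, "allow", "patched app servers reach APIs"),
    Rule("app-tier", "critical-servers", 5432, "allow", "database port, app tier only"),
]


def zone_of(ip: str) -> str:
    """Map an address to its trust zone; unknown prefixes are untrusted."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "untrusted"


def evaluate(policy, src_ip: str, dst_ip: str, port: int) -> str:
    """Return the gateway action for a flow; anything not explicitly allowed is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic inside one zone never reaches the boundary gateway; host
        # firewalls have to cover it, which is exactly where flat networks fail.
        return "intra-zone"
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.port) == (src, dst, port):
            return rule.action
    return "deny"


def audit_smb(policy) -> list:
    """Every rule that lets SMB cross a zone boundary without a justification."""
    return [r for r in policy if r.port in SMB_PORTS and r.action == "allow" and not r.note]


if __name__ == "__main__":
    for flow in [("10.10.5.7", "10.20.0.9", 443), ("10.10.5.7", "10.30.0.2", 443),
                 ("10.10.5.7", "10.30.0.2", 445), ("10.20.0.9", "10.30.0.2", 5432)]:
        print(flow, evaluate(POLICY, *flow))
    print("unjustified SMB rules:", audit_smb(POLICY))
```

Exporting a real firewall's rule base into this shape (zone, zone, port, action, comment) and running the audit over it is a cheap way to find the case-by-case SMB exceptions that have quietly become permanent.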
James Scott, from the Washington DC-based Institute of Critical Infrastructure Technology, said this: “you’re only as strong as your weakest link within your organisation from a cyber-perspective”.
Don’t let the weakest link be worse than a link, i.e. totally unprepared.
Oh, and by the way, don’t pay the ransom if your computer has been affected. Rebuild the computer from the last good backup, apply the security patches, and move on from there.