Cybersecurity Update: Reflecting on the WannaCry Ransomware Attack
A global ransomware attack crippled operations for thousands of organizations earlier this month, and today the cybersecurity world is still assessing the damage. As IT and security teams around the world struggle to regain control of company data, cyber forensic researchers are attempting to understand who perpetrated the historic hack. All the while, executive leaders are left to mitigate the reputational damage and begin preparing for the next cyber incident that could target their organizations.
On Friday, May 12th, a diverse group of global organizations joined an unfortunate club with ever-expanding membership: they were the most recent victims of a cyberattack. A form of malware known as ransomware had rendered their workstations inoperable, encrypting entire hard drives of important files and sensitive information. According to a digital ransom note, victims could pay $300.00 USD in Bitcoin to have their data restored. For those unwilling to pay, the ransom would continue to increase and, eventually, their data would be erased.
“Different From Anything We’ve Ever Seen”
The self-replicating malware spread across local networks and the Internet, exploiting a known vulnerability in the Microsoft Windows (largely Windows 7) operating system. Among security experts, the most alarming feature of the cyberattack was the speed with which it spread. In the beginning, networks seemed to be infected simultaneously and, by the thousands, companies reported the incident to law enforcement. Like a traditional computer virus, the WannaCry ransomware could quickly move from host to host, infecting entire networks, then moving on to a new victim. According to Haiyan Song, an operational security leader, the attack was “Different from anything we’ve ever seen” because it combined a relatively new form of malware (ransomware) with an age-old tactic for spreading malicious programs across the Internet: “When you combine WannaCry ransomware and a worm this powerful, there’s no surprise the result is a global attack.”
Verizon’s most recent Data Breach Investigations Report (DBIR) confirms the uniqueness of the WannaCry attack. Although ransomware attacks are becoming more frequent, the report suggests that ransomware is primarily a crime of opportunity, categorizing these attacks as “high frequency, low impact annoyances.” Indeed, previous ransomware cases were opportunistic attacks that lacked technical sophistication; however, for companies still struggling to resume normal operations, the WannaCry attack was anything but low impact.
Not All Heroes Wear Capes
As screenshots of users’ locked-down PCs circulated on Twitter, one self-trained cybersecurity researcher began his investigation using a sample of the ransomware code. Marcus Hutchins, known by his handle @MalwareTechBlog on Twitter, found a lengthy, “nonsensical” string of characters buried in the malware’s instructions. Those characters corresponded to an unregistered domain address. On a hunch, Hutchins registered that domain for $10.69, then watched as thousands of computers per second – from all over the world – started connecting to it. The attackers had created a way to disable the attack; unbeknownst to Hutchins, he had stumbled upon the malware’s “kill switch.”
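The kill switch described above gives defenders a useful signal: a host that looks up the kill-switch domain has already run the worm's payload, and whether that lookup resolved tells you whether the encryption step was likely skipped. The following DNS-log triage is an added example written for this page, not code from the original article or from Hutchins; the domain name is a placeholder (the real one is not printed here), and the log format and log lines are constructed for illustration.

```python
import re

# Placeholder: the real kill-switch domain is not given on this page.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log in a hypothetical format:
#   <iso-timestamp> <client-ip> query <queried-name> <rcode>
# One host queried the domain before it was registered (NXDOMAIN),
# another after it was registered and sinkholed (NOERROR).
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.21 query killswitch-placeholder.example NXDOMAIN
2017-05-12T10:01:09Z 10.0.4.21 query update.microsoft.com NOERROR
2017-05-12T10:03:40Z 10.0.7.8 query KILLSWITCH-PLACEHOLDER.EXAMPLE. NOERROR
2017-05-12T10:03:41Z 10.0.7.8 query killswitch-placeholder.example NOERROR
2017-05-12T10:05:00Z 10.0.9.3 query mail.internal.example NOERROR
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)\s+(?P<rcode>\S+)$"
)


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = normalize(rec["name"])
    return rec


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Group kill-switch lookups by client and decide what each host needs.

    A NOERROR answer means the host reached the registered (sinkholed) domain,
    so encryption was probably skipped, but the worm still executed there and
    the host must be patched and checked for lateral spread. An NXDOMAIN-only
    history means the check failed and the payload most likely continued.
    """
    target = normalize(domain)
    per_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["name"] != target:
            continue
        entry = per_host.setdefault(
            rec["client"], {"first_seen": rec["ts"], "lookups": 0, "resolved": False}
        )
        entry["lookups"] += 1
        if rec["rcode"] == "NOERROR":
            entry["resolved"] = True

    findings = []
    for client, e in sorted(per_host.items()):
        findings.append({
            "client": client,
            "first_seen": e["first_seen"],
            "lookups": e["lookups"],
            "resolved": e["resolved"],
            "action": ("isolate, patch, hunt for spread; encryption likely averted"
                       if e["resolved"]
                       else "isolate and restore from backup; assume files encrypted"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DNS_LOG):
        print(finding)
```

Note the limits of this signal: the worm's domain check made a direct outbound request, so hosts that could only reach the Internet through a proxy, or that had no outbound DNS at all, never produced a lookup and were encrypted regardless of the domain being registered. Absence of the query therefore does not clear a host; presence of it does confirm the worm ran.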
The Next “Big One”
Despite Hutchins’ breakthrough, the incident highlights the importance of prevention and education in addressing cybersecurity concerns. While the discovery helped contain the rapidly spreading malware strain, for the thousands of already-infected victims, the kill switch came too late. Companies without viable backups were forced to decide whether to seek out the decryption key themselves or pay the ransom and hope that the criminals would be true to their word. As of Friday evening, the attackers’ bitcoin address had received 300 payments; however, according to some victims, their files have yet to be decrypted.
Moreover, the effects of the attack could have been much worse, as the antidote turned out to be a lucky break. A hero emerged relatively quickly to defend the Web, a sheriff, if you will, who restored order to the Wild West. Despite his recent victory, @MalwareTechBlog conceded on Twitter, “I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”
As for tips about preventing the next “Big One,” Hutchins recommended a familiar solution: education. In fact, after being awarded a $10,000.00 bounty for his discovery, he tweeted, “I plan on splitting it between to-be-decided charities and education.”
To those who know the industry, Hutchins’ tweet is more than just lofty rhetoric. Education could have prevented WannaCry, and cyber literacy at all levels of an organization can prevent many attacks to come. And while every individual at an organization has a role to play, we believe this cyber education priority needs to originate at the top; only then can cybersecurity be taken seriously, effect change, and improve user behavior.
If you are a senior business leader looking for a greater understanding of how cybersecurity issues impact your organization, start or continue your journey by requesting a private training by our team.