What is the security industry saying about WannaCrypt0r ransomware?


With the NHS still struggling to restore systems after being caught up in the world’s biggest ransomware attack over the weekend, IT Security Thing has been getting a handle on the industry perspective regarding WannaCrypt0r.

First though, let’s get a few things out of the way in order to clarify what has happened:

1. This was not an attack targeted at the NHS. It was a global attack on organisations that had not patched a known vulnerability within the Microsoft Windows Server Message Block (SMB) protocol. A vulnerability that had been patched two months back in the MS-17-010 critical security bulletin update.

2. This was not any old ransomware malware, it was ransomware attached to a worm. A worm made possible by the NSA as it exploits a Microsoft SMB vulnerability (EternalBlue) that was developed by the National Security Agency. The exploit code was leaked by Shadow Brokers, and someone unsurprisingly put it to use here.

3. This should not have been unexpected by the NHS in particular, plenty of people have been warning of just such a risk from unpatched legacy software and systems. Including, funnily enough, me. In fact I published this specific warning in a health industry publication just days before the attack hit. Or how about this about the fact that some NHS Trusts spent a big fat ZERO on cyber security, from these very pages? Or this asking is the NHS was ripe for a ransomware attack almost exactly a year ago?

OK, so what has the wider security industry been saying as the dust starts to settle?

Gavin Millard, EMEA Technical Director of Tenable Network Security: “With the success of the initial infection of WannaCry, it wouldn’t be at all surprising to see the next iteration released soon. Although there has been a significant amount of interest in the media and inescapable coverage of the outbreak, many systems will still be lacking the MS17-010 patch required to mitigate the threat. “For users that are rightfully concerned about another wannacry wave, updating their system to remove the vulnerability that it targets and blocking SMB traffic (Ports 139 and/or 445) to any system that can’t be updated is critically important.”

Chris Doman, security researcher at AlienVault: “New variants today are now spreading with a modified kill-switch domain. Someone, likely different to the original attackers, made a very small change to the malware so it connects to a slightly different domain. That allowed it to continue propagating again. The internet scanning service Shodan shows approximately half a million networks with the vulnerable service exposed to the internet in the US, and almost 20,000 in the UK. Most of those systems will have been patched by now, but a significant proportion won’t have been.”

Javvad Malik, security advocate at AlienVault: “Regarding blame, it’s not a simple or straightforward case of placing the blame on any one aspect. On one hand, there’s a debate ongoing about responsible disclosure practices. Should the NSA have sat on vulnerabilities for so long that when Shadow Brokers released the details it left a small window for enterprises to upgrade their systems. On the other hand, there are several so-called “simple” steps the NHS or other similar organisations could take to protect themselves.”

Becky Pinkard, VP of service delivery and intelligence at Digital Shadows: “So far, we have discovered there are still 1.3 million externally accessible Server Message Block (SMB) services on port 445 – the latest Microsoft Security patch MS010-17 will have remediated some of those, but nonetheless that’s still a LOT of attack space to take advantage of from a ransomware perspective. These are used to provide access to files, printers, serial ports, and other sorts of communications between nodes on a network for Windows machines. The good news for worldwide healthcare organisations and other businesses is that this threat is very stoppable as MS010-17 only needs to be applied. There are other methods of mitigating the risk available as well – from the application of access control lists to host-based hardening and even shutting off SMB services within the windows environment.”

Nik Whitfield, CEO, Panaseer: “The chaos faced by the NHS is a direct result of poor cyber hygiene. The bigger the organisation, the more challenging it is to maintain ‘basics’, which include being clear on hardware assets, monitoring vulnerabilities and (crucially in this case) applying priority software patches. The underlying issue with cybercrime is that the relationship between cybercriminals and organisations is asymmetric – the criminals only need to succeed once, whereas defenders have to get it right every single time. It is becomingly increasingly impossible for organisations to be 100% secure – the key is ensuring that they are ‘secure enough’. In a complex technology environment, like the NHS, cyber hygiene can be a huge challenge but the risk of neglecting it means that it was only a matter of time before an attack was successful.”

Ilia Kolochenko, CEO of High-Tech Bridge: “It would be unreasonable and inappropriate to blame the NSA for any significant contribution to this attack. Similar zero days are bought and sold almost every day, and many other organizations participate in these auctions – virtually anyone can (un)intentionally leak an exploit and cause similar damage. The real problem is that in 2017, the largest companies and governments still fail to patch publicly disclosed flaws for months. Practically speaking, the NSA doesn’t really need a zero day to get their data – their negligence “invite” attackers to get in.”

Vijay Michalik, Industry Analyst, Digital Transformation, Frost & Sullivan: “We are nearing an inflection point in cybersecurity across both government and the private sector, although key barriers remain such as lack of technical understanding and reticence to invest. Businesses need to invest heavily to match the growing threat of cybercriminal activity, in each of technology, internal security personnel and training of general staff to identify and avoid threats. Key sectors such as healthcare will be pressured to adapt by governments if they will not do so of their own volition, with an annual growth rate in healthcare cybersecurity of 13.6% in the US alone.”

Oz Alashe MBE, CEO CybSafe: “It’s very concerning to see public services being targeted with the sort of devastating attack that is currently in progress at the NHS. The healthcare sector has been found to be the industry most targeted by cybercriminals and in most cases these breaches occur though rudimentary hacking techniques. The healthcare sector needs to increase its level of cybersecurity knowledge in order to prevent these attacks. We won’t know the full extent of the breach for the foreseeable future, and the motives for the attack will be key in determining how the healthcare industry moves on and learns from this breach. For example; this could be the result of a ‘script kid’ doing it because he/she can, an organised criminal group for extortion purposes or an antagonistic nation-state intent on causing chaos and disruption. Learning from the motives and the techniques used in this breach will ensure that the NHS is better prepared, through technology and staff education, for any similar attempts in the future.”

Karl Sigler, Threat Intelligence Manager at Trustwave: “Despite a patch being available, this didn’t appear to slow WannaCry down. While many blame system administrators for not patching the systems under their control, a complicating factor is the still wide spread prevalence of Windows XP and Windows Server 2003. Both of these operating systems have passed their “end-of-life” and are no longer issued patches. In order to help stem the widespread exploitation used by WannaCry, Microsoft made the rare move of pushing out a patch to those end-of-life systems yesterday.”

Andrew Stuart, managing director EMEA, at Datto: “The WannaCry ransomware attacks hit the headlines because they did so much damage to such high profile targets. But the attacks on the NHS are just part of the story. Smaller businesses are just as likely to be hit by this worm as well as the new variants that the NCSC is warning us to expect this week. The struggle for smaller firms is they don’t necessarily have the resources to call in experts to clean up their networks in the aftermath of an attack such as this. When small business owners arrive at work this morning it is vital that they do three things. Firstly, they need to make sure all their laptops and computers have the latest Windows Update. Secondly, they need to make sure their anti-virus software is updated. Thirdly, they need to ensure that their data is backed up.”

Catalin Cosoi, Chief Security Strategist at Bitdefender: “WannaCry 1.0 and 2.0 are just the beginning. It’s probably going to get worse before it gets better, as it’s going to be one of the most serious threats for the following 12 months. Unless, Microsoft decides to do something about it, such as force an update. It has been done before and the scope of the current threat could justify doing it again, in a controlled and coordinated manner, with support from authorities and the security industry. Although borderline legal, our experience with cyber-crime has proven that legislation is often lagging when it comes to regulation, which is why cooperation between law enforcement and security vendors is needed now more than ever.”

Adam Meyers, Vice President at CrowdStrike: “It is important to recognise that patch roll-outs are complex. High profile patch fiascos have made IT departments wary of automatic patch installations. Organisations often run testing, to double check that applying the patch does not knock over their IT systems. Any window between the known vulnerability and the patch is critical. Two months arguably is too long. But, organisations need an intelligent endpoint protection system that can operate at machine speed during that window of opportunity.”

Emily Orton, Director and co-founder of Darktrace: “Friday’s attack has shown that it is very difficult to keep up to date with security and the old approaches to keeping attackers out fail. New approaches detect threats in the earliest stages, so damage can be mitigated. In the latest generation of AI-based cyber defence, the software can spot an attack and take action against it, even before humans have had time to notice.”

Myles Bray, EMEA VP, ForeScout Technologies: “Things like MRI machines, operating room equipment, security cameras, patient monitors and wireless printers often come with a default password, and unless they are regularly updated with the latest security software, offer a vulnerable back door into an organisation’s wider systems. The only way to protect against this is to have complete visibility of all devices on a network at all times, and the ability to understand and control the devices and their levels of access across the organisation’s network. Given the lack of security built into many devices from manufacturers, this is something that organisations like the NHS need to apply for themselves.”

Gérard Bauer, Vice President EMEA at Vectra Networks: “With the UK government setting its sights on a renewed paperless strategy for the NHS during this decade, including another go at digitising all patient data, UK hospitals represent a tantalising target for cybercriminals. The ongoing proliferation of poorly secured IoT-connected devices in the NHS hasn’t helped either and can provide an easy backdoor for malicious hackers. Without robust security defences in place, sensitive patient data and connected medical devices are ripe for the picking…”

Nathan King, director at Cyberis: “It is well-established that the health sector is an industry which has been specifically and repeatedly targeted by cyber attacks and therefore the NHS should have clearly identified the threat as a priority for vulnerability management and predicted such incidents. Managing the threat and related vulnerabilities is not straightforward as it involves people, process and technology controls to be fully effective. Practically, there is no 100% effective defence strategy. For the NHS, the logistics of coordinating the deployment and management of the controls would not be easy and the associated costs likely to be high.”

David Kennerley, Director of Threat Research at Webroot: “It goes without saying that organisations should test their disaster recovery plan (DRP) regularly. This will help them understand the time it will take to restore systems to a useable state and what data is likely to be lost due to back up schedules. If this disruption is due to ransomware it will be interesting to hear what option the trusts intend to take. Let’s hope they are all prepared, with the required backups readily available. The danger with paying the ransom is there’s no guarantee they’ll recover their encrypted data and this only makes ransomware more successful in the long run for hackers.”

Nick Pollard, Security Intelligence & Analytics Director at Nuix: “The increase in ransomware attacks has motivated more organisations to craft new endpoint security plans beyond traditional antivirus and host intrusion prevention systems. But within these plans, ‘Detection and Response’ on its own is no longer an adequate form of defence. Prevention needs to be at the forefront of any ransomware strategy. Since the endpoint is ground-zero for ransomware attacks, what the NHS needed was the ability to detect and put a stop to malicious behaviour as early as possible in the kill chain.”