Life After WannaCry
Sometimes, things seem clearer after a good cry. In the case of the more than 200,000 computers rendered inoperative over the last week by the WannaCry ransomware worm, maybe even a bad cry can be a teachable moment.
Information about how to deal with the specific problem of the WannaCry malware abounds, at this point. The trade press has jumped to the task. A good summary, for example, is part of the Data Breach Today Ransomware Resource Center. If you still need specific advice about fighting WannaCry, you can start there.
It’s interesting that when one of these widely publicized outbreaks hits the front pages of the daily press, the suggested responses are either very specific, e.g. applying Microsoft patch MS17-010 or disabling SMBv1, or they fall back on general rules for good security, such as training your staff not to click on links and attachments in email. All well and good, but is it the best help for the future?
The Big Picture
Ransomware is here to stay. The question is how it will arrive next time. Hundreds of millions of dollars have already been paid in ransomware ransoms. Professional criminals, all over the world, have discovered it’s a big, profitable business. Trend Micro reported that $209 million was paid out in the first half of 2016, for example, and the prevailing buzz is that it’s only getting worse. There are even multiple reports of ransomware “vendors” providing customer service to help people pay their ransoms!
What follows below is some hopefully helpful discussion about the pros and cons of various suggestions to fight ransomware. But first, a metaphor. We seem to be at a point in the history of cyber security that is about where public health was before the Pure Food and Drug Act.
Right now, users and their organizations bear full responsibility for the consequences of security breaches, just as people who got sick used to bear all the consequences of improperly produced or delivered food and medicine. We need to have a meaningful discussion about whether software vendors are doing enough to protect their products from malware before they are released. We need to decide what responsibility they have. Today, it seems to be zero. I understand all the arguments about how much this would cost. Remember them when it’s your kid that’s turned away at the emergency room because the computers are down.
The WannaCry discussion has generated a lot of good, practical suggestions for protecting against ransomware in general, but there are often details that are important to remember. Here are some of the ones we worry about:
Don’t Pay the Ransom: In terms of the entire struggle against ransomware, this is a good idea. Paying the ransom rewards the criminals. It also provides them with resources to build even more effective future ransomware. On the other hand, it’s tempting to pay $300 a machine, or whatever, and be done with it. The real costs of fixing the problem yourself, including the direct costs of remediation plus the downtime, could exceed the cost of the ransom. Unfortunately, many victims report paying the ransom and not getting the keys to decrypt their files. So it’s a tough decision. Our opinion is to put effort now into decreasing the cost and time of remediation if ransomware strikes, so that it’s an easier choice not to pay.
Maintain backups: Great advice. You must watch out for some things, however.
- What is your recovery point objective? In other words, how much data could you lose that was created between the time of your last backup and when the ransomware hit? Adding ransomware to the mix of disasters that might require restoring from backup could suggest backing up more often, since the risk will be higher.
- Are your backups separate enough from the computers that might be infected? Backups to network drives, such as backing up from My Documents to a mapped drive on a server, are not safe. Ransomware such as WannaCry can easily propagate from clients to servers on the LAN, or even to servers on the VPN, MPLS, etc.
- If you are using cloud-based backup, is it safe? You might assume that it is, but several articles are saying that it may not be, depending on its configuration, etc. We’ve noticed that Microsoft Azure has put out specific news that backups to Azure are safe, because of special things they’ve done. What special things has your backup vendor done? Best to check.
- When was the last time you tested recovery from your backups? This has been an issue from time immemorial, but even recently some ransomware victims have reported that their restores didn’t work. You should be testing your ability to restore, anyway.
Update and Patch: Possibly the single best thing you can do. Everybody knows this, right? So it’s enlightening that so many computers got ruined by WannaCry two months after Microsoft released a patch. What happened?
- Unsupported versions of Windows (XP, Windows 8, Server 2003) didn’t get the patch in March. This shows the risk of continuing to use unsupported systems.
- The “need” to upgrade has long been a controversial subject. We need some innovative action here, but it goes far beyond the scope of this article.
- Some systems that should have been patched simply weren’t. Some patching routines require a reboot of the client and then wait for users to perform it. Perhaps something more dependable should be employed.
Whitelist applications: It is possible to create environments where only approved programs will execute. This has been shown by people like the Australian Signals Directorate to be very effective in reducing the risk of malware. The usual reasons not to do it stem from the amount of work it takes and possible complaints from users about limits on what applications they can use. Which brings up another subject:
Limit administrative privileges: Malware can spread more easily from computers with higher admin rights. The main argument against this, too, is that it limits users’ abilities to download apps or otherwise change their machines. It is possible that increasing threats like ransomware will change the norm on this and make restrictions more acceptable. Also related to this is:
Use easily replaceable client software systems, be they images, snapshots, VMs or whatever. Again, the tradeoff is user choice vs ease of administration and remediation.
Use endpoint protection: This can mean simply being sure that anti-virus is kept updated and configured to scan all downloaded software before allowing anything to run. Lately, however, some software vendors have upgraded their anti-virus clients to software that does more than check incoming material against signatures. Malwarebytes, for example, offers anti-ransomware protection that goes after specific behavior associated with ransomware. Other vendors, such as Cybereason, with its RansomFree product (which is free), and CrowdStrike, also directly address the ransomware threat. It’s worth checking with your endpoint protection (i.e., anti-virus) vendor to find out what they offer.
Configure your firewalls to limit propagation: WannaCry was spread by a worm, which means that it built lists of target IP addresses, both randomly and from information on the compromised client, and then sent malicious SMB and UDP packets to particular ports at those addresses. One reported experiment simply left port 445 on a system open to the Internet, and within 20 minutes the machine contracted WannaCry.
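As an added example (not from the original post), the following PowerShell script audits a Windows client for the two propagation conditions discussed above, SMBv1 enabled and inbound TCP 445 reachable, and applies the corrected settings. It assumes Windows 8.1/10 or Server 2012 R2 or later, an elevated session, a host that serves no file shares, and an arbitrary rule name.

```powershell
# Added example: audit and harden a Windows client against SMB-based worm propagation.
# Assumptions: Windows 8.1/10 or Server 2012 R2+ (SmbShare and NetSecurity modules present),
# run as Administrator, and the host does not serve file shares, so it needs no inbound SMB.
$RuleName = "Block inbound SMB TCP 445 (ransomware worm mitigation)"   # assumed rule name

# --- 1. SMBv1: the weak setting is EnableSMB1Protocol = True ---------------------------------
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled (weak setting); disabling it."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Also remove the optional feature so the protocol binaries are not present at all.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output "SMB1Protocol feature removed; a reboot is required to complete removal."
    }
} else {
    Write-Output "SMBv1 server protocol already disabled."
}

# --- 2. Inbound TCP 445: the weak setting is no block rule (default allow for file sharing) ---
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "No block rule for inbound TCP 445 (weak setting); creating one."
    # A block rule takes precedence over the built-in "File and Printer Sharing (SMB-In)" allow rule.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Action Block -Profile Any | Out-Null
} elseif ($rule.Enabled -ne "True") {
    Write-Warning "Block rule exists but is disabled; enabling it."
    Enable-NetFirewallRule -DisplayName $RuleName
} else {
    Write-Output "Inbound TCP 445 block rule already in place."
}

# --- 3. Verify: list every enabled inbound rule that touches port 445 -------------------------
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq "Inbound" -and $_.Enabled -eq "True" } |
    Select-Object DisplayName, Action, Profile | Format-Table -AutoSize
```

On a host that does host shares, narrow the block rule's profile (for example to Public) instead of blocking on all profiles, and keep the rest of the audit unchanged.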
Finally, yes, do get your users to avoid clicking on email attachments, links or banner ads on Websites. It is even true that malware can be downloaded from sites with infected ads even if you don’t click on them. It’s enough to suggest that users limit Web surfing at work to only what’s necessary for work. Lots of luck. You can also consider giving them all ad blocker software.