How can organisations prepare for future attacks beyond ransomware?
How can organisations prepare for future attacks beyond ransomware?

The repercussions of the recent WannaCry and NotPetya attacks were felt across the globe and, with The Shadow Brokers promising another data dump in the near future, the world should be prepared for similar attacks.

Although the impact of these recent attacks has been huge - in terms of downtime and massive disruption to operations - the unfortunate reality is that ransomware is just one of the cyber-weapons in the attacker's arsenal of tools. More sophisticated attacks, using data trojans or remote access tools, could prove more lucrative for attackers and have devastating consequences for the organisations impacted. 

WannaCry - from a money-making perspective - wasn't particularly successful. In fact, at the time of writing no withdrawals have been made on the bitcoin addresses used by WannaCry (Editor's note, subsequently, on 2nd August £110,000 was withdrawn from three bitcoin wallets linked to the May 2017 WannaCry ransomware attack and transferred the funds into several additional accounts - still a relatively small sum compared to the global spread of the ransomware). This isn't to say organisations were not hit hard. The NHS, for example, had to take multiple critical services offline and cancel numerous operations. But what if the attackers hadn't just focused on this Windows vulnerability using solely ransomware? What if WannaCry had just been the distraction? If the attackers had targeted the NHS with a view to stealing patient data, it would have been much more expensive for Trusts to investigate evidence of breach as well as dealing with the costs of a ransomware clean-up. We can only imagine the chaos the release of sensitive health data would cause. For example, they then would have had the power to choose to leak the medical status of those patients in prominent positions – their health, their lifestyles, their preferences. This scenario also applies to other organisations and we have seen similar incidents already where credit card details have been stolen, credentials abused and inboxes publicly leaked as was the case during Hillary Clinton's Presidential campaign.

It is interesting to note, however, that some researchers have begun to suspect that both NotPetya and WannaCry were not designed as a money-making schemes but as opportunities to embarrass the NSA by wreaking havoc with its own tools, and that NotPetya was designed to disrupt the Ukrainian infrastructure. In some ways, we're lucky ransomware payload attacks such as these are so visible. They give organisations the opportunity to see how vulnerable they really are and provide an opportunity for them to change their security strategies. On the other hand, many now believe that ransomware will only get worse before it gets better, becoming more advanced and more difficult to remediate, targeting systems that are more difficult to backup and decrypt using the tools available online.

The future of ransomware is here

There is no doubt that another attack is on the horizon and, with The Shadow Brokers having released further information and pricing details about its monthly data dump ‘service', who knows what will happen the next time around. For a monthly fee of around £15,000, anyone can access the latest trove of tools. Wouldn't it be horribly ironic if the actors behind WannaCry or NotPetya used their ransom payments to fund the next set of tools?

Ransomware has been thrust into the public eye and, while we hope organisations will have security front of mind, it's optimistic to think we'll see a significant decrease in attacks. However, investing in next-generation protection - based on machine learning, artificial intelligence and threat behaviour recognition - combined with timely patch updates and an effective backup system, means organisations can be protected from the malicious actors seeking to leave destruction and devastation in their paths.

Contributed by Tony Rowan, chief security consultant at SentinelOne

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.