South Korean consumer electronics company LG has reported to the Korea Internet & Security Agency (KISA) that one of its service centres in Korea has suffered a ransomware attack, according to The Korea Herald, with reports saying the malware is the WannaCry ransomware.
Dr Jamie Graves, CEO at ZoneFox emailed SC to note that, “at this stage it seems that the code used is identical to WannaCry, which swept across the world in May, with devastating consequences.
“LG is of course a huge business and the fact it is based in South Korea will immediately raise questions - many pointed the finger at the country's noisy neighbour when the WannaCry attack happened. The firm is saying it managed to block this latest attack, but if the code is written by the same criminal forces that were responsible earlier this year, it's likely that more organisations could be affected.
“The most worrying thing is that this shows that not enough lessons are being learnt - and there is still failure to keep IT systems constantly updated, despite the relentless barrage of attacks we are seeing. The speed and sophistication with which these cyber-crooks operate is exceptional. Every organisation must ensure they have the latest technologies in place, which provide them with a 360-degree, 24/7 visibility of activities and behaviour around business-critical IT systems.”
Jason Allaway, VP UK and Ireland of RES, now Ivanti, concurred that, “Ransomware is not going to go away and firms, big or small, have to start taking the security of their perimeters seriously.
“In order to do this, firms need to be investing in education and proven technology such as context-aware access controls, comprehensive blacklisting and whitelisting, read-only access, automated deprovisioning and adequate back-ups to both prevent and combat this global problem.”
Jovi Umawing, malware intelligence researcher at Malwarebytes comments, “No country is safe from ransomware, ...There are several worms that are constantly scanning the Internet for vulnerable hosts. WannaCry - which never really went away - and its variants with or without the killswitch, are one of them. Therefore existing infected machines will continue to 'broadcast' to the outside until they are taken offline. In the meantime, any computer that has its SMB ports exposed and where the patches haven't been applied, will be compromised when it comes up online.”
Umawing also cautions: “Although ransomware is what most are focused on at the moment, remember that other malware can also take advantage of a number of vulnerabilities that WannaCry attacks. The worm, MicroBotMassiveNet, is one example. We cannot stress enough the importance of keeping and maintaining an up-to-date system.”
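The behaviour Umawing describes, an infected host that keeps contacting SMB (TCP 445) on as many neighbours as it can reach, is visible in ordinary firewall logs as one source touching many distinct destinations on port 445 in a short window. The following is an added example, not code from the article or from any of the vendors quoted: a small detector over constructed sample log lines, with the 60-second window and 20-target threshold as assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample firewall lines (not real data): 'ts src dst dport action'."""
    base = datetime(2017, 8, 14, 9, 0, 0)
    lines = []
    # Worm-like host: 60 distinct SMB targets inside 30 seconds (mostly blocked).
    for n in range(1, 61):
        ts = (base + timedelta(seconds=n // 2)).isoformat()
        lines.append(f"{ts} 10.0.5.23 10.0.6.{n} 445 DENY")
    # Legitimate client: many SMB connections, but all to one file server.
    for n in range(60):
        ts = (base + timedelta(seconds=n)).isoformat()
        lines.append(f"{ts} 10.0.5.40 10.0.5.2 445 ALLOW")
    # Busy HTTPS client: many destinations, but not SMB, so out of scope.
    for n in range(1, 41):
        ts = (base + timedelta(seconds=n)).isoformat()
        lines.append(f"{ts} 10.0.5.50 203.0.113.{n} 443 ALLOW")
    return lines


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak distinct 445/tcp destinations} for sources that
    reach min_targets or more distinct hosts within any sliding window."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:  # only SMB matters for this detection
            events[src].append((ts, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        start = 0
        for ts, dst in ev:
            in_window[dst] += 1
            while ts - ev[start][0] > window:  # expire old events
                old = ev[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged
```

Denied connections count as well as allowed ones, since a host that is blocked at the firewall is still advertising that it is infected and needs to be taken offline and patched.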
In a later email, Dean Ferrando, EMEA manager at Tripwire, explains how later reports “... suggest that the company had not applied all the security updates available from Microsoft. This highlights something that we already knew - many organisations are not good at applying software security updates. Applying available patches is one of the easiest ways to keep an organisation safe from new attacks; however, the unfortunate truth is that, despite the warnings and advisories to patch and secure the systems, there will always be a system that is missed. Complacency could be another reason why new outbreaks are being discovered - some companies may feel that because they were not impacted in the immediate period of time afterwards, they won't be infected as the controls they have in place are working, without checking. Conficker hit us in 2008 with a similar attack, causing an outbreak globally. Companies patched and secured their systems but months after the outbreak, Conficker was still infecting companies that hadn't taken the necessary precautions.”
Ferrando concludes with a message that the industry appears to need to say again and again: “Some simple controls that could help prevent the spread of the WannaCry outbreak can be adopted with minimal cost to companies and, as these controls have not been applied, we will hear of more outbreaks. Companies that haven't recovered would suggest a more severe problem – no disaster recovery plan, backups or no internal process or control to apply patches and secure systems. It could be that these companies need to recover the encrypted data to resume operations, and if that's unlikely, may have to start again in rebuilding their systems, or reverting to old backups.”