New reports from leading cyber-security vendors have revealed a surprising trend as far as the ransomware attack vector is concerned: WannaCry just refuses to die. According to Trend Micro and Kaspersky, two years and several patches later, WannaCry remains the single most active ransomware family.
WannaCry accounted for nearly a quarter of all detections (23.37 percent), said the Kaspersky IT threat evolution Q2 2019 report. "The infamous WannaCry remained the most detected ransomware family, with numbers that far exceeded those of the other ransomware families combined," said Trend Micro’s 2019 mid-year security roundup report.
The big question, then, is why won't WannaCry die?
"The persistence of WannaCry is less to do with criminal chancers, and more due to its nature," Bharat Mistry, principal security strategist at Trend Micro, told SC Media UK. "It’s a worm."
Mistry warns it’s hard to say whether we’ll ever be able to fully eradicate WannaCry. "Its lingering effect is likely due to its existence in older and less secure networks," Mistry noted.
About 95 percent of the detected WannaCry attacks were targeted at Windows 7 devices, said the Trend Micro report. According to the Kaspersky report, 47 percent of SMBs and enterprises are still running Windows 7. Many of these are not just legacy systems, but mission-critical legacy systems, deepening the impact of a possible attack.
"The widespread use of Windows 7 is concerning as there is less than six months to go until this version becomes unsupported," said Alexey Pankratov, enterprise solutions manager at Kaspersky. "An old unpatched OS is a cyber-security risk. The cost of an incident may be substantially higher than the cost of upgrading."
The organisations using Windows 7 for mission critical systems are expected to be proactive in patching. They are not, say the researchers.
"Many organisations still operate with an ‘If it ain’t broke don’t fix it’ mentality when it comes to cyber-security," said Mistry. "Unfortunately, as is usually the case in instances of ransomware, once organisations realise their defences are ineffective, it’s already too late."
Mistry advises that an effective strategy against the likes of WannaCry should incorporate a Recovery Time Objective – the time it will take for a firm to recover from an incident – as well as the Recovery Point Objective – the amount of data a firm can actually afford to lose.
"We advise that any strategy follows the rule of: three, two one. This means three copies of a backup, on two different media types and one off site copy," Mistry concluded.
Ian Thornton-Trump, head of cyber-security for Amtrust International, said we need to rewind back from the clearing up after WannaCry advice and understand that WannaCry is a payload.
"In order to get Wanna’cried, a lot of bad things have to happen first," Thornton-Trump told SC Media UK.
According to him, everything starts with an exploit. EternalBlue, which is at the core of WannaCry, is a nation-state level, Server Message Block protocol exploit developed by some of the brightest and devious minds at the NSA’s Tailored Access Operations (TAO). "It’s reliable, modifiable, flexible and super simple to use – this is all kinds of bad," Thornton-Trump warned.
Then there's DoublePulsar backdoor implant tool, "brought to you from those same NSA badass teams" and the payload that can be "anything from Mimkatz (credential stealing) to ransomware".
Blocking one port, 445, from inside the network to the outside world at the boundary firewall shuts this entire attack chain down, Thornton-Trump said. "That's right, one port is between you and getting pwned by the exploit, the Trojan and the payload."
Technological debt and poor asset management within the enterprise is at the heart of the problem here, he pointed out.
"Decommissioning old systems, especially ones that can no longer be patched or updated has to be a priority. The better you are at knowing what you have and what it is vulnerable to is the only way to protect your organisation against exploitation," Thornton-Trump concluded.
Dr. Magda Chelly, managing director at Responsible Cyber and a 'CISO On Demand', points out that vulnerabilities management and monitoring are "critical and complex tasks" that within a big multinational "are absolutely not trivial and might fail due to people, technology or process".
Taking a practical view of an enterprise operating globally with over 500 servers, and a security team of less than 20 people, Chelly warns that the reality is far from ideal. "Vulnerability management remains a very complex and hard domain to manage. It is really important to have a holistic approach across the various pillars: technology, people and process," Chelly told SC Media UK.
In order to develop and implement an adequate vulnerability management programme, Chelly advises organisations to define a strict patch management and stick to it.
"Make it simple but take into consideration the workload of your team. Prioritise as you won't be able to patch it all as vulnerabilities are discovered every day, and monitor/discover your assets again and again and again."