Businesses around the world were brought to a standstill in mid-May by the WannaCry ransomware attack. But were the affected organisations indeed victims of the ransomware, or of their own inefficiencies?
Ryan Roseveare, MD at BUI, believes the latter. He says, “IT and security professionals at affected companies have to ask themselves some tough questions. How long did it take before you became aware of the problem? Were you notified on the Friday that the attack happened? If you’re a security professional, did you know about the attack as it was in progress, or did you only find out when you arrived at work on Monday morning? What did you do in response to the attack? Did you immediately buy a piece of software to fix the problem? How many e-mails did you receive from vendors trying to sell you products after the fact, or even days later?”
The answers to these questions will define whether you have an effective security response programme in place or not.
Roseveare continues: “If you reflexively bought software, in this case you wasted your money. In fact, businesses didn’t need to spend a single cent to mitigate the WannaCry attack. The bottom line is that if your business was affected by this ransomware, your IT department or security professional either in house or outsourced didn’t do their job.
“In fact, I’d go so far as to say that if your IT security provider didn’t inform you about the WannaCry attack on the Friday as it happened, you need to look at another provider. If they sent you an e-mail marketing a product after the fact, then you need to think twice about their motivation.”
Roseveare believes that if businesses were caught out by this particular ransomware, it was entirely self-inflicted. He says, “If your IT department had been proactive and initiated a standard response process and an effective patch management and update programme, WannaCry wouldn’t have even featured on your radar. If your response was to buy software to protect yourself going forward, you’ve probably wasted your money. In fact, we’re seeing a rise of what we refer to as Ransomware as a Service –  vendors are using ransomware as a marketing vehicle to sell a product. They’re capitalising on an incident that doesn’t actually require you to buy anything, to sell you stuff you probably don’t need.
“A proper security advisor would have told you about the ransomware attack on the afternoon that it happened. If you only found out on Monday about this attack or that your business was affected, then that was far too late you did not do your job and perhaps some introspection is needed.”
Businesses must examine their security response processes in terms of how they managed the attacks. Roseveare explains: “You need to interrogate whether all of your systems could be affected all the time, in this case did you communicate to everyone in your organisation over the weekend to explain what had happened and what they should do about it? Or did you come in on Monday morning, get an e-mail from a vendor and buy some software you didn’t need?
If we look at the timeline below, businesses should have had at least three months to prepare for this particular attack. If you still got caught, then it’s time to reassess your practices and your providers.”
WannaCry timeline
- 16 January – US-CERT issues advisory on new SMB vulnerability.
- 10 February – First infection of WannaCry.
- 14 March – Microsoft releases patch for CVE-2017-0144.
- 27 March – Second wave of attacks.
- 14 April – Shadow Brokers releases EternalBlue exploit code.
- 10 May – CVE-2017-0144 exploit is added to Exploit.DB.
- 12 May – New wave of WannaCry attacks begins, using EternalBlue exploit to spread.
- 12 May – Microsoft releases CVE-2017-0144 patch for Windows XP.
- 12 May – Kill switch domain #1 is sinkholed.
- 13 May – A new version of WanaCry surfaces.
- 14 May – Kill switch domain #2 is sinkholed.
- 17 May – Notice displayed on infected computers claiming files will be decrypted if ransom is paid.
Roseveare concludes by issuing a warning: “We know that this is going to happen again, WannaCry wasn’t the last ransomware attack, it certainly wasn’t the first one, just this week there has been another outbreak and they are going to continue for the foreseeable future.
“What are you doing to protect your business? Or have you become complacent because you bought something? My recommendation is that you adopt a proactive approach, re-evaluate your policies and responses, re-evaluate your vendors!”