Ransomware is one of the most popular cyber attack methods, but WannaCry could potentially change this, said Rik Ferguson of Trend Micro, speaking in his capacity as cyber security advisor to Europol.
“WannaCry was a very amateurish attempt to weaponise something that was very professional,” he told Infosecurity Europe 2017 in London.
“The coding, encryption and decryption were shoddy while the key management and decryption processes were poorly designed.”
The poor attempt to make use of exploits supposedly developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers hacking group broke the trust that ransomware relies on.
“The biggest thing wrong with [WannaCry] is that it broke the trust model that ransomware feeds on because it relies on the fact that if the ransom is paid, data is restored,” said Ferguson.
“However, the more it becomes apparent that paying the ransom does not necessarily mean you get the data back, the less likely people are to pay,” he said.
According to Ferguson, this could be the most positive result from the WannaCry attacks that hit more than 200,000 computers in 150 countries in mid-May 2017.
“Breaking the trust model may just kill the goose that laid the golden egg from the criminals’ perspective because it has made people aware that, even if they pay the ransom, there is no guarantee they will get their data back, and that they do have to focus on other methods of mitigation and recovery,” he said.
Media interest boosts ransomware profile
The second positive thing about WannaCry, said Ferguson, is that the media attention it was given has served to boost the profile of ransomware.
“This will hopefully result in more individuals and organisations paying more attention to vulnerability management, patch management and backup management. So there is a lot of good stuff that could come out of WannaCry,” he said.
As a result of these two positives, Ferguson said that while 2016 and early 2017 saw ransomware increase rapidly in popularity as attackers invested time and effort in developing new families of ransomware, the latter half of 2017 could see the steep rise of ransomware begin to plateau and even decline.
“I think the rate of expansion and investment [of ransomware] won’t continue,” said Ferguson, especially as more people and organisations refuse to pay the ransom. But while this may lead to a decline in ransomware as an attack method, he cautioned that the criminals will only move to some other way of making money.
Data backups and access controls
In the face of the significant ransomware threat, Ferguson said there has been some good cross-industry collaboration, such as the No More Ransom initiative, which is an online portal aimed at helping victims of ransomware to recover their data without having to pay ransom.
The portal is also aimed at informing the public about the dangers of ransomware, and was started as a joint initiative by the Dutch National Police, Europol, Intel Security and Kaspersky Lab, but has since been joined by other partners.
Ferguson said organisations can reduce the likelihood of needing to pay ransom or losing data by ensuring they do regular data backups and that those backups are stored offline.
“Revisit your backup regime, and make sure you always have at least one backup mechanism that is offline to give you space to recover,” he said.
Ferguson also advised organisations to review their data access controls to ensure access rights are given only to employees who need them. “Follow the principle of least privilege, and if people only need to read files, give them read-only access,” he said.
Finally, he said organisations should make sure they keep current with patching that is appropriate for their organisation and ensure all employees know how to recognise current threats and how to respond.
Keeping all systems and software fully patched at all times is not possible, said Ferguson, but organisations need to patch for the things they are most vulnerable to.
“We talk too much about patch management. We need to talk more about vulnerability management. It is about making sure you are aware of which vulnerabilities exist in your organisation, and about making sure you can do something to mitigate the exploitation of those vulnerabilities,” he said.