From hospitals to transportation networks, no target has been off limits to ransomware attacks in recent history. Now, organizations in more than 70 countries are trying to recover from a May 12 ransomware incident being dubbed the “WannaCry” attack.
In the UK, the ransomware targeted at least 16 hospitals, reportedly closing wards and diverting ambulances. But media reports also highlight activity in the U.S., China, Russia, Italy, Spain and Taiwan.
While the original source of the WannaCry attack, so called because of the “.WCRY” extension on file names, remain unclear, its origin appears to be linked to an exploit dump in mid-April in which Shadowbrokers released exploits used by the National Security Agency (NSA).
Though patches were issued to defend against the vulnerability ahead of its publication, it appears that many organizations that haven't installed the patch were affected.
According to widespread media reports, whoever was behind the multinational attack demanded $300 in bitcoin cryptocurrency, a price that would double if not paid within a three-day time period.
Mike Geraghty, chief information security officer (CISO) of New Jersey and director of the state's Cybersecurity and Communications Integration Center (NJCCIC), said officials are still sorting through the details and reports surrounding the attack, and have yet to identify any exposures within their jurisdiction.
Ransomware attacks have become an increasingly popular crime based on the relative ease of deployment, which often occurs through email phishing attempts. Once infected, an organization isn’t left with many options, said Geraghty.
“If you’re infected, you’ve really got two choices. You eat the data and say, ‘We’re not going to pay the ransom,’ or you do pay the ransom,” he explained. “We advise not paying the ransom because as more and more people do pay it, obviously, it emboldens the attackers that are doing this and it will continue to grow, and grow, and grow, and grow.”
The NJCCIC has so far identified around 162 common ransomware variants, roughly half of which have a known decryption tool or solution available.
The best defense comes down to a combination of layered security and end-user awareness. Though he ventured the guess that many of the affected organizations were behind firewalls, he said they likely allowed connections into Server Message Block protocol ports rather than blocking them.
“Only services that are necessary should be allowed at the firewall," Geraghty said. "From there, you have to be filtering the data coming into the network, you have end-point protection, which is any malware stuff, you’ve got your Web gateway and mail filtering to block malware within email or coming through websites and such.”
Missouri CISO Michael Roling agrees that addressing the threat of ransomware boils down to three key areas: consistent system backups, vigilant patch management and solid end-user awareness.
“As we’ve seen with the attacks today, the dust is still settling, but the bad guys are using known vulnerabilities to distribute their ransomware. These vulnerabilities were patched back in March …, so having good cyberhygiene and being able to properly manage your workstations and servers is vital.”
Though he was reluctant to comment on where a state like his would see the most risk from such a widespread attack, he would say the threat posed by ransomware became clearest to cybersecurity professionals in 2016 when attackers essentially shut down Hollywood Presbyterian Hospital.
“Up until that point, ransomware, everyone knew that it would encrypt your data and if you had backups, perfect; if you didn’t, you’re left with a tough choice," he said. "But when that occurred, I think we all realized the significance of what could happen to public safety and human lives."
To better position the state of Missouri against the larger threat, Roling said agencies need to have solid data classification practices in place to ensure successful backups.
“Backups require agencies and other government entities to understand what needs to be backed up," he said. "The tried and true method of doing data classification is absolutely vital in ensuring protections against a ransomware attack.”
What’s more, he advocates for table-topping hypothetical incidents to find the gaps in communication and process and better prepare teams to respond real-world incidents.
This preparation requires a host of federal, state and local intelligence sources, but also industry and native Internet sources.
“Traditionally they know what to do, but what tabletop exercises do very well is point out communication gaps and ways of streamlining those processes in the future," Roling said. "I think that is critical.”