With the one-year anniversary of WannaCry (May 12th) approaching, two cybersecurity experts with Juniper Networks commented below on what’s changed and what hasn’t, and offered advice on what works to minimize the impact of ransomware attacks.
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:
“Immediately after the WannaCry epidemic last year, most security researchers advised people to disable SMBv1 entirely and make sure SMBv2 was not exposed to the internet. One year later and we are still seeing about 2.3M devices with SMBv1 exposed to the internet, with the majority of these vulnerable machines in the UAE, US, Russia, Taiwan and Japan.
“As we continue to see successful ransomware attacks, it begs the question: why don’t people have backups of their critical data? Every board of directors should be asking its CISO about the company’s backup strategy. A ransomware attack should be a blip on the radar that wastes people’s time to restore from backups, not a week-long debacle of trying to restore service and deciding whether to pay the ransom or not.
“The same mitigation techniques that have been recommended over and over again are still relevant and effective to minimize the impacts of a ransomware attack, but it comes down to actually implementing them:
- Patch your systems quickly after a security vulnerability is disclosed and fixed.
- Back up your critical data and test your backups regularly.
- Segment your network and make sure access to different segments is based on business need.
- Do not give admin privileges to all users if not needed.
- Mount remote file systems on a system only if needed.
- Disable SMBv1 and make sure SMBv2 is not exposed to the internet.
- Invest in an advanced persistent threat detection capability which has lateral movement visibility.
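The SMBv1 item in the list above is the one most directly tied to WannaCry, and it is also the one that can be audited and enforced with a few commands. The following PowerShell script is an added example, not part of the Juniper commentary: it checks whether the SMBv1 server protocol is enabled on a Windows host, disables it and removes the optional feature, blocks inbound TCP 445 on the Public firewall profile so SMBv2/v3 stays internal, and then reports the resulting state as an object that can be collected fleet-wide. It assumes a Windows 10 / Server 2016 or later host with the built-in SmbShare, Dism and NetSecurity modules and an elevated session; the firewall rule name is a constructed value.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and remediate SMBv1,
# then restrict inbound SMB on the Public profile. Assumes the built-in
# SmbShare, Dism and NetSecurity modules are available.

# 1. Audit: is the SMBv1 server protocol enabled on this host?
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME"
    # 2a. Remediate at the SMB server configuration level.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "SMBv1 server protocol already disabled on $env:COMPUTERNAME"
}

# 2b. Remove the SMB1Protocol optional feature (client and server components).
#     A reboot is needed for full effect; -NoRestart lets you schedule it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Keep SMBv2/v3 for internal (Domain/Private) use, but block inbound TCP 445
#    on the Public profile so the file service is not reachable from untrusted
#    networks. Rule name below is a constructed value for this example.
$ruleName = 'Block inbound SMB (TCP 445) - Public profile'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
}

# 4. Re-audit and emit one object per host; suitable for Invoke-Command
#    across a fleet and export to CSV for the CISO's tracking sheet.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    SMB1Server     = (Get-SmbServerConfiguration).EnableSMB1Protocol
    SMB1Feature    = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    Port445Blocked = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}
```

Run it once to see the before/after state, then run it again from a scheduled task or configuration-management job so drift (a re-enabled feature, a deleted rule) shows up in the reported object rather than in the next incident. The Public-profile block is deliberately narrow: a host-based rule on one profile is a backstop, not a substitute for blocking TCP 445 at the perimeter.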
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
“In the year since WannaCry, we have seen some significant changes to the threat landscape dynamic – one being that we have partially moved from ransomware to cryptojacking. Ransomware attacks are only effective if the organization has failed to back up their data, but cryptojacking and malicious cryptomining attacks do not need prerequisites. As a result, cryptojacking increased 8,500% in the last quarter of 2017 and made up 16% of all online attacks. But that’s not to say that criminals aren’t still using ransomware as well. This is evident by the SamSam attack on the City of Atlanta that caused the city more than $5 million in damage and clean-up costs.”