In the ongoing international WannaCry ransomware saga, today Reuters reported from Moscow that Russia’s postal service was hit by WannaCry ransomware last week and some of its computers are still down, three employees in Moscow said, the latest sign of weaknesses that have made the country a major victim of the global extortion campaign. IT security experts from Cyphort Labs, Tripwire and FireMon commented below.
Mounir Hahad, Ph.D., Senior Director at Silicon Valley-Based Cyphort Labs:
“We are not aware of organizations with consumer facing services that are down.
It is surprising that this particular service is still down. I suspect this has nothing to do with encrypted files. The computers are probably infected in a way that did not trigger the encryption of data (thanks to the kill switches) and that the IT team fears the ransomware would be awakened and start infecting other computers. We already know of DDoS attacks against the kill switches that could indeed bring to life zombie infected computers.
Given these computers may still be running unsupported Windows XP operating system, it may be a while before they are upgraded to a newer OS, especially if postal applications need to be certified on a new OS before being put in production.
Going back to Windows XP would be a mistake in my opinion. There could be more yet to be disclosed vulnerabilities on this OS which Microsoft no longer supports and cyber criminals would be happy to take advantage of that.”
Paul Norris, Senior Systems Engineer, EMEA at Tripwire:
“After almost two weeks since WannaCry hit the world causing widespread disruption, there are still stories breaking where organisations have just fallen victim to the attack. Some companies have not recovered from the attack yet.
It begs the question, with all the exposure this cyber-attack generated, dominating headlines, endless blogs written about it, why are companies still being attacked?
The unfortunate truth is that, despite the warnings and advisories to patch and secure the systems, there will always be a system that is missed. Worse still, companies have not reacted quickly enough as time, effort and money has to be sort to protect these systems. Complacency could be another reason why new outbreaks are being discovered… some companies may feel that because they were not impacted in the first two weeks, they won’t be infected as the controls they have in place are working without checking.
Conficker hit us in 2008 with a similar attack, causing an outbreak globally. Companies patched and secured their systems but months after the outbreak, Conficker was still infecting companies that hadn’t taken the necessary precautions.
Some simple controls that could help prevent the spread of the WannaCry outbreak can be adopted with minimal cost to companies and as these controls have not been applied, we will hear more additional outbreaks. Companies that haven’t recovered would suggest a more severe problem – no disaster recovery plan, backups or no internal process or control to apply patches and secure systems. It could be that these companies need to recover the encrypted data to resume operations, and if that’s unlikely, may have to start again in rebuilding their systems, or reverting to old backups.”
Paul Calatayud, Chief Technology Officer at FireMon:
“It is not a surprise that these systems are still down. If they were critical to operations and now hit with malware, it’s now about recovery and restoration. And keep in mind, restoring a system prior to exploit means it’s once again vulnerable to the same exploit until it has been patched.”