5 years on from one of the world’s most damaging ransomware attacks, research from network detection and response leader ExtraHop has found that 68% of enterprises are still running an insecure protocol that was exploited by the North Korean ransomware.
Five years have passed, but WannaCry is still around. As a worm, it can spread on its own, and unfortunately, because there will still be vulnerable, unpatched systems out there on the internet, it remains a threat. At Unit 42, we still see the occasional sample of WannaCry being analysed in our systems based on what customers are seeing in their networks. It’s likely this is due to the worm attempting to spread using its built-in Windows exploits, which may or may not be successful.
At the time, it was a shock to many since worms were not common five years ago, especially not when combined with such a powerful and prevalent exploit as the one used. Even before this period, patching vulnerabilities was high on the list of things to do in order to better secure networks from attacks. However, the WannaCry event served to bring this point front and centre for many businesses.
Since then, we’ve seen more worms using similar vulnerabilities and we’ve also seen an increase in the number of vulnerabilities in general. Couple this with the growing list of software used by many organisations now, and the attack surface area remains great.
It’s likely impossible to patch everything in every network, so organisations should prioritise based on what the systems are and whether they play a key role in serving or protecting company assets, or based on threat intelligence data that could inform which vulnerabilities are actively being targeted by threats and threat actors that could pose a risk.
This May marks five years since the WannaCry ransomware attacks devastated the public sector. In those intervening years, ransomware has become the top cybersecurity threat, driven by factors such as more sophisticated phishing attacks, the growth of Ransomware-as-a-Service and the increasing popularity of cryptocurrency.
As traditional defences continue to fall short in keeping ransomware out, it’s essential that organisations focus greater attention on being able to recover quickly from an attack, ideally without having to pay ransom. The best way to do so is by having an immutable data backup copy. Data immutability ensures that once data has been written, it can’t be changed or deleted. This prevents cyber criminals from encrypting the data and enables ransomware victims to restore the unencrypted backup and resume operations, without paying ransom.
In addition, organisations should encrypt sensitive data, both in flight and at rest, to counter the other form of ransomware extortion. Encryption prevents cyber criminals from reading or making data public in any intelligible form.
The events of May 12, 2017 live on in cybersecurity lore. WannaCry revealed just how extensive the damage caused by ransomware can be if deployed in large scale – from downtime to ransom paid to reputational damage. Yet despite the danger, ExtraHop recently found that 68% of organizations are still running SMBv1, the protocol exploited in the WannaCry attacks that has been publicly deprecated since 2014.
I’d advise organizations to take this day to focus on two areas to help their security posture.
First, acknowledge the danger outdated, legacy technology poses. If you’re unable to update or patch, make sure you have good visibility into it, including both north-south and east-west activity. The adage you can’t protect what you can’t see has been around for a long time for a reason – it’s true. The scramble around Log4J and Spring4Shell proved how important it is to know exactly what is running on your network. I see new users who are surprised by Log4Shell vulnerabilities still open in their network.
Second, focus on the incident response process. How long will it take your organization to push an update or patch if a new vulnerability is released? Our research shows that only 26% of enterprises can respond in less than a day—probably fast enough to prevent most attacks, while 39% take one to three days, 24% take up to a week, and 8% take up to a month. Put in place steps now to enable your team to take action quickly including having the right visibility tools, downtime processes, and support from leadership to push through critical updates.
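A quick way to check whether a Windows host is among the 68% still running SMBv1, and whether any clients are still negotiating it, is the audit below. It is an added example, not code from the article or from any of the vendors quoted; it uses the built-in SmbShare and Dism cmdlets, assumes an elevated session, and assumes that SMB1 sessions report a Dialect of the form "1.x" (SMB2/3 report "2.x"/"3.x").

```powershell
# Added example: audit SMBv1 exposure on the local Windows host.
# Run elevated. Does not change any setting; remediation commands are only printed.

function Get-Smb1Audit {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Server-side setting: is the SMB1 server protocol switched on at all?
    $srv = Get-SmbServerConfiguration
    $result.Smb1ServerEnabled = [bool]$srv.EnableSMB1Protocol

    # 2. Is the OS still carrying the SMB1 optional feature (client and/or server)?
    #    Get-WindowsOptionalFeature is present on Windows 10/11; where it is not,
    #    the error is recorded instead of aborting the audit.
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $result.Smb1FeatureState = [string]$feat.State
    } catch {
        $result.Smb1FeatureState = "unknown: $($_.Exception.Message)"
    }

    # 3. Live evidence: current sessions that negotiated an SMB1 dialect.
    #    Assumption: SMB1 sessions show a Dialect like "1.5"; SMB2/3 show "2.x"/"3.x".
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
    $result.Smb1Sessions = @($smb1Sessions)

    # 4. Is SMB1 access auditing on? When enabled, each SMB1 client connection is
    #    logged as event ID 3000 in Microsoft-Windows-SMBServer/Audit.
    $result.Smb1AuditingEnabled = [bool]$srv.AuditSmb1Access

    [pscustomobject]$result
}

$audit = Get-Smb1Audit
$audit | Format-List

if ($audit.Smb1ServerEnabled) {
    Write-Warning "SMB1 server protocol is enabled on $env:COMPUTERNAME."
    Write-Warning "Remediate with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}
if ($audit.Smb1Sessions.Count -gt 0) {
    Write-Warning "Clients still negotiating SMB1 (migrate these before disabling the server side):"
    $audit.Smb1Sessions | Format-Table -AutoSize
}
if (-not $audit.Smb1AuditingEnabled) {
    Write-Warning "Enable SMB1 access auditing to find legacy clients over time:"
    Write-Warning "  Set-SmbServerConfiguration -AuditSmb1Access `$true -Force"
}
```

Leaving auditing on for a few weeks before disabling SMB1 surfaces the east-west dependencies (old printers, NAS boxes, embedded devices) that would otherwise break silently.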