The news of a massive cyber-attack on NHS hospitals across the country last Friday was, to most people, shocking and unexpected. As the story broke, however, it quickly became apparent that this was only the tip of the iceberg. The attack was spreading fast, and soon companies and organisations from around the globe were putting their hands up to report that similarly crippling attacks had taken place on their computer networks.
For many people, WannaCry (as it has been dubbed) was the first time they’d heard of ransomware. Others had only a vague awareness of the problem. One thing I can guarantee though is that after the weekend’s events, vastly more people are aware of ransomware, and of its crippling effects on IT systems.
For me, as a threat researcher at cybersecurity company Kaspersky Lab, the news highlighted the fact that cyber-attackers are becoming ever more creative and professional. What’s more, it supported Kaspersky Lab’s recent prediction that cybercriminals are extending their attention beyond attacks against private individuals to targeted ransomware attacks against businesses and other organisations.
There are different motives for all kinds of cyber-attack, ranging from financial gain and the desire to make a social or political point to cyber-espionage or even, potentially, cyber-terrorism. But in the case of ransomware, it’s fairly clear that financial gain is the driving factor.
The criminals behind WannaCry reportedly asked for $300 – quickly rising to $600 – to decrypt files. While this might seem like a small price to pay to restore access to your files, we would strongly recommend never paying. The last thing you want to do is reinforce this business model! The only reason ransomware such as this continues to grow in popularity is that the criminals behind it see a financial gain in it. Remove the reward, and you extinguish the threat.
What can be done?
The attack demonstrates the need for businesses to segment their networks so that, in such attacks, parts of the network beyond the group of computers first compromised are not affected. In addition, consider your identity and access management controls – don’t give admin rights to users by default and only allow access to data on a ‘need to access’ basis.
It also reinforces the notion that security should be seen as an ongoing process that can’t be fixed just by deploying an out-of-the-box solution. It must include policies to manage updates across different systems within the organisation and a programme to develop greater security awareness among staff.
To help small business owners better protect themselves from the WannaCry ransomware attack, and any such future attacks, we recommend the following:
- Conduct proper and timely backups of your data so it can be used to restore original files after a data loss event.
- Visit the “No More Ransom” website, a joint initiative between law enforcement and IT security companies designed to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network, and keep it updated.
- Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Bringing on interim security consultants who can offer in-depth, best-practice insights could assist your existing team with this exercise. However, be sure to review external vendor and third-party security policies in case they have direct access to the control network.
- Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
- Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources (personnel hours, budget and time) to attack detection and response in order to block an attack before it reaches critically important objects.
- Use a security solution with behaviour-based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system, making it possible to detect fresh and as yet unknown samples of ransomware.
It may seem daunting to some small business owners, but in an increasingly digital world, strong cyber-security and good security practices are increasingly important. If you don’t get it right, as the world has just seen, it can all go wrong… quickly.
David Emm, Principal Security Researcher at Kaspersky Lab
David has been with Kaspersky Lab since 2004 and is a member of the company’s Global Research and Analysis Team. He has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon’s Software, and Systems Engineer and Product Manager at McAfee. In his current role, David regularly delivers presentations on malware and other IT security threats at exhibitions and events, highlighting what organisations and consumers can do to stay safe online.