The recent ‘WannaCry’ ransomware attack sent ripples through organizations around the world – disabling “some 200,000 computers in more than 150 countries” and shutting down operations at major institutions such as the United Kingdom’s National Health Service (NHS). While the immediate threat may be over, organizations should still be concerned, as reports indicate that copycat and other similar attacks are likely to follow. The question for many is, “how do you prevent such an attack?” CREATe’s work and research, together with insights from our cybersecurity Advisory Council and other experts, confirm that a proactive, preventative approach based on the business controls associated with “people, processes and technology” provides the most effective way to ensure that protections are embedded across an organization.
According to Microsoft, ransomware stops users from being able to use their devices, locking them down and holding their files for ‘ransom.’ Initially ransomware was spread by email and online advertisements; however, some variants have since evolved to spread automatically from one machine to the next without any action by the user.
The WannaCry ransomware program locked down computers around the world, with the attackers demanding a ransom paid in the virtual currency bitcoin. There are two prevailing theories on how the ransomware spread through networks. Initially, phishing (the opening of an infected email attachment) was suspected; however, cybersecurity experts say they have ruled that out. Attention has turned instead to TCP port 445, the port used by Windows file and printer sharing (the SMB protocol). It exists so that computers on the same internal network can share files and devices such as printers, and it should not normally be reachable from the internet. The worm component of WannaCry spread by exploiting an unpatched flaw in the Windows SMB service listening on port 445 (the vulnerability Microsoft fixed in its March 2017 security update MS17-010): any machine that accepted connections on that port, whether from the internet or from an already-infected host on the same network, could be infected without anyone opening anything. According to reports, Russia was hit hardest, reportedly because as much as 65 percent of software there is unlicensed or pirated and, as such, does not receive security updates.
An alternative scenario being evaluated is that an employee connected a company device to an unsecured network, perhaps at a coffee shop or café, where the ransomware infected the device over that same port. When the device was later reconnected to the company network, the ransomware spread from it to other machines. The two scenarios are not mutually exclusive: both depend on an unpatched machine being reachable on port 445 by an infected one, which is why patching and limiting where port 445 can be reached from are the technical controls that matter most.
Be Aware and Prepare
Organizations large and small can take a number of actions to help prevent ransomware and other cyber threats from taking hold within a network. CREATe recommends considering an approach based on addressing “people, processes and technology.”
Insiders – ranging from employees to contractors, consultants and others with access to corporate networks – can pose the greatest cyber threat to an organization. As such, experts from PwC, WSJ, FBI, Protiviti and EY all recommend cultivating an environment of cybersecurity awareness across an enterprise. Employees should receive training regarding phishing and other cyber risk concerns. The NIST Cybersecurity Framework suggests that it may be useful to have posters, emails and other communications about particular cyber threats or simply to remind employees of best practices.
Furthermore, NIST, the FBI and others also recommend incident response training for employees. This training can range from knowing where to report a suspected hack, to specialized instruction in system recovery and restoration for those individuals who will be involved in responding to one.
As noted in a CREATe whitepaper about protecting trade secrets and other confidential information from cyber threats, organizations should have processes in place to mitigate risks. These range from a way to control insiders’ access to sensitive information, to protocols for managing cybersecurity when employees join or leave an organization, to other processes such as conducting a ‘root-cause analysis’ after a lapse occurs.
Furthermore, the above-mentioned articles from the WSJ, PwC, EY and Protiviti, as well as an article by Krebs on Security, all recommend that individuals, small business owners and organizations back up their data. Krebs even recommends backing it up to a cloud-based service in addition to an external hard drive. One caveat: ransomware typically encrypts every drive the infected machine can write to, including mapped network shares and an external disk that is left permanently attached, so at least one copy should be kept offline or in a versioned store, and restores should be tested before they are needed. Notably, many of these experts emphasized that even the best protected networks are vulnerable if a user unwittingly opens an infected email.
Every expert has strongly recommended that all software programs be updated to the latest versions and have the most recently released patches installed. For WannaCry, that meant the Windows SMB security update Microsoft had published in March 2017, two months before the outbreak, and which Microsoft subsequently made available even for out-of-support systems such as Windows XP and Windows Server 2003. Protiviti recommends that once all devices are up to date, anything that cannot be patched or updated should be segmented from the rest of the network, so that a flaw it still carries cannot be reached from the machines that would otherwise spread an infection to it.
An inventory of all devices should also be taken and updated regularly, since it is difficult to patch, or recover files from, devices that an organization doesn’t know it owns. EY, NIST and PwC all recommend having contingency plans in place to react to cyber threat situations as well as to recover data, which may be as simple as restoring files from backups.
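As an added illustration of the ‘technology’ controls described above (this is example code written for this page, not code from CREATe or from any of the cited reports), the following PowerShell script checks whether a Windows host still speaks the SMBv1 dialect that the WannaCry worm abused over TCP port 445, disables it, scopes the Windows Firewall so that port 445 is only reachable from internal ranges and is blocked outright on public networks such as a coffee shop, and tests a list of inventory hosts to see which of them accept connections on port 445. The corporate address ranges and host names are placeholders, the firewall rule group name assumes an English-language Windows, and the script must be run from an elevated prompt on Windows 8.1 / Server 2012 R2 or later. It complements installing the security update; it does not replace it.

```powershell
# Added example for this page (not from the original article or its sources).
# Assumptions: run elevated on Windows 8.1 / Server 2012 R2 or later; the
# address ranges and host names below are placeholders; the rule group name
# 'File and Printer Sharing' is the English-language name.
#Requires -RunAsAdministrator

$CorporateSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder internal ranges

function Get-Smb1Status {
    # Report whether this host still offers the SMBv1 dialect to clients.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb2ServerEnabled = $cfg.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    # Turn off the SMBv1 server dialect, then remove the optional feature so it
    # cannot be re-enabled by accident. On older Server editions the feature is
    # removed with Remove-WindowsFeature FS-SMB1 instead; this call is skipped there.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Set-SmbFirewallScope {
    param([string[]]$AllowedRemote = $CorporateSubnets)

    # Make sure the firewall is on for every profile and drops unsolicited inbound traffic.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # The built-in file-sharing allow rules are what open TCP 445. Scope them to the
    # internal ranges so that a laptop on an untrusted network does not accept SMB.
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress $AllowedRemote

    # On the Public profile (coffee shop, hotel) block TCP 445 outright. Windows
    # evaluates block rules before allow rules, so a later allow rule cannot override this.
    $ruleName = 'Block inbound SMB (TCP 445) on public networks'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

function Test-Smb445Exposure {
    param([string[]]$ComputerName)
    # From a reference host, record which inventory hosts accept TCP 445 at all.
    # Anything that answers but cannot be patched is a candidate for segmentation.
    foreach ($name in $ComputerName) {
        $r = Test-NetConnection -ComputerName $name -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $name
            Port445Open  = $r.TcpTestSucceeded
        }
    }
}

# Usage on the local host, then an exposure sweep over placeholder inventory names.
Get-Smb1Status
Disable-Smb1
Set-SmbFirewallScope
Test-Smb445Exposure -ComputerName 'fileserver01', 'hr-laptop-07', 'print-srv-02' | Format-Table -AutoSize
```

Run the exposure sweep from a host inside the corporate ranges; run it again from outside them (or from a guest network) and every result should read False. The scoping of the file-sharing rules is intentionally done with the existing rule group rather than a single hand-written allow rule, so that the change survives Windows feature updates that recreate the built-in rules.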
None of the experts recommend paying the ransom in the event of a compromised network. There is no guarantee that the attacker will decrypt the files, and the attacker may also lose the ability to decrypt them.
The site nomoreransom.org has a wealth of information about ransomware. It is available in 13 languages and has partnerships with over a dozen law enforcement agencies across the globe. The resource was launched in July 2016 in a partnership between Kaspersky Lab, Intel Security, Europol and the Dutch National Police, all of whom remain active partners. In the event of a suspected ransomware attack, the site’s ‘Crypto Sheriff’ tool lets a user upload an encrypted file or the ransom note to identify which ransomware family is involved and whether the site holds a decryption tool for the user’s files.
Visit CREATe.org/Resources for additional whitepapers and guides about cybersecurity and the protection of trade secrets and other confidential corporate information.