The ransomware attack called “WannaCry” has effectively shut down many businesses and cost a great deal of money. What can we learn from this attack?
The Fallout and Lessons from WannaCry
Virtualization Review – By Trevor Pott – “On May 12, 2017, a new strain of ransomware called WannaCry began circling the globe. This ransomware attack has proven to be efficient and effective, earning WannaCry worldwide media coverage. Unfortunately, attempts to explain the details of the attack have not always been accurate.
My touchstone for discussing media inaccuracies is The New York Times article ‘Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool.’ In this article, The New York Times tries to convey the complexity of the WannaCry ransomware event to a non-technical audience.
The New York Times is one of the most important publications in the world. What it writes matters, and it helps set the tone for media reporting around the world. I feel that there are nuances missed in the reporting that are important, especially if we are to finally engage in the global discussion about IT security that we’ve needed to have for more than a decade.
The most important thing to understand about the WannaCry ransomware is that little about it is novel. WannaCry is not some technological terror lovingly crafted by a mad genius. Instead, it is an assemblage of parts, each of which is reasonably mundane, simple and well-tested.
The WannaCry ransomware incorporates numerous elements to assist its spread. The fact that it’s largely built of previously tested components has allowed its authors to regularly adapt the ransomware to overcome efforts to eliminate it. This sort of cat-and-mouse game is a normal and everyday part of the IT security world.
For ransomware to work, three basic elements are required. First, there must be a mechanism of initial infection. Second, there must be an encryption mechanism that prevents users from accessing their files. Third, there must be a demand for payment along with a means of making payment. Traditionally, ransomware authors will decrypt files if payment is made; however, in recent months there have been increasing strains of ransomware where payment does not result in decryption of files.
WannaCry adds a fourth element to the traditional ransomware cocktail: It uses a Windows vulnerability to spread beyond the initial infected computer. The result of this is that on improperly designed or improperly secured networks, one infected computer can infect many others.
WannaCry Detection and Prevention
WannaCry’s mechanism of initial infection relies on what’s known as phishing. In essence, these are scam e-mails that either contain a file that can infect your computer or entice you to click on links in the e-mail to take you to a Web site that will infect your computer. The most common versions of WannaCry are reported to use an encrypted file contained in a phishing e-mail.
Some media reports claim that the use of encrypted files makes WannaCry undetectable. This is false. Encrypted files of this nature are detectable, even with freely available e-mail filtering applications such as the eFa project’s Email Filter Appliance (hence, eFa).
These sorts of e-mail filters can be set to block all mail with encrypted files, block it only from likely spam sources or only allow encrypted mail from known trusted sources. These scanners can also be configured to allow end users to access the encrypted files, but only after reading a warning about the potential dangers. They can also be configured to send this type of mail to a systems administrator for assessment before release.
While open source solutions like the one made available by the eFa Project are somewhat cumbersome to deploy and use, commercially supported e-mail filters exist that are far more friendly. Many of today’s e-mail filtering solutions are perfectly capable of blocking even unknown threats.
That WannaCry malware even made it into user mailboxes to be opened means that e-mail administrators made a choice to allow these types of files through without adequate protections. Alternately, e-mail administrators were inadequately resourced and relying on e-mail filtering technologies that are years — or even decades — old.
Solutions also exist to ensure that malicious e-mails, once opened, cannot infect vulnerable computers. Bromium is considered the industry leader in this area, and had its technology been deployed on relevant networks, WannaCry wouldn’t have made headlines.
Modern IT security procedures and solutions, including network microsegmentation, core resource isolation and automated incident response, could each have been used to prevent the spread of infection. Had networks been properly designed, resourced and secured, any systems that did manage to become infected would only have been able to infect a limited number of others.
The technologies needed to prevent, detect and contain these outbreaks are new, but they’re no longer the bleeding edge. They are well within the capabilities of health care, government and enterprise IT departments.
Media reports typically focus on the patching of OSes and applications. Blame is laid on patching regimens because WannaCry used a previously patched Windows vulnerability to spread once established on a network. This is placing the blame where it doesn’t belong.
Even if an organization were to keep all computers fully patched, this would not make those computers secure. While patching is important, perpetuating the idea that it will somehow save us is dangerous. There are dozens, if not hundreds, of unpatched vulnerabilities in the Windows OS alone. That doesn’t include the various applications that run on top of Windows.
Governments and hackers alike hoard these ‘zero-day’ vulnerabilities for use in espionage and cyber warfare. Zero-day vulnerabilities are considered precious, expensive knowledge and are used sparingly, but every now and again they find their way into some bit of malware and infect everyday systems.
Proper IT security no longer relies solely on patching computers in order to keep networks safe. ‘Eggshell security,’ in which a network has a relatively well-defended perimeter but is undefended inside that barrier, hasn’t been considered adequate for more than a decade.
Systems administrators have been encouraged for years to consider every single computer on a network as unpatched and vulnerable, and design their network accordingly. WannaCry isn’t the first piece of malware to spread from one initial point of infection across a network, and it won’t be the last.
Patching Things Up
Some media outlets have reported that large-scale patching against WannaCry isn’t possible. This is false. Patching computers in an automated fashion isn’t only possible, it’s considered one of the most basic activities a systems administrator engages in.
Windows computers can have their patches managed with Windows Server Update Services, a free feature in modern Windows Server OSes. Paid options made available by Microsoft include System Center Configuration Manager for larger deployments and Intune for smaller deployments.
Patch management isn’t limited to Windows. Linux has numerous patch management options, with Red Hat’s Satellite being the most popular. For those with mixed environments, an entire industry called ‘endpoint management’ has emerged around patching and securing computers. There are hundreds of vendors selling products to patch and manage Windows, Linux and smartphones.
Patching, however, isn’t straightforward. There’s a lot of oversimplification occurring in media reporting regarding the WannaCry ransomware attack. Systems administrators who hadn’t yet patched their systems had not necessarily ignored patches or warnings from Microsoft. Nor were they necessarily running unsupported software, even where Windows XP was still in use.
Patches themselves can — and sometimes do — cause computers to malfunction. A computer may work fine for years, but when a patch is applied some critical component of either the OS or an application ceases to function. Microsoft has had a number of these over the years, with several in the past several months affecting large enough numbers of people to gain media attention.
Systems administrators, especially those guarding life-critical IT, must test patches before deployment to ensure that patches don’t break anything. Unfortunately, Microsoft has jettisoned its traditional Security Bulletins, and has made it increasingly difficult to learn what patches are supposed to do.”
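As an added illustration of the attachment-filtering policies the excerpt describes (this is not code from the article or from the eFa project), the following Python script parses a raw e-mail message, flags ZIP attachments whose entries carry the ZIP encryption bit, and maps the result to one of the four gateway actions listed in the excerpt: block all encrypted attachments, allow them only from known trusted senders, deliver them with a warning, or hold them for an administrator. The sender allow-list, the addresses and the archive contents are constructed sample values.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"

# Constructed allow-list standing in for the "known trusted sources" of the excerpt.
TRUSTED_SENDERS = {"accounting@partner.example"}


def make_sample_zip(mark_encrypted: bool) -> bytes:
    """Build a small constructed ZIP and optionally set the per-entry encryption flag.

    Bit 0 of the general-purpose flag field is the ZIP encryption bit. It sits at
    offset 6 in each local file header and offset 8 in each central directory
    header, so both copies are patched to keep the archive self-consistent.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.docx", b"constructed placeholder document")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
            pos = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | 0x0001)
    return bytes(data)


def build_mail(sender: str, attachment: bytes, filename: str = "invoice.zip") -> bytes:
    """Construct a sample message carrying one ZIP attachment; return the raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


def encrypted_zip_attachments(raw: bytes) -> List[str]:
    """Return the names of attachments that are ZIP archives with an encrypted entry.

    The check keys on the attachment bytes, not on Content-Type or extension,
    since the sender chooses both. Data that starts like a ZIP but does not parse
    is reported as well, because the filter cannot vouch for it either.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(ZIP_LOCAL_SIG):
            continue
        name = part.get_filename() or "<unnamed>"
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(info.flag_bits & 0x0001 for info in zf.infolist()):
                    hits.append(name)
        except zipfile.BadZipFile:
            hits.append(name)
    return hits


def decide(raw: bytes, policy_name: str) -> str:
    """Map a message to a gateway action under one of the four policies.

    policy_name is one of "block_all", "trusted_only", "warn_user", "hold_for_admin".
    Messages without encrypted ZIP attachments are always delivered.
    """
    if not encrypted_zip_attachments(raw):
        return "deliver"
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    if policy_name == "block_all":
        return "block"
    if policy_name == "trusted_only":
        return "deliver" if sender in TRUSTED_SENDERS else "block"
    if policy_name == "warn_user":
        return "deliver_with_warning"
    if policy_name == "hold_for_admin":
        return "hold_for_admin"
    raise ValueError(f"unknown policy: {policy_name}")


if __name__ == "__main__":
    suspicious = build_mail("billing@unknown.example", make_sample_zip(True))
    for name in ("block_all", "trusted_only", "warn_user", "hold_for_admin"):
        print(f"{name:15s} -> {decide(suspicious, name)}")
```

The detector looks at the bytes because the declared MIME type and the file name are both under the sender's control. It covers only the ZIP encryption bit; other archive formats with their own encryption and password-protected Office documents each need their own parser, which is one reason the excerpt's advice is to deploy and configure a maintained filter rather than to write one.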