5th anniversary of WannaCry: What we have learned
Five years ago this month, the WannaCry ransomware attack encrypted an estimated 230,000 systems running Windows in private and public sector organizations globally, including high-profile companies like FedEx, the NHS and Honda. The financial impact was substantial; Symantec estimated WannaCry caused about $4 billion in losses.
The malware spread through an exploit developed by the U.S. National Security Agency called EternalBlue, which targeted a critical remote code execution vulnerability (MS17-010) in Microsoft’s Server Message Block 1.0 (SMBv1) file-sharing protocol. Once WannaCry installed itself on a system, it rapidly spread to other devices running a vulnerable SMB version. Most were older Windows systems, running on Windows Vista, Windows 7, and Windows 8.1.
Even though Microsoft had issued a patch for the SMB flaw over a month before WannaCry began proliferating, the malware still wreaked so much havoc because millions of computers remained unpatched.
The legacy of WannaCry is that it not only shone a spotlight on ransomware and the key shortcomings in public and private sector infrastructure security, but that it continues to be one of the most challenging security issues organizations face today. Although they may be somewhat more diligent about updating software and remediating vulnerabilities, ransomware attacks are like the little engine that could—they continue to make headlines and severely disrupt businesses and operations. In fact, research from Verizon this week, which analyzed 23,896 security incidents, finds it is only growing. The 2022 Verizon Data Breach Investigations Report (DBIR) found that ransomware events in conjunction with breaches increased 13% in the past year.
In February, the Cybersecurity and Infrastructure Security Agency reported that it has observed ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors. CISA also said it has seen an “increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.”
WannaCry ransomware attacks have also increased by 53% since January 2021. Payments also continue to go up. The average payment from 2021 cases rose to $541,010, which was 78% higher than the previous year.
Ransomware attacks have changed. Many are now highly targeted and involve both hands-on tactics and automation for maximum effectiveness. Because tools are increasingly multiplatform, they can be used to attack different operating systems.
WannaCry continues to exploit how the Server Message Block protocol, which allows network nodes to communicate, operates in Windows. There are still challenges with patching and vulnerability management systems, as well as threat detection, remediation, and response practices.
And the original EternalBlue exploit is still being used by attackers to deploy WannaCry and other malware onto enterprise systems. Unfortunately, many organizations still have not applied the MS17-010 update, leaving their SMB installations susceptible to EternalBlue. Continuing to use SMBv1 poses a huge risk: it becomes a lot easier for attackers to find and exploit these systems.
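A practical way to act on the point above is to audit each Windows host for SMBv1 and turn it off. The following PowerShell is an added example, not code from the original post; it assumes an elevated session and that the SmbShare cmdlets are available (Windows 8.1 / Server 2012 R2 and later), with a registry fallback for the older Windows 7-era hosts the post mentions.

```powershell
# Added example: audit and disable SMBv1 on the local Windows host.
# Assumes an elevated PowerShell session.

# 1. Check whether the SMBv1 server-side protocol is enabled.
$cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $cfg) {
    if ($cfg.EnableSMB1Protocol) {
        Write-Warning "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME"
    } else {
        Write-Output "SMBv1 server protocol is already disabled on $env:COMPUTERNAME"
    }
} else {
    # Older hosts (Windows 7 / Server 2008 R2) lack Get-SmbServerConfiguration;
    # the LanmanServer 'SMB1' registry value controls the same setting there.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means the default, which on these systems is enabled.
    if ($null -eq $smb1 -or $smb1 -ne 0) {
        Write-Warning "SMBv1 appears ENABLED (registry) on $env:COMPUTERNAME"
    }
}

# 2. Check whether the optional SMB1Protocol Windows feature is installed (client SKUs).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol Windows feature is installed on $env:COMPUTERNAME"
}

# 3. Remediate: disable the server protocol now, and remove the feature (needs a reboot).
if ($null -ne $cfg) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
}
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 4. Confirm the SMB dialect actually negotiated by current sessions; any '1.x'
#    dialect here means a peer is still talking SMBv1 to this host.
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Dialect
```

Run the same audit across managed hosts with Invoke-Command so the fleet inventory, not just one machine, shows where SMBv1 is still on.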
How A Dynamic SBOM Helps You Stay On Top of Vulnerabilities
In addition to the growing ransomware problem, the software attack surface continues to expand through software innovation. Millions of lines of code and a rising number of software components from a broad range of sources mean elevated risk. Today’s software environment includes components from packages, images, libraries and files, including third-party and open source components. This increasingly complex environment is difficult to manage, and threat actors can leverage the growing software attack surface to find new threat vectors.
To mitigate software security threats, security leaders and teams need to truly understand their attack surface at any given time; know which components of the attack surface are vulnerable and exploitable; understand their supply chain risk; have the critical information they need to prioritize software risks; and be positioned to mitigate risks quickly.
The way to achieve these objectives is by deploying a dynamic software bill of materials (SBOM). SBOMs, if they are truly dynamic, provide businesses with complete and real-time transparency across the entire software lifecycle and stack.
That WannaCry and ransomware are still at the forefront five years later shows just how difficult it is to keep on top of security hygiene practices. Yes, it was a wakeup call for organizations to start – or be more diligent about – patching systems. But even if IT prioritizes operating system patching, it may be at the expense of failing to patch critical applications such as Java, Office, and Adobe programs that are installed throughout the enterprise environment. They simply cannot be ignored or forgotten about. A dynamic SBOM gives you the visibility you need to know where you are vulnerable.
History repeats itself. The five-year anniversary of WannaCry is an appropriate time to go over cybersecurity measures that enterprises should be doing to prevent widespread attacks, starting with software patching and deploying an SBOM.
A Dynamic SBOM is Essential to Proactive Security
Remember that ransomware is no longer just a security risk, it’s a business risk. Attacks are not just rising; according to a recent Accenture report, 20% of the costs associated with all incidents were attributed to brand reputation damage.
Just as organizations are digitally transforming their businesses, incident response plans need to evolve as well. IT must enforce the least privilege around Active Directory and other key systems. But it all starts with a change in mindset that requires leaders to be proactive and prepared — not just reactive.
“Organizations should adjust mindsets around the role of security following a ransomware event,” the Accenture report notes. “Existing recovery strategies that are tuned to traditional business continuity plans are no longer enough. By understanding—and preparing for—the implications of ransomware across the whole organization, business leaders can recover more quickly when an attack happens.”