A Week of WannaCry: the Impact of Ransomware & How Small Businesses Can Protect Themselves


On May 12, cyber security professionals and many businesses around the world went into a frenzy. While both businesses and security professionals are familiar with—and currently working diligently to counter—the newest iterations of encrypting ransomware, a brand-new virus, WannaCry, created unprecedented shockwaves.

How WannaCry Spread Across the Globe

Like much other ransomware, and viruses in general, WannaCry infects systems through spear phishing techniques. Typically this happens through infected emails that contain files hosting the virus. Once on a system (Microsoft Windows only, in this case), WannaCry uses a system exploit to access and encrypt both local and networked files.

What made WannaCry unique, however, was just how quickly it spread. Between May 12 and May 15, WannaCry infected over 200,000 computers and systems, making it the fastest-spreading encrypting ransomware to date. Notably, WannaCry hit National Health Service computers in the UK, causing significant disruptions to healthcare providers in that country and, as of May 17th, had also infected hospital computer systems in the US. WannaCry has impacted computer systems in over 150 countries.

What brought attention to WannaCry in particular, outside of its fast spread and healthcare interruptions, are the particular exploit tools that it uses. Of the two tools used (DoubleStar and EternalBlue), a lot of attention focused on EternalBlue, a stolen exploit tool developed by the National Security Agency (NSA). Given that EternalBlue was designed to exploit a vulnerability in Microsoft Windows, the company was quick to criticize and place blame for the effectiveness of the WannaCry virus at the NSA’s feet.

In a blog post, Microsoft President and Chief Legal Officer Brad Smith wrote, “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”

As the WannaCry story continues to develop, some experts have pointed to a distinct possibility that North Korea is behind the attacks. According to the New York Times, evidence for this comes from the fact that the design of the virus is similar to attacks made against Sony Entertainment prior to the release of its controversial comedy film “The Interview,” which has as its main plot the assassination of North Korean leader Kim Jong-un. Cyber security company Symantec was able to source the Sony Entertainment attack back to North Korea, and the company has stated that its current investigations of an early WannaCry variant show some similarities.

Low Effectiveness Given Reach and Potential

As effective as WannaCry has been at infecting computers, however, its actual success as ransomware has been less than stellar. To date, the ransomware has only managed to extract around $60,000 from victims in the several days since the attack launched. By comparison, one of the most successful ransomware viruses, Cryptolocker, infected fewer than 250,000 machines in roughly a year’s time from its release to eventual isolation, but managed to extract around $27 million in ransom payments.

Most encrypting ransomware now demands payment in Bitcoin, a secure digital payment method that allows cyber criminals to hide their tracks and avoid having their identity traced back via the payments.

WannaCry’s effectiveness was also significantly hampered by several flaws in its design. Shortly after its release, a 22-year-old cyber security professional and blogger discovered a kill switch written into the virus’s code. That kill switch checked to see whether a gibberish website existed online and, if not, proceeded with encryption. Registering the gibberish website severely slowed the original WannaCry variant. New variants then arose, some with a different (quickly registered) kill switch and some without a kill switch at all.
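The kill-switch behaviour described above also gives defenders a detection signal: any internal host that looks up the kill-switch domain has run the malware. The following is an added example, not code from the original article, that triages DNS resolver logs on that basis. The domain name, the four-field log format, the sample lines and the use of DNS resolution as a stand-in for the malware's "does the website exist" check are all assumptions made for illustration.

```python
# Placeholder only: the article does not name the domain. Substitute the
# value supplied by your own threat-intelligence source.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample lines in a hypothetical resolver log format:
#   <timestamp> <client_ip> <queried_name> <response_code>
SAMPLE_LOG = """\
2017-05-13T09:14:02Z 10.0.4.17 killswitch-placeholder.example. NOERROR
2017-05-13T09:14:05Z 10.0.4.22 www.example.org. NOERROR
2017-05-13T09:15:40Z 10.0.7.3 KillSwitch-Placeholder.example. NXDOMAIN
2017-05-13T09:16:11Z 10.0.7.3 killswitch-placeholder.example. SERVFAIL
malformed line without enough fields
2017-05-13T09:17:00Z 10.0.4.17 killswitch-placeholder.example. NOERROR
"""


def triage(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to a status.

    "killswitch_reachable":   every lookup resolved, so the check described
                              in the article would have found the site.
    "killswitch_unreachable": at least one lookup failed, so the malware
                              would have proceeded with encryption.
    Both statuses mean the host ran the malware and needs remediation.
    """
    wanted = {d.lower().rstrip(".") for d in domains}
    results = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        _timestamp, client, qname, rcode = parts
        # DNS names are case-insensitive and may carry a trailing dot.
        if qname.lower().rstrip(".") not in wanted:
            continue
        if rcode.upper() != "NOERROR":
            results[client] = "killswitch_unreachable"  # one failure is enough
        else:
            results.setdefault(client, "killswitch_reachable")
    return results


if __name__ == "__main__":
    for client, status in sorted(triage(SAMPLE_LOG).items()):
        print(client, status)
```

Hosts in the unreachable group are the first priority for isolation and restore from backup. A content filter that blocks the kill-switch domain moves hosts from the first group into the second, so the domain should be left resolvable.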

What this particular issue with WannaCry reveals is just how far-reaching and dangerous encrypting ransomware has become, and businesses are increasingly common targets of these viruses. Although many companies that get infected choose to pay up, many others do not, resulting in lost data or expensive data recovery.

How Can Small Businesses Protect Themselves?

It’s increasingly important for businesses to learn how to protect themselves against this type of eventuality. One method is to ensure the company utilizes solid, effective data backup. Whether online cloud backup or on-site physical backup, such systems are often necessary to ensure continuance after an attack. Additionally, it’s important for businesses to have an effective incident response plan in place in case an attack occurs. Those plans should also be updated regularly to meet the changing needs and types of disasters that can happen.

Company security and IT professionals should also ensure systems are updated with the latest system patches and that effective malware prevention software is installed on company systems. In the case of WannaCry, the system exploit was patched over a month and a half before the WannaCry virus was released. The only systems that were impacted were those owned by companies and individuals who had failed to install the patch in a timely manner.

Finally, the issue of losing both client and proprietary data speaks volumes to the vast importance of cyber insurance. The monetary value of data only increases every year. The loss of such data due to a cyber attack can result in financial losses at best and, at worst, the complete loss of the business due to the high cost of the disaster. With encrypting ransomware like WannaCry growing more common and more sophisticated, every method a company can use to protect its data and finances should be considered.
