You may have heard of WannaCry, ransomware that caused suffering and damage in countries worldwide in 2017. The harm did not stop at individuals: businesses and hospitals across Europe had to shut down their operations.
In this article, we look at why WannaCry became such a widespread disaster and what measures can be learned from it.
WannaCry is ransomware that affected more than 320,000 computers in over 150 countries within a few days. Given the speed of its spread and the damage it caused, it is regarded as one of the largest ransomware attacks in history. Governments and many public institutions were thrown into panic and chaos by the disruption.
What made WannaCry so much more dangerous was its infection strategy. Ordinary ransomware is delivered through a malicious website or email and demands a ransom from a single victim per attack. WannaCry instead spread its lockout to every computer on the connected network in order to demand a much higher ransom payment.
How Does WannaCry Work?
Once WannaCry infects a computer, the data stored on it becomes inaccessible. The lockout can cover a single file, a whole hard drive, or even the entire computer. The data is made inaccessible by encryption, which cannot be undone without a complex key.
After the lock is applied, WannaCry displays a screen with instructions for paying a cryptocurrency ransom in exchange for releasing it. The message warns victims that their data will be exposed or deleted if the ransom is not paid by the stated deadline, but there is no guarantee that paying will actually restore access.
What Caused the WannaCry Outbreak?
WannaCry raised the stakes by combining ransomware with a computer worm. A worm is designed to replicate itself automatically and spread to other computers over the connected network. As a result, a WannaCry infection damages not just one computer but every computer reachable on the network.
Furthermore, WannaCry exploited a Microsoft Windows vulnerability to dramatically increase its infection rate. The vulnerability let WannaCry spread further without any user action such as visiting a website, approving a download, or opening an email.
Timeline of the WannaCry Outbreak
Security experts say the WannaCry outbreak could have been prevented with proper measures. In fact, the Windows vulnerability that fuelled the outbreak was already considered dangerous before the attack, and a security patch had been released in advance.
Let's look at how the outbreak unfolded.
September 2016: Microsoft discovered a vulnerability in its Server Message Block version 1 (SMBv1) protocol and advised users to disable SMBv1.
February 2017: The first ransomware attack targeting SMBv1 was reported in South Korea. A lack of threat awareness kept the report from spreading, so the news reached only the local community.
March 2017: Microsoft released the patch for the Windows vulnerability in SMBv1. The vulnerability turned out to be extremely dangerous: exploiting it allowed remote, unauthorized execution of malicious code.
May 2017: WannaCry hit Asia. In just 24 hours, more than 300,000 devices were affected in over 150 countries, making it one of the largest cyberattacks ever recorded.
Lessons from the WannaCry Outbreak
The timeline above shows that although the Windows vulnerability had been announced, the corresponding security patch was not released for six months. During that period the issue counted as a zero-day vulnerability, giving attackers time to prepare a dedicated attack strategy.
The term "zero-day vulnerability" refers to a vulnerability for which no proper fix is yet available. Devices with a zero-day vulnerability are far more likely to be harmed because the security hole is publicly known.
Some users argue that a zero-day vulnerability is not critical if the device is not directly reachable from the internet. WannaCry showed, however, that infection can still spread inside an environment closed off from the public. This brings us to the following measures.
Maintain the Latest Updates and Security Patches
Applying version updates is nobody's favorite task: it may mean stopping what you are doing, reviewing the update details, and restarting the program if necessary. Applying them promptly, however, may save your day.
Version and security updates are a critically important part of protecting computers from attack. Even when malware is introduced by another route, up-to-date software helps protect confidential information such as network files and online account credentials.
Responsibilities of the Security Administrator
The WannaCry incident showed clearly that acknowledging a vulnerability does not by itself remove the risk of being attacked. As an administrator, announce every security update to the team properly and roll it out through a defined procedure.
Drop the assumption that the internal network is safe: WannaCry specializes in infecting computers over exactly those closed channels. Grant the minimum permissions on any internal network, raising access only where operations genuinely require it. Update or replace devices running outdated operating systems so they keep receiving the latest security protection.
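The measures above (disable SMBv1 as Microsoft advised, track whether the patch is installed, and limit what the internal network exposes) can be checked and applied from an elevated PowerShell prompt. The following script is an added example written for this article, not code from the article or from Microsoft. It assumes a Windows 8.1/10 client where the SmbShare, DISM and NetSecurity modules are available (server SKUs and Windows 7 manage the SMBv1 component differently), and the KB identifier of the required security update is a placeholder the operator supplies for their own OS build.

```powershell
# Added example: audit the SMBv1 exposure described in the article and,
# with -Remediate, apply the hardening. Run from an elevated prompt.
# Assumes Windows 8.1/10 client; $RequiredKb is a placeholder list of the
# KB ids that matter for this OS build (supply your own).
[CmdletBinding()]
param(
    [string[]]$RequiredKb = @(),
    [switch]$Remediate
)

function Get-Smb1Status {
    # Two separate things: whether the server negotiates the SMBv1 dialect,
    # and whether the SMBv1 component itself is still installed.
    $server  = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    [pscustomobject]@{ ServerEnabled = $server; FeatureState = $feature }
}

$status = Get-Smb1Status
Write-Host ("SMBv1 server dialect enabled : {0}" -f $status.ServerEnabled)
Write-Host ("SMB1Protocol feature state   : {0}" -f $status.FeatureState)

# Patch posture: report each required update as installed or missing.
foreach ($kb in $RequiredKb) {
    $present = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    Write-Host ("Update {0}: {1}" -f $kb, $(if ($present) { 'installed' } else { 'MISSING' }))
}

if ($Remediate) {
    # Stop offering the SMBv1 dialect; clients fall back to SMBv2/3.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMBv1 component entirely (completes after a reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Least exposure on the internal network: a workstation that does not
    # share files has no reason to accept inbound SMB (TCP 445). Do not apply
    # this rule to actual file servers.
    $ruleName = 'Block inbound SMB 445 (workstation)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    Write-Host 'Remediation applied; reboot to finish removing the SMBv1 component.'
}
```

Run it without switches first to get a read-only report across a fleet; run it with -Remediate only after confirming the host does not depend on SMBv1 (legacy printers and NAS devices are the usual holdouts). The firewall rule is the part that addresses the article's point about closed networks: even if a patch is missed on one machine, a worm that relies on inbound SMB cannot reach a workstation that refuses port 445.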
Victims of WannaCry Attacks
German railway stations were infected by WannaCry, causing panic among the public. Many of the station monitors that show passengers the train timetables became unusable, displaying the WannaCry ransom demand instead.
In the UK, the national insurance institutions were attacked by WannaCry, leaving over 40 medical facilities unable to function. The technology shutdown disrupted operations in many ways, including loss of access to patient records, inability to carry out medical examinations, and delayed surgeries. Reports suggest one cause was that many of the infected hospitals were still running Windows XP, which is no longer supported.
More than 20,000 state-owned gas stations could not process electronic payments, and customers had to pay cash until the system was restored. The misconception that "Bitcoin is a virus" spread through the community.
The global shipping company FedEx disclosed its own WannaCry incident in 2017, reporting that the total financial damage caused by the ransomware exceeded $300 million.
Measures to Prevent Harm from WannaCry
The proven way to prevent infection by ransomware such as WannaCry is to apply version and security patch updates promptly, closing the vulnerabilities the malware uses to get in. As the 2017 outbreak showed, however, keeping the OS and patches current on every single computer can be challenging. Organizations should not only manage individual computers but also put in place a security system that applies defensive measures strategically.
Keep the OS, Applications and Browsers Updated
One of the main causes of the WannaCry outbreak was the zero-day vulnerability found on Windows computers. The fact that millions of computers were attacked even after the patch was released shows how few people actually apply updates.
In other words, the infections could have been prevented had security updates been applied properly. Keep your computer's OS up to date, along with every installed application and web browser.
WannaCry makes files unusable by encrypting them. By backing up files regularly to external storage, victims can recover their data as long as the backups themselves are pristine.
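A backup is only useful if you know it is still pristine before you need it. The script below is an added example for this article, not code from the article or from any backup product: it copies a folder to external storage, records a SHA-256 manifest of what was copied, and can later re-hash the copy and report any file that has gone missing or changed, which is exactly what an encrypted backup looks like. The Source, Target and Manifest paths are placeholders.

```powershell
# Added example: backup with a hash manifest, then verify the backup later.
# Paths are placeholders; the target is meant to be an external drive that is
# disconnected between runs (the script cannot enforce that).
param(
    [Parameter(Mandatory)][ValidateSet('Backup', 'Verify')][string]$Mode,
    [string]$Source   = 'C:\Data',                    # placeholder
    [string]$Target   = 'E:\Backups\Data',            # placeholder
    [string]$Manifest = 'E:\Backups\Data.manifest.csv' # placeholder
)

function New-BackupWithManifest {
    param([string]$Source, [string]$Target, [string]$Manifest)
    $root = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    $rows = foreach ($f in Get-ChildItem -LiteralPath $root -File -Recurse) {
        # Store paths relative to the source root so the manifest is portable.
        $rel  = $f.FullName.Substring($root.Length + 1)
        $dest = Join-Path $Target $rel
        New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
        # Hash the copy, not the original, so the manifest describes the backup.
        [pscustomobject]@{
            RelativePath = $rel
            Sha256       = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -LiteralPath $Manifest -NoTypeInformation
    "Backed up $(@($rows).Count) file(s); manifest written to $Manifest"
}

function Test-BackupManifest {
    param([string]$Target, [string]$Manifest)
    $bad = 0
    foreach ($row in Import-Csv -LiteralPath $Manifest) {
        $path = Join-Path $Target $row.RelativePath
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "MISSING  $($row.RelativePath)"
            $bad++
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $row.Sha256) {
            # A changed hash on a file nobody edited is the signature of
            # an encrypted (or otherwise corrupted) backup.
            Write-Warning "MODIFIED $($row.RelativePath)"
            $bad++
        }
    }
    if ($bad -eq 0) { 'Backup verified: every file matches the manifest' }
    else            { "Backup NOT trustworthy: $bad file(s) missing or modified" }
}

switch ($Mode) {
    'Backup' { New-BackupWithManifest -Source $Source -Target $Target -Manifest $Manifest }
    'Verify' { Test-BackupManifest -Target $Target -Manifest $Manifest }
}
```

Run with -Mode Backup after each backup and with -Mode Verify before restoring, or on a schedule while the drive is attached. Keep a second copy of the manifest somewhere other than the backup drive: a manifest stored only next to the files it describes can be encrypted along with them, at which point Verify would report every file missing rather than confirming what was lost.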
Installing antimalware software with multi-layer protection provides a fundamental level of security. Conventional antimalware focuses on detecting known malware; newer techniques additionally monitor software behavior at run time to detect unauthorized activity.