WannaCry, or go back to the future

Our connected world is experiencing a major new crisis since the sensational arrival of WannaCry ransomware, a.k.a WannaCrypt, WanaCrypt0r or WCry. We had grown accustomed to living with the threat of infamous ransomware for several months. Many organizations had managed to slip under the radar, while others had taken preventive measures by raising user awareness or by deploying next-generation technologies. WannaCry, however, is armed with a new weapon that greatly increases its potential for diffusion and harm. This next-generation malware is able to spread automatically, transparently, and without any human intervention. Once the malware infects a machine on a network – introduced via an email attachment for example – it replicates almost instantly on all other network stations that are insufficiently protected.

So what’s new? Nothing really, unfortunately.

I can’t help but draw a parallel with a similar chaotic experience from the past. Nearly 10 years ago, the Conficker worm forced many companies and organizations to stop certain activities: computer networks had to be shut down, points of sale closed, logistical chains interrupted, and even military aircraft had to be grounded. This worm, which kept taking on new forms, spread like wildfire and infected several million machines around the world. At the time, I was working in a cybersecurity services and consulting business. For several weeks, we helped our customers rid themselves of this worm, and these efforts were costly in terms of energy, resources, and time – including nights and weekends.
At the end of this battle, the trauma was so intense that the companies were determined never to relive such an experience. “Never again” became the mantra of countless leaders who finally realized the importance of cyber risks to their business activities.

And yet, ten years later, one might say that little has changed since the same malicious recipes work just as effectively as they did in the past. Conficker and WannaCry use the same propagation method: they remotely exploit a critical Microsoft vulnerability via SMB and NetBIOS services. In both cases, a patch was already available before the malware was released. Ten years later, the same techniques continue to wreak havoc on companies. I could not find the table from SANS Internet Storm Center representing the internet’s use of the SMB port (TCP/445) in 2008, similar to that of May 2017 (below). But I distinctly remember the traffic monitoring tools showing the same peak usage of the SMB service during the Conficker propagation phases.

Solutions that could have completely changed the course of history

The most unfortunate thing in WannaCry’s case is that the situation could have been avoided or at least largely mitigated: two months ago, Microsoft released a fix for the SMB vulnerability that was exploited to spread the malware. Many experts had issued alerts about how critical this vulnerability was, even explicitly referring to Conficker.
A month later, the group of hackers known as the Shadow Brokers even uploaded code stolen from the NSA to exploit the vulnerability. The impending attack was only more evident and the media had raised this possibility.
Companies and organizations had ample time to apply the patch that would have relegated WannaCry to the rank of “simple” ransomware that we have to deal with on a daily basis.
At the same time, the use of behavioral technologies, such as Stormshield Endpoint Security, provide a real response to threats similar to WannaCry. These proactive, signature-free approach blocks vulnerabilities from being exploited, even when they are unknown, or prevents malicious actions such as illegitimate file encryption.
For systems running Windows XP or Windows 2000 that are no longer supported and can no longer be updated, Stormshield Endpoint Security provides effective, proactive protection that lasts. These assets, which are often critical, require special attention.

A better understanding of security issues should prevent history from endlessly repeating itself.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]