By Marci Bracco Cain, Digital Editor, Cybersecurity News and Views —
WannaCry infected more than 300,000 computers worldwide starting on May 12th, and the damage is still accumulating. As of last week, payments were still arriving in the Bitcoin addresses hard-coded into the ransomware, according to Elliptic, a blockchain analytics firm that is tracking the ransom payments.
And we are far from done. In fact, as you read this, the attackers behind WannaCry are very likely building on their early success and crafting a more resilient version that exploits the weaknesses the original attack exposed.
Steve King, CTO of Netswitch and a well-known cybersecurity expert, believes the first infection was just a probe that will become the template for a refined series of future attacks.
“We know for sure that the bad guys are already working on the next WannaCry. You’ll see WannaCry 2.0, 3.0 and continuously innovative versions as the year goes on.” King said.
The Worst Kind of Contagion
The May version of WannaCry, which followed earlier and less publicized attempts in March and April, was so effective and spread so quickly because it was a worm: once inside a network it needed no user interaction, attacking other Windows hosts directly over SMB on TCP port 445, a port that perimeter firewalls may block at the edge but that is routinely open between machines on an internal network. The exploit it used, known as EternalBlue, targets a flaw in the Windows SMBv1 implementation (fixed by Microsoft in bulletin MS17-010). It is widely attributed to the U.S. National Security Agency and was published by the Shadow Brokers group in April 2017.
It tore through large, interconnected organizations and their partners, such as FedEx and the U.K.’s National Health Service, where a single unpatched host could seed an entire flat network. One estimate released shortly after the attack by cyber-risk modeling firm Cyence put the potential global cost as high as US$4 billion.
King says it is likely that an equal number of users and businesses have no idea they are infected, and that on many computers and networks the virus is lying dormant, collecting information and waiting to exploit a weakness.
“Much of the intent of this virus was about seeding networks for subsequent attacks six months from now,” King said.
Microsoft released a patch for the underlying vulnerability (MS17-010) on March 14, two months before the outbreak, and on May 12 issued emergency fixes for unsupported systems including Windows XP and Server 2003. Users who installed the patch before the attack began were protected; those who have not done so remain vulnerable. Basic cybersecurity hygiene that every company should already practice includes regular patching of corporate software and devices, and in this case also disabling SMBv1 wherever nothing still depends on it, yet many companies do not do this rigorously. Home computers are another matter entirely.
For employees who access corporate networks from home, an unpatched home machine can carry an infection into the office in a hurry: a worm like WannaCry that lands on a remotely connected laptop will scan whatever network it can reach, including the corporate one. Most home computer users, even those whose jobs require it at work, do not regularly apply security updates, so the risk of WannaCry and similar worms entering corporate networks through home computers is substantial.
Bungling Perpetrators or Expert Cybercriminals
Despite the damage this attack caused, the attackers’ missteps have received a lot of attention. The meager ransom take and the apparent blunders, notably a kill-switch domain in the code that a researcher registered to halt the spread, have prompted some cybersecurity experts to characterize the malware as the work of rank amateurs using poor distribution methods, or of politically motivated hackers who simply wanted to cause mayhem.
King disagrees, saying that the speed with which the virus was spread and the pervasive nature of the code displayed a highly sophisticated level of software and network smarts.
“Somebody clearly knew what they were doing, and the way in which the exploit kit was modified showed some impressive expertise,” he said. “These attackers understood evasion and detection and they were all about financial gain. This attack was clearly a smoke-screen to lay cover for a much larger cyber-crime down the road.”
Given the potential for this worm to be repackaged with new exploits, pushed into new networks and modified to evade the tools built to stop it, global businesses and institutions could be in for serious trouble in the coming months.
How to Combat Future Versions
The world of cybersecurity defense has changed dramatically in just the last 24 months. Much modern malware is polymorphic, changing its appearance from one copy to the next to defeat signature matching, and is designed to spread the moment it lands in a network, reaching every subnet and system it can touch in near real time.
Effective defenses have to respond to these threats in real time and take an active posture, hunting for attacks during the infiltration phase rather than waiting for a known signature. Defense systems now exist that apply machine learning to network behavior and are trained to deal with threats whose code changes faster than signatures can be written.
As of today, the vast majority of businesses and institutions have not adopted such systems and remain at high risk. The risk is compounded for targets whose operations involve life-or-death outcomes, such as hospitals and medical centers. New forms of ransomware and extortionware will increasingly be aimed at high-leverage targets like insulin pumps, defibrillators, drug delivery systems and operating-room robotics.
In the future, these strains will also target sensitive documents and email, with the intention of embarrassing key executives and causing significant business disruption both inside and outside the company.
King thinks there will be a surge in the volume and frequency of extortion-related attacks.
King recommends leveraging the latest generation of AI technology in Network Behavioral Analytics and Threat Detection, which will enable organizations to defend their networks at the first sign of a threat. These technologies are heavily invested in threat intelligence and predictive reconnaissance and have proven to detect even the most advanced and rapidly morphing strains in near real time and then dispose of them before they have a chance to become a breach.
While the WannaCry ransomware wreaked havoc across the globe, there was nothing subtle about it. All the signs of highly abnormal network behavior were there, a single workstation suddenly opening SMB connections to dozens of other hosts, but the pace of the attack was far beyond the capacity of human teams to contain it. Attackers no longer rely on the same generic attacks they have always used. To break into networks they are thinking outside the box, and defenders need to do the same.
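The scanning behavior just described, and the SMB propagation covered under The Worst Kind of Contagion, is visible in ordinary flow or firewall logs long before a human notices encrypted files. What follows is an added example, not code from the original article or from Netswitch: a sliding-window detector that flags any source address opening TCP/445 connections to at least a threshold number of distinct hosts within a short window. The flow record layout, the threshold (20 distinct peers within 60 seconds), the host addresses and the sample records are all constructed for illustration; real telemetry will need its own parser and tuning.

```python
"""Flag hosts fanning out over SMB (TCP/445) to many distinct peers in a short window.

WannaCry's propagation thread scanned the local subnet and random Internet
addresses on TCP/445 looking for unpatched SMBv1 hosts, so one source
reaching dozens of distinct 445 peers within seconds is the behaviour to
alarm on. Added example; the flow format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random

SMB_PORT = 445


def parse_flow(line):
    """Parse a constructed flow record of the form
    '<ISO-8601 timestamp> <src ip> <dst ip> <dst port> <proto>'.
    Returns None for malformed lines so one bad record cannot abort a run."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def detect_smb_fanout(lines, window_seconds=60, threshold=20):
    """Return {src: (alert_time_iso, distinct_peers)} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 within any
    `window_seconds` span. Records may arrive out of order; they are sorted
    per source. Keying on the source means a busy file server receiving
    connections is not flagged, only a host initiating them."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dport"] != SMB_PORT or rec["proto"] != "tcp":
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()              # (ts, dst) records inside the window
        in_window = defaultdict(int)  # dst -> how many records reference it
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # Expire records older than the window relative to the newest one.
            while (ts - window[0][0]) > timedelta(seconds=window_seconds):
                _old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= threshold:
                alerts[src] = (ts.isoformat(), len(in_window))
                break  # one alert per source is enough to start response
    return alerts


def constructed_flows():
    """Constructed sample telemetry (not real captures), shuffled to show
    that out-of-order records are handled."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 1. Infected workstation: 30 distinct internal hosts on 445 in 15 s.
    for i in range(30):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.isoformat()} 10.0.1.15 10.0.1.{100 + i} 445 tcp")
    # 2. Ordinary user: two file servers on 445, revisited during the minute.
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.0.1.20 10.0.2.{10 + i % 2} 445 tcp")
    # 3. Backup server: 25 distinct hosts on 445, but only one every five minutes.
    for i in range(25):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} 10.0.1.50 10.0.3.{10 + i} 445 tcp")
    # 4. Web browsing: 40 distinct peers in 40 s, but on 443, not 445.
    for i in range(40):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.1.21 203.0.113.{i} 443 tcp")
    lines.append("garbage line that should be skipped")
    random.Random(7).shuffle(lines)
    return lines


if __name__ == "__main__":
    for src, (when, peers) in detect_smb_fanout(constructed_flows()).items():
        print(f"ALERT {src}: {peers} distinct SMB peers within 60 s at {when}")
```

Only the infected workstation trips the detector; the backup server touches as many hosts but spreads them over two hours, the browsing workstation fans out on the wrong port, and the user who keeps reconnecting to the same two file servers never reaches the distinct-peer threshold. Tune the window and threshold against a baseline of each site's own SMB traffic before acting on alerts automatically.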
New strains are coming soon, and organizations need to arm themselves now before it is too late.
For more information about WannaCry, new strains of malware and advanced methods to protect your business and assets from the next cyberattack, please contact us at www.netswitch.net