WannaCry, Petya and Copycat Ransomware Expose Good History Lessons for Small Business and Enterprise Security

On May 12, 2017, the now infamous WannaCry ransomware burst onto the worldwide scene. WannaCry infected over 200,000 systems and 150 countries in just 3 days.

NHS hospitals in the UK operations ground to a halt. Petya malware followed suit soon afterwards by targeting and ransacking systems in Ukraine, Russia, and Europe before spreading to other countries. 

Unlucky victims exposed to such attacks could have been prevented.

Attacks such as these seem so sophisticated and impossible to stop. The headlines reported how WannaCry and Petya were developed from leaked hacker tools and exploit code, such as Eternal Blue. These tools were stolen from the arsenal of the National Security Agency (NSA). 

Hackers then launched ominous attacks on unsuspecting victims, using the ransomware to encrypt files on systems making them paper weights until the victims agree to pay a ransom.

Rinse and repeat.

It is no surprise that history continues to repeat itself in the world of Cyber Security. Most of these exploits could have easily been prevented if organizations of all sizes would place higher urgency and priority on basic security hygiene and keeping their technology up to date.

What lessons have we learned?

A number of the highest priority safeguards are emphasized in this article. 
 

Update and patch your systems regularly

The critical Microsoft patch (MS17-010) was issued in March 14, 2017 to fix a known SMB or file sharing protocol bug, nearly two months before the WannaCry outbreak. This past week, pro-ISIS hackers defaced a number of government websites by exploiting a DNN content management system vulnerability that was patched over a year ago.

By just spending a few minutes a day checking the internet for vendor software updates (or reading your email if you’ve signed up for alerts), you can easily spot new threats and fixes needed in a timely manner. Use this activity as reminder to patch your systems as soon as updates are available.

We have made it even easier with our Securezoo Cybersecurity Threat Center, a free resource for small businesses and security pros to keep up on vendor security updates, vulnerabilities and threats. To add, data breach incidents can also help organizations with lessons learned to prevent similar fate in the future.

Feel free to bookmark and just spend a minute or two reviewing as part of your daily routine.
 

Retire legacy OS and systems

Still running Windows 7, Windows Server 2008, Windows XP, Windows Server 2008 or other legacy operating systems (OS)?

It goes without saying you should have retired Windows XP and Windows Server 2003 a long time ago as Microsoft dropped support for them and no longer provides patches.

As of January 14, 2020, Microsoft has ended support for Windows 7 and multiple versions of Windows Server 2008 products.

Legacy unpatched systems are easy targets for hackers. With that said, Microsoft did buck the trend in 2017, given WannaCry got so bad, by providing a “one time” patch to fix XP systems. However, don’t count on Microsoft or other vendors to be so generous in the future.

Did you know that Windows 7 PCs were a much higher vector of attack used to spread WannaCry? Although legacy OS continue to be targeted, there are a much higher number of Win7 systems and attack targets.

If you are still running Windows 7 in your business, you need to upgrade to Windows 10 and take advantage of automatic updates to ensure patches are applied by your system as soon as they come out.  

If you can afford it, move off of older, unsupported workstation or server hardware as well. This will help improve your systems availability and also make it easier to support future OS upgrades to keep your systems current.
 

Train your staff on the cyber dangers

To add, you should also have conversations with your staff on the dangers to your business from such cyber attacks, like WannaCry and Petya.

The more real world examples you can share, the more relevant you can make it to your business on how to prepare for and prevent the next attack.

For example, if you are in the healthcare business, make note of past ransomware attacks like NHS attacks. If you’re in the travel business, take note of more recent Travelex ransomware attacks.

If you work in the education sector, review similar stories such as the major UK university ransomware attack. Likewise, if you’re in the energy business, take note of recent Industroyer attacks.

Remind your employees not to click on links or open attachments from untrusted sources from outside the company. Such “phishing” messages could contain malware or bogus links used to trick your users into visiting fake websites designed to steal your credentials or download malware to your systems.

Be aware that it’s not just malware that cyber criminals are after either.

For example, if you’re in the business of transferring money to other institutions (such as banks and real estate entities), be wary of business email compromise (BEC) attacks. If you receive a request via email to wire funds from your attorney or other trusted person, pick up the phone and talk to the requester. 

Also, understand that malicious hackers love to use social engineering tricks in the tone of their emails, such as using a sense of urgency, excitement or fear to trick your employees into opening up attachments in email.

Don’t fall for the scams. 

“Least privilege

Make sure your employees are not logged into their systems with administrator accounts that have full system privileges.

Each user should have a standard login account with minimal privileges, such as that required to do their jobs (e.g., reading email, running company and Office applications, etc.) and no more. This is also referred to as “least privilege.”

If you need new applications installed or system configuration changes, have your IT admin(s) or trusted staff login and make the changes. Use admin accounts only when they are needed.

To reduce dependency on admin accounts, you may either update your systems automatically (such as how Windows 10 update works) or deploy patches via a centralized patch management system. If you can’t afford management systems, ensure your trusted admin or manager performs the updates when patches are needed on a regular basis.

Don’t forget about third party app patches as well, such as Java, Adobe and the like!

Remember that often times malware, like WannaCry or Petya, is designed to exploit local or remote vulnerabilities by using the same privileges as the user logged in.

By implementing a “least privilege” model, you reduce the attack surface and make it harder for hackers to compromise your systems. 

Backup your data and have a recovery plan

As stated previously, ransomware is most effective after it strikes victims with no data backups.

If your files are critical to your business, are encrypted and you can’t access them, you may end up between a rock and a hard place. Do you pay the ransom or potentially suffer irreversible harm such as go out of business?

For local systems, ensure you have a scheduled routine to backup your data to external tape, USB drive or other offline storage in the event of disaster such as ransomware, fire or natural disaster.

Have multiple backups too. If you use tape or another removable media to backup data in your office, take backups offsite to secure location periodically as well. A fire or theft won’t help you to recover from local backup stores.

Cloud backup solutions are also a good solution for backups for small businesses, but don’t completely rely just on cloud backups in the event of disaster. By having offline backups, organizations can add yet another layer of protection in the event your cloud account gets compromised.

Or worst yet, your data gets wiped by hackers or accidentally by employees. Yes, employees do make mistakes too.   

You can also document good procedures and step-by-step process your employees can recover services and data in the event of natural or man-made disaster such as the next ransomware attack. See good tips on both a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). At the very least, have a DRP for your most critical applications to limit the downtime of your business operations and quickly recover.

Additional protections

To mitigate unauthorized access threats to your cloud resources, you should also protect your cloud accounts with two factor authentication (2FA) at all times.

See a good example of a cloud-based company who got hacked and lost all their customer’s data and unfortunately went out of business. 

Finally, other more advanced controls to help mitigate ransomware attacks include user web proxies (with web content filtering and ability to block access to higher risk websites), application “white listing” (such as Beyond Trust’s PowerBroker Application Control or Microsoft’s Device Guard and AppLocker) and network firewalls, to name just a few.

In conclusion, it is amazing, but not surprising that cyber history continues to repeat itself. Different and fancy malware names, exploit tools and cyber gangs, but the same old tricks that go after older and unpatched systems that are easy fruit picking.

Update (January 14, 2020): this article was originally posted on June 30, 2017, but has been updated to include more recent news events and related articles.

Related Articles