Dry Your Eyes: Lessons Learned From WannaCry

If you’re reading this post, congratulations! You hopefully aren’t using one of the more than 200,000 computers that were hit by the first wave of the WannaCry ransomware attack. Those unfortunate victims are dealing with bigger problems right now, such as how to admit patients to their emergency rooms or ship perishable items to their destinations without the help of working computers.

As this attack demonstrated, the cost of ransomware goes far beyond the fee that’s demanded to get back your files; it brings down businesses and even threatens lives. Most experts, including the FBI, recommend against paying ransoms, which have no guarantee of success and can even target you for further attacks. A better strategy is to prevent attacks in the first place. Here are some lessons we’ve learned from this and other attacks.

Patching WannaCry Ransomware

WannaCry didn’t come out of nowhere: It exploited a known Microsoft vulnerability for which the company issued a patch two months earlier. Subscribers to the IBM X-Force Exchange received that fix on the same day it was released.

It’s particularly important to patch endpoints, such PCs and mobile devices, because that’s where 85 percent of ransomware infections originate. The process can be complex, but IT teams can use endpoint tools to deploy patches consistently, reliably and automatically across a broad range of operating systems.

A majority of existing endpoint detection and response (EDR) solutions are unable to fully secure organizations from ransomware for three reasons. First, they lack full visibility of endpoints and their statuses, which limits the effectiveness and contextualization of malicious behavior. They also often require complex, post-detection incident investigations, which is a challenge in a cybersecurity field that is expected to see 1.5 million vacant positions by 2020. Some of these tools also lack any remediation abilities whatsoever, which reduces an organization’s ability to effectively act upon investigation.

Make sure your EDR solution has the appropriate visibility to not only detect, but also contextualize malicious behavior. Tool sets such as IBM BigFix can help solve those two problems and also provide effective remediation based on investigative findings.

Training Your People

By various estimates, up to 83 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment or visits a compromised website. Employees are the first line of defense, so investing in ongoing training about protecting against phishing and malware should be a priority.

Watch the on-demand webinar series: Orchestrate Your Security Defenses to Avoid Ransomware Attacks

Blocking Ransomware With Threat Intelligence

Deploying patches can be a complex and error-prone process, particularly when old or critical applications are involved. Your intrusion prevention system (IPS), when kept up to date with the most current threat intelligence data, can help prevent ransomware by using signatures to detect and stop it.

IBM X-Force Exchange, for example, provides signatures to detect command-and-control (C&C) communication between ransomware and other servers using the specific EternalBlue SMB vulnerability. For updates, follow the X-Force Exchange WannaCry collection.

Organizations that can’t patch can prevent the spread of the ransomware by disabling the outdated and vulnerable Server Message Block v1 in Windows. Additional recommendations are available and continuously updated on the WannaCry IBM Support page.

Detection Driven by Behavioral Analysis

While a good prevention program should stop most ransomware attacks at the door, it can’t protect you 100 percent of the time. A good security analytics platform provides the next level of defense by detecting ransomware activity based on behavior. For example, a simple rule can identify when ransomware is encrypting files at a high rate. When combined with an endpoint management product, this one-two punch can help kill the malicious process before it does significant damage.

A cognitive system can also identify malicious activities based on behavior by continually scanning online sources of intelligence, such as threat advisories and blogs. For example, IBM Watson was able to identify one WannaCry ransomware attack based on network traffic going to a suspicious IP address. It learned of the address from a threat researcher’s blog.

Responding With Dynamic Playbooks

Sometime breaches occur despite your best efforts. In those cases, an incidence response (IR) platform and team is your last line of defense. An IR platform can help orchestrate the response to ransomware attacks by helping to align people, processes and technologies in a predictable and efficient manner.

Any good IR platform supports the Dynamic Playbook for ransomware. IBM Resilient’s Dynamic Playbook adapts in real time as information about an attack is uncovered, generating a response based on the most current information.

Most successful organizations also turn to IR services providers during times of crisis. When choosing IR vendors, select one with a breadth of experience in not just ransomware, but also other areas of cybercrime. This vendor should have prior success in assisting customers to align their response and restore normal operations.

A good IR provider can help you hit the reset button by bringing your backed-up data and systems back online. IBM’s IR works with customers to ensure that restored systems are not vulnerable to similar attacks and can also improve defenses against future incidents.

Join the webinar series: Orchestrate Your Security Defenses to Avoid Ransomware Attacks

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…