Dry Your Eyes: Lessons Learned From WannaCry

If you’re reading this post, congratulations! You hopefully aren’t using one of the more than 200,000 computers that were hit by the first wave of the WannaCry ransomware attack. Those unfortunate victims are dealing with bigger problems right now, such as how to admit patients to their emergency rooms or ship perishable items to their destinations without the help of working computers.

As this attack demonstrated, the cost of ransomware goes far beyond the fee demanded to get your files back; it brings down businesses and even threatens lives. Most experts, including the FBI, recommend against paying ransoms: payment carries no guarantee that your files will be recovered, and it can mark you as a willing payer and a target for further attacks. A better strategy is to prevent attacks in the first place. Here are some lessons we’ve learned from this and other attacks.

Patching WannaCry Ransomware

WannaCry didn’t come out of nowhere: It exploited a known Microsoft vulnerability for which the company issued a patch two months earlier. Subscribers to the IBM X-Force Exchange received that fix on the same day it was released.

It’s particularly important to patch endpoints, such as PCs and mobile devices, because that’s where 85 percent of ransomware infections originate. The process can be complex, but IT teams can use endpoint management tools to deploy patches consistently, reliably and automatically across a broad range of operating systems.

A majority of existing endpoint detection and response (EDR) solutions are unable to fully secure organizations from ransomware for three reasons. First, they lack full visibility of endpoints and their status, which limits their ability to detect malicious behavior and put it in context. Second, they often require complex post-detection incident investigations, which is a challenge in a cybersecurity field that is expected to see 1.5 million vacant positions by 2020. Third, some of these tools lack any remediation abilities whatsoever, which reduces an organization’s ability to act effectively on what the investigation finds.

Make sure your EDR solution has the visibility to not only detect, but also contextualize malicious behavior. Tool sets such as IBM BigFix can help solve those problems and also provide remediation based on investigative findings.

Training Your People

By various estimates, up to 83 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment or visits a compromised website. Employees are the first line of defense, so investing in ongoing training about protecting against phishing and malware should be a priority.

Watch the on-demand webinar series: Orchestrate Your Security Defenses to Avoid Ransomware Attacks

Blocking Ransomware With Threat Intelligence

Deploying patches can be a complex and error-prone process, particularly when old or business-critical applications are involved. While a patch is being tested and rolled out, your intrusion prevention system (IPS), kept up to date with the most current threat intelligence data, can help block ransomware by matching signatures for its exploit and command traffic. Signatures buy time for patching; they do not replace it.

IBM X-Force Exchange, for example, provides signatures that detect attempts to exploit the EternalBlue SMB vulnerability that the worm uses to spread, as well as command-and-control (C&C) communication between the ransomware and its servers. For updates, follow the X-Force Exchange WannaCry collection.

Organizations that can’t patch immediately can limit the spread of the ransomware by disabling the outdated and vulnerable Server Message Block v1 (SMBv1) protocol in Windows and by blocking inbound TCP port 445 from untrusted networks. Disabling SMBv1 is a mitigation, not a fix: the patch should still follow. Additional recommendations are available and kept current on the WannaCry IBM Support page.
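The check-and-harden steps described above, as an added example that is not part of the original post and not IBM tooling. It assumes an elevated PowerShell session on the host being checked. The KB numbers are the March 2017 MS17-010 updates for Windows 7 SP1 and Server 2008 R2 SP1 (security-only and monthly rollup); other builds need the KBs listed in the MS17-010 bulletin, so treat the list as a placeholder for your environment. The registry fallback is Microsoft’s documented method for Windows 7 / Server 2008 R2, which lack the SmbShare cmdlets.

```powershell
# Added example (not from the original post): audit and harden one Windows host
# against the SMBv1 vector WannaCry used. Run from an elevated PowerShell session.
# Assumption: the KB list below is for Windows 7 SP1 / Server 2008 R2 SP1 only;
# take the KBs for other builds from the MS17-010 bulletin.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    # Get-HotFix only lists updates installed via Windows Update / WUSA. A later
    # cumulative update that supersedes these KBs will not appear, so treat
    # $false as "verify with your patch management data", not "vulnerable".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: ask the SMB server directly.
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: SMB1 is on unless this value is 0.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $value) -or ($value -ne 0)
    }
    # Feature state exists only on Windows 8.1 / Server 2012 R2 and later.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $enabled
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'N/A' }
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Stops the server offering the SMB1 dialect immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Removes the component where the OS supports it (reboot required).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Either path: the change is fully effective only after a reboot.
}

$state = Get-Smb1State
Write-Host "MS17-010 KB present : $(Test-Ms17010Installed)"
Write-Host "SMB1 server enabled : $($state.Smb1ServerEnabled) (feature: $($state.Smb1FeatureState))"

if ($state.Smb1ServerEnabled) {
    Disable-Smb1
    Write-Host 'SMB1 disabled; reboot to complete.'
}
```

Run it from an endpoint management tool against the whole fleet rather than host by host, and feed the two reported values into your asset inventory: a host that reports SMB1 enabled and no MS17-010 KB is the one to isolate first.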

Detection Driven by Behavioral Analysis

While a good prevention program should stop most ransomware attacks at the door, it can’t protect you 100 percent of the time. A good security analytics platform provides the next level of defense by detecting ransomware activity based on behavior. For example, a simple rule can flag a single process that creates or renames an unusual number of files within a short window, which is what encryption at a high rate looks like on disk. When combined with an endpoint management product, this one-two punch can help kill the malicious process before it does significant damage.
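A rate-based rule of the kind just described, as an added example that is not from the original post or any IBM product. The event layout `timestamp|process|path` is an assumption for this demo; in practice the lines would come from Sysmon Event ID 11 (FileCreate) or file-system audit events. The sample events are constructed, and the known-extension list (.wncry, .wcry) is the WannaCry case; extend it for other families.

```powershell
# Added example (not from the original post): sliding-window detector for
# "one process touching many files in a few seconds", run over constructed
# file-write events. Field layout is an assumption: "timestamp|process|path".
function Find-RapidFileEncryption {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10,          # files per window before alerting
        [int]$WindowSeconds = 10,
        [string[]]$KnownRansomExtensions = @('.wncry', '.wcry')  # extend per family
    )
    $events = foreach ($line in $Lines) {
        if ($line -notmatch '^(?<ts>[^|]+)\|(?<proc>[^|]+)\|(?<path>.+)$') { continue }
        [pscustomobject]@{
            Time    = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture).UtcDateTime
            Process = $Matches.proc
            Ext     = [System.IO.Path]::GetExtension($Matches.path).ToLowerInvariant()
        }
    }
    foreach ($group in ($events | Group-Object Process)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until it spans at most $WindowSeconds.
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                $window     = $sorted[$start..$end]
                $ransomHits = @($window | Where-Object { $KnownRansomExtensions -contains $_.Ext }).Count
                [pscustomobject]@{
                    Process      = $group.Name
                    WindowStart  = $sorted[$start].Time
                    FilesWritten = $count
                    RansomExt    = $ransomHits
                    # Rate alone is medium confidence (backups and compilers burst too);
                    # a known ransomware extension in the burst raises it to high.
                    Severity     = if ($ransomHits -gt 0) { 'High' } else { 'Medium' }
                }
                break   # one alert per process is enough for this demo
            }
        }
    }
}

# Constructed sample: a 12-file burst in under five seconds from tasksche.exe
# (the WannaCry encrypter), plus slow, legitimate writes from winword.exe.
$t0 = [datetimeoffset]::Parse('2017-05-12T10:00:00Z', [cultureinfo]::InvariantCulture)
$burst = 0..11 | ForEach-Object {
    '{0}|tasksche.exe|C:\Users\alice\Documents\file{1}.docx.WNCRY' -f $t0.AddMilliseconds(400 * $_).ToString('o'), $_
}
$normal = 0..3 | ForEach-Object {
    '{0}|winword.exe|C:\Users\alice\Documents\notes{1}.docx' -f $t0.AddSeconds(30 * $_).ToString('o'), $_
}

Find-RapidFileEncryption -Lines ($burst + $normal) | Format-Table -AutoSize
```

With the defaults this yields one alert, for tasksche.exe at high severity; the four winword.exe writes are 30 seconds apart and never reach the threshold. Tune `Threshold` and `WindowSeconds` against a baseline of your own hosts before wiring the alert to an automatic kill action, since backup agents and build tools produce similar bursts without the extension signal.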

A cognitive system can also identify malicious activities based on behavior by continually scanning online sources of intelligence, such as threat advisories and blogs. For example, IBM Watson was able to identify one WannaCry ransomware attack based on network traffic going to a suspicious IP address. It learned of the address from a threat researcher’s blog.

Responding With Dynamic Playbooks

Sometimes breaches occur despite your best efforts. In those cases, an incident response (IR) platform and team is your last line of defense. An IR platform can help orchestrate the response to ransomware attacks by aligning people, processes and technologies in a predictable and efficient manner.

Any good IR platform supports the Dynamic Playbook for ransomware. IBM Resilient’s Dynamic Playbook adapts in real time as information about an attack is uncovered, generating a response based on the most current information.

Most successful organizations also turn to IR services providers during times of crisis. When choosing IR vendors, select one with a breadth of experience in not just ransomware, but also other areas of cybercrime. This vendor should have prior success in assisting customers to align their response and restore normal operations.

A good IR provider can help you hit the reset button by bringing your backed-up data and systems back online. IBM’s IR team works with customers to ensure that restored systems are not vulnerable to similar attacks and can also help improve defenses against future incidents.

