Dry Your Eyes: Lessons Learned From WannaCry

If you’re reading this post, congratulations! You hopefully aren’t using one of the more than 200,000 computers that were hit by the first wave of the WannaCry ransomware attack. Those unfortunate victims are dealing with bigger problems right now, such as how to admit patients to their emergency rooms or ship perishable items to their destinations without the help of working computers.

As this attack demonstrated, the cost of ransomware goes far beyond the fee that’s demanded to get back your files; it brings down businesses and even threatens lives. Most experts, including the FBI, recommend against paying ransoms, which have no guarantee of success and can even target you for further attacks. A better strategy is to prevent attacks in the first place. Here are some lessons we’ve learned from this and other attacks.

Patching WannaCry Ransomware

WannaCry didn’t come out of nowhere: It exploited a known Microsoft vulnerability for which the company issued a patch two months earlier. Subscribers to the IBM X-Force Exchange received that fix on the same day it was released.

It’s particularly important to patch endpoints, such PCs and mobile devices, because that’s where 85 percent of ransomware infections originate. The process can be complex, but IT teams can use endpoint tools to deploy patches consistently, reliably and automatically across a broad range of operating systems.

A majority of existing endpoint detection and response (EDR) solutions are unable to fully secure organizations from ransomware for three reasons. First, they lack full visibility of endpoints and their statuses, which limits the effectiveness and contextualization of malicious behavior. They also often require complex, post-detection incident investigations, which is a challenge in a cybersecurity field that is expected to see 1.5 million vacant positions by 2020. Some of these tools also lack any remediation abilities whatsoever, which reduces an organization’s ability to effectively act upon investigation.

Make sure your EDR solution has the appropriate visibility to not only detect, but also contextualize malicious behavior. Tool sets such as IBM BigFix can help solve those two problems and also provide effective remediation based on investigative findings.

Training Your People

By various estimates, up to 83 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment or visits a compromised website. Employees are the first line of defense, so investing in ongoing training about protecting against phishing and malware should be a priority.

Watch the on-demand webinar series: Orchestrate Your Security Defenses to Avoid Ransomware Attacks

Blocking Ransomware With Threat Intelligence

Deploying patches can be a complex and error-prone process, particularly when old or critical applications are involved. Your intrusion prevention system (IPS), when kept up to date with the most current threat intelligence data, can help prevent ransomware by using signatures to detect and stop it.

IBM X-Force Exchange, for example, provides signatures to detect command-and-control (C&C) communication between ransomware and other servers using the specific EternalBlue SMB vulnerability. For updates, follow the X-Force Exchange WannaCry collection.

Organizations that can’t patch can prevent the spread of the ransomware by disabling the outdated and vulnerable Server Message Block v1 in Windows. Additional recommendations are available and continuously updated on the WannaCry IBM Support page.

Detection Driven by Behavioral Analysis

While a good prevention program should stop most ransomware attacks at the door, it can’t protect you 100 percent of the time. A good security analytics platform provides the next level of defense by detecting ransomware activity based on behavior. For example, a simple rule can identify when ransomware is encrypting files at a high rate. When combined with an endpoint management product, this one-two punch can help kill the malicious process before it does significant damage.

A cognitive system can also identify malicious activities based on behavior by continually scanning online sources of intelligence, such as threat advisories and blogs. For example, IBM Watson was able to identify one WannaCry ransomware attack based on network traffic going to a suspicious IP address. It learned of the address from a threat researcher’s blog.

Responding With Dynamic Playbooks

Sometime breaches occur despite your best efforts. In those cases, an incidence response (IR) platform and team is your last line of defense. An IR platform can help orchestrate the response to ransomware attacks by helping to align people, processes and technologies in a predictable and efficient manner.

Any good IR platform supports the Dynamic Playbook for ransomware. IBM Resilient’s Dynamic Playbook adapts in real time as information about an attack is uncovered, generating a response based on the most current information.

Most successful organizations also turn to IR services providers during times of crisis. When choosing IR vendors, select one with a breadth of experience in not just ransomware, but also other areas of cybercrime. This vendor should have prior success in assisting customers to align their response and restore normal operations.

A good IR provider can help you hit the reset button by bringing your backed-up data and systems back online. IBM’s IR works with customers to ensure that restored systems are not vulnerable to similar attacks and can also improve defenses against future incidents.

Join the webinar series: Orchestrate Your Security Defenses to Avoid Ransomware Attacks

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read