Experts: WannaCry Ransomware Is Just the Beginning

The crippling ransomware attack last week that paralyzed hospitals, universities and businesses globally was just a cyber appetizer, experts warn. The main dish is still to come.

"That was just a big warning," says Rick McElroy, a security strategist at Carbon Black, which develops endpoint cybersecurity software to detect malicious behavior. "If you weren't impacted by this one, something is going to come down the pike that's more advanced that you’re probably not prepared for. So start to build your defenses today to get out in front of this stuff.”

Here is a rundown of what happened. Hackers unleashed the WannaCry ransomware, also called Wana Decryptor, WanaCrypt or WCry, which used tools discovered in leaked documents from the National Security Agency (NSA) to compromise a file-sharing protocol in older Microsoft programs. Affected systems displayed a ransom message that demanded $300 in bitcoin for the code to unlock computers.

Although Microsoft issued a patch in March that protected newer Windows systems, a majority of the infections occurred on unsupported Windows XP systems still widely used in health care, academia, businesses and on home computers, Microsoft President Brad Smith wrote in a company blog post. “We take every single cyber attack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident,” Smith wrote. Microsoft also reversed its policy to now support users with older systems.

The NSA breach, followed by other hacks of the CIA’s Center for Cyber Intelligence revealed in a WikiLeaks document dump, spell out the vulnerabilities that “the bad guys, because they have this code, are able to take advantage of,” McElroy says.

Ransomware quickly is becoming hackers' breach method of choice, experts offer. "This is just the beginning," says Dominic Chorafakis, founder of Canadian-based cybersecurity consulting firm Akouto. “The NSA leak was a windfall for hackers looking for ways to attack victims, and it won't take them long to create powerful new tools that can infect tens of thousands of systems very quickly. Protecting IT systems in this environment takes knowledge, vigilance and the right tools, but there are some simple and practical things everyone can do."

While patches offer a first line of defense, relying on them presents a struggle because of the hundreds of thousands of endpoints organizations must ensure get the needed updates, McElroy says. “We would argue there is not enough visibility down on those endpoints to understand when they’re under attack. And a fundamental problem with these new types of attacks is they’re all based on zero days,” he says of vulnerabilities that are otherwise unknown to developers until they are exploited.

The WannaCry attack highlights that critical shortcoming afflicting IT staff and end users—the failure to apply the software updates vendors provide. "Just keeping software and backups up to date and using professional anti-virus will go a long way and might even be enough for individuals, but the effects of a breach can be catastrophic to a business," Chorafakis says.

Fixing weak links can begin with proper cyber hygiene, but that alone will not end all attacks. Felix Odigie, CEO of Inspired eLearning, offered five tips on securing systems that could help.

• Does the sender's email address come from a trusted source?
• When you hover over a link in the email, does the destination match up with the hover text?
• Are there noticeable and frequent grammar and spelling mistakes?
• Do you know the person who just texted the link, or is it an unrecognizable phone number? 
• Still in doubt? Delete the email or text. 

In his blog post, Smith noted opportunities where Microsoft and the industry can improve, including employing threat-protection personnel and embracing vigilant cyber hygiene practices. He also used the blog to criticize government practices of stockpiling details on vulnerabilities, an emerging pattern this year.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” Smith writes. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action.”

Too often, people discount the impact of nation-state hackers, McElroy echoes: “As an industry, we are ill-prepared for the speed that the bad actors are going to change things at, and our current defense-in-depth models are breaking down and showing that traditional prevention does not work against these types of attacks."