WannaCry: What We Can Learn from Last Week’s International Ransomware Attack

When a ransomware attack shut down computer systems from the United Kingdom to China last week, the two big questions on everyone’s mind were how it happened and what can be done to prevent the next attack. Three IT experts offer advice about how to increase security and decrease vulnerabilities.

When a ransomware attack shut down computer systems from the United Kingdom to China last week, the two big questions on everyone’s mind were how it happened and what can be done today to prevent another WannaCry-inspired software shutdown. It turns out that a guy known as Malwaretech helped save the internet with a lucky Domain Name System (DNS)-based kill switch application. But even this fix raises a major question: how can we move beyond luck in handling ransomware?

To put this cyberattack into perspective, it’s important to know that the ransomware hit thousands of computers in more than 150 countries. By demanding money to restore files, it became one of the most invasive attacks of its kind to date.

Attacks such as these have caused some support professionals to create their own bitcoin accounts so they can quickly pay off hackers and get their systems back, but most ransomware attackers have no intention of giving systems back upon payment.

Malware-tracking maps, such as those offered by Looking Glass, now show that the ransomware infiltrated an unprecedented number of systems worldwide, kicking off an international investigation to not only find the culprits, but also determine what can be done to prevent the next threat. Fortunately, there’s already a lot we can learn from its path of destruction.

System Updates Increase Security

CompTIA Senior Director of Information Services Infrastructure Robert Rohrman shared several vital lessons for cybersecurity professionals.

“One is to keep ahead of security,” he said. “There is no perfect plan to prevent all attacks, but installing vendor patches in a timely manner and having an updated plan in place for all client machines is a good start.”

Rohrman said that far too many machines still run outdated operating systems like Windows XP and Server 2003 and simply do not have the proper security protocols in place to prevent ransomware attacks like the one we just saw.

“A globally managed update system for clients and server/hosted resources is the best way to gain visualization into an enterprise,” he said. Rohrman suggested IT managers have a system or program in place giving a global view of the in-house systems and security situation “that can issue patches and fixes to multiple computers from one console.”

But patching isn’t the only way you can prepare for ransomware and may not necessarily be the first step.

Data Backups Key to Fighting Ransomware

Rohrman also emphasized the importance of backups and that IT managers need to ensure the backups are happening.

“Having valid backups that are stored off the primary computer is another critical task,” he said. “Do not assume it’s being done. Double and triple check these functions.”

CompTIA Senior Director of Product Development James Stanger echoed Rohrman’s statements about backups.

“You can depend on your own backup more than a vendor patch because you have control over the backup,” he said. “Vendors can’t always get you the latest patch in time, which means that your systems could still be susceptible to zero-day attacks. Your system may have all of the updates the vendor has given, but an exploitable problem still exists.”

He added that, in terms of ransomware, when you know you have your data backed up, you are less likely to feel pressure to pay the ransom because you already have what the cybercriminal is holding hostage.

End Users as the First Line of Defense

Educating users about threats can also help thwart these types of attacks. Rohrman said IT specialists should brace for copycat attacks in the coming weeks. And since computer users of all levels are the primary targets, he added that people need to learn basic rules of thumb, like not clicking or opening fake email messages or links.

At Venable’s Washington, D.C., office, Jamie Barnett is a partner with the company’s telecommunications and cybersecurity practices. The retired U.S. Navy rear admiral said conducting cybersecurity risk assessments can help shore up dangerous breaches.

“What was evident from the global attack is that more companies are vulnerable than expected, and targets have grown,” Barnett said. “Unfortunately, no one can be lax when it comes to cybersecurity.”

Making a Case for Cybersecurity

Admittedly, budgetary concerns often limit the resources set aside for this type of prevention. A company or system that hasn’t been targeted yet may have trouble justifying the expense, but Barnett said that’s a big mistake. The cost of responding after a cyberattack is far more taxing than investing in security up front, especially as ransomware attacks increasingly become a threat instigated by some of the most inexperienced attackers. They have become a fairly easy way to gain fame and wealth on the dark net, which is why we should expect to see more of them.

“Ransomware is a significant risk for organizations,” he explained. “Many organizations pay the ransom and resume business without sharing the information or otherwise addressing the attack, leading to a situation where we cannot react and correct for ransomware attacks as quickly or effectively.”

That risk increases when companies loosen the reins on equipment policies or, as noted earlier, when they don’t sufficiently back up their data, Rohrman said.

“Companies with a bring-your-own-device (BYOD) policy that have no control over their endpoints are also at risk and should back up company data in multiple places or in the cloud, with clear policies and enforcement for accessing it,” he said. “Also, know that the next attack is coming, and it probably won’t look like the last one.”

Natalie Hope McDonald is a writer based in Philadelphia. She can be reached at www.nataliehopemcdonald.com.
