
Industry Reactions to WannaCry Ransomware Attacks

Source: http://www.securityweek.com/industry-reactions-wannacry-ransomware-attacks
WannaCry Ransomware

[Infographic: sectors hit include manufacturing plants, transportation companies, government agencies, hospitals, banks and ISPs.]

The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, has infected more than 200,000 devices worldwide.

Attackers earned more than $50,000 in just a few days.
Leaked NSA Exploit Spreading WannaCry Worldwide

The attacks involved exploits dubbed EternalBlue and DoublePulsar, both leaked recently by a hacker group calling itself Shadow Brokers. The exploits were allegedly used by a threat actor called the Equation Group, which has been linked to the NSA.

[Diagram: The Shadow Brokers released the EternalBlue exploit -> it leverages an SMB vulnerability in outdated Windows PCs -> where the EternalBlue exploit is present, WannaCry succeeds.]
Industry professionals shared thoughts on the WannaCry attacks,
including the ICS, insurance, legal, cybersecurity strategy, attribution
and other aspects of the story.

And the feedback begins


At the risk of sounding overly paranoid, I find it hard to believe that someone would orchestrate a global coordinated attack
like this just to earn 50 thousand dollars. Security guru Bruce Schneier recently wrote that Russia and other nation-states
often commit cyber-actions just for bragging purposes. For me, it's completely tenable that WannaCry is simply the Russians
bragging they're already so deep into our critical infrastructure that we can't do anything about it.

Either way, it's worth noting that many of the SCADA applications embedded in our electrical grid and manufacturing plants
were developed years ago and are tethered to older versions of Windows -- so the fix isn't going to be easy.

In the meantime, we should treat this attack as a persistent threat and continuously monitor both IT and OT networks for unusual activity. After all, how do we know that the same vulnerabilities haven't already been well-exploited for cyber-reconnaissance and cyber-espionage purposes? Or, that this isn't just the first phase of a more elaborate targeted campaign with the goal of causing massive disruption to our critical infrastructure and our economies?

Phil Neray
VP of Industrial Cybersecurity, CyberX
@rdecker99
Based on IBM X-Force analysis of over 500M spam e-mails, it seems likely the initial victims of the WannaCry ransomware did
not get infected by opening a malicious e-mail or attachments. This means that criminals might have compromised systems
by other means. This makes finding patient zero even more critical in the investigation. IBM X-Force is actively working with
clients and law enforcement to track down this data.

Since Asia and Europe have come online today we've seen a modest increase in the amount of victims paying the ransom. So far, cybercriminals have pulled in $54,877.46 which continues to grow at ~1 BTC per hour.

Given the widespread propagation of the WannaCry ransomware in Eastern Europe and Asia, our research team suggests
that these regions may be using older Microsoft software that is unsupported or pirated.

Wendi Whitmore
Global Lead, IBM X-Force IRIS
@wendiwhitmore
The ransomware attack raises the possibility that victims will face regulatory enforcement actions and civil litigation in the U.S. and elsewhere. Indeed, last fall the former Chairwoman of the Federal Trade Commission (FTC) warned U.S. businesses, in the context of addressing ransomware, that a company's unreasonable failure to patch vulnerabilities might be cause for an enforcement action under the FTC Act. Further, the possibility of harm to consumers, particularly those who are potentially harmed by the loss of sensitive medical or financial data, raises the possibility of costly class action litigation against companies that are the victims of ransomware attacks.

Joe Facciponti
Attorney with Cadwalader, Wickersham & Taft
@Cadwalader
Watching this story continue to unravel has truly highlighted the need for cyber insurance. Any company can experience a vulnerability no matter how prepared they think they are. While ransomware can result in a company paying small, very random amounts, business interruption can be much more significant and can potentially cost millions.

There will always be a vulnerability that can't be controlled and from an insurance standpoint, this is validation for the industry. In addition to having companies properly train their employees and ensure that they are up to speed on the importance of updating software patches in a consistent routine and have backup plans in place, it pays to have cyber insurance. Cybersecurity breaches are a reality every business must think about and having a whole team dedicated to helping you when something like this happens - from breach coaches and responders to forensic investigators - it's the best way to mitigate damages. We're continuing to learn from attacks like these by researching and working with industry experts to better understand the best ways to mitigate losses for our clients.

Bill Kelly
Senior Vice President, E&O Underwriting, Argo Group
@argo_group
I applaud Microsoft for making the bold move to patch older, unsupported operating systems. They are under no obligation to do so and the organizations that did not upgrade their systems despite Microsoft's statements that the OSes were moving to an unsupported state must accept the risk and responsibility for their decision. I liken it to this: when was the last time you took your eight-year-old car in for service and the repair shop said, "Don't worry. I'll just find that part which is no longer being produced and have it here in twelve hours for you, free of charge." That's what Microsoft did.

Will Microsoft's release of a patch encourage organizations NOT to upgrade older systems? Probably. But what a shame that will be. If they don't, they will be hacked again. And again. And again.

I applaud Microsoft's desire to have a Digital Geneva Convention but at the same time, feel it's a bit naive. Attacking a civilian or a hospital with a grenade is far easier to spot and track than cyber weapons. And honestly, do we expect hackers, people who are behind these dreadful attacks, to adhere to some ethical set of guidelines? I think not.

Jackson Shaw
Senior director of product management at One Identity
@JacksonShaw
The first response to this threat is to make sure all Windows-based machines are patched - this is a standard best practice.
However, in industrial environments not all systems can be patched, since some support continuous operations that must
operate 24x7. Such systems can't be restarted, for example. There are also concerns around system availability and stability
associated with deploying security patches.

Meanwhile, non-Windows based systems in industrial networks are also exposed to cyber threats and are much more difficult to protect. This includes the critical automation controllers (PLCs, RTUs and DCS controllers) that can't be easily patched, or don't have patches available. To make matters worse, due to the lack of encryption and access controls in industrial networks, attackers do not need to exploit vulnerabilities in order to compromise these critical control devices and shut down operations.

Barak Perelman
CEO, Indegy
@BarakPerelman
Historically, general purpose, run-of-the-mill malware that leverages SMB and NetBIOS interfaces in the industrial environment is particularly troublesome, with many systems remaining infected many years later.

With the WannaCry/WanaCrypt ransomware in the wild, crossing into industrial control systems would be particularly
devastating. Systems requiring real-time interfacing and control influence over physical assets could face safety/critical
shutdown, or worse. When thinking about critical services to modern society (power, water, wastewater, etc.), there is a real
potential, potentially for the first time ever, where critical services could be suspended due to ransomware. It may be time to
rethink critical infrastructure cybersecurity engineering, because if MS17-010 exploiting malware variants are successful, we
are clearly doing something wrong.

Brad Hegrat
Director of Advisory Services, IOActive
@IOActive
The spread of the attack was brought to a sudden halt when one UK cybersecurity researcher found and inadvertently
activated a kill switch in the malicious software. It turns out that the virus was coded to check to see if an obscure website
address was registered and live and to halt if this was the case. It was effectively a kill switch. This however can easily be
overcome in a modified release which is what has already happened. Yes, this has indeed slowed the initial attack but this is
only the first wave of such wormable ransomware attacks.

Finally, the warnings that security experts have been sounding for years have finally come to the attention of the public - that is, that more money needs to be spent on cybersecurity, that organizations need to run modern patched operating systems and educate their staff in safe computing and, of course, simply back up. Regular off-premises (or non-network-attached) backups would have prevented this modern nightmare.

Kevin Curran
IEEE Senior Member and
Cybersecurity Professor at Ulster University
@profkevincurran
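The kill-switch behaviour described in the quote above gives defenders a cheap detection signal, whether or not the domain is live: a host that looks up that domain is a host on which the worm has already executed and is performing its pre-check. The script below is an added example, not code from the article or from the researcher; it parses a few constructed DNS query log lines and reports which internal clients queried the domain and when. The domain name killswitch.example is a labelled placeholder (the real name is not given on this page) and the log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for the sinkholed kill-switch domain. The real name is not part
# of the article, so a labelled dummy is used here.
KILL_SWITCH_DOMAINS = {"killswitch.example"}

# Assumed resolver log format (constructed for this example, not any real
# product's): "<ISO timestamp> client=<ip> query=<name> type=<rrtype> rcode=<rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) "
    r"type=(?P<rrtype>\S+) rcode=(?P<rcode>\S+)$"
)

# Constructed sample log lines so the example runs offline.
SAMPLE_LOG = """\
2017-05-12T09:14:02Z client=10.0.3.17 query=www.example.org type=A rcode=NOERROR
2017-05-12T09:14:05Z client=10.0.3.17 query=killswitch.example type=A rcode=NXDOMAIN
2017-05-12T09:14:06Z client=10.0.3.22 query=killswitch.example. type=A rcode=NXDOMAIN
2017-05-12T09:15:40Z client=10.0.7.9 query=mail.example.org type=MX rcode=NOERROR
2017-05-12T09:16:11Z client=10.0.3.17 query=KillSwitch.Example type=A rcode=NOERROR
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so that set membership works regardless of how the client wrote it.
    rec["name"] = rec["name"].lower().rstrip(".")
    return rec


def find_kill_switch_queries(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client IP to the number of kill-switch lookups it made.

    The rcode is deliberately ignored: the malware's halt/continue decision
    depends on whether the domain answers, but the lookup itself is what
    marks a host that has run the dropper, so NXDOMAIN and NOERROR both count.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["name"] in domains:
            hits[rec["client"]] += 1
    return dict(hits)


def first_seen(log_text, domains=KILL_SWITCH_DOMAINS):
    """Earliest timestamp at which each client queried a kill-switch domain."""
    earliest = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["name"] not in domains:
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["client"] not in earliest or ts < earliest[rec["client"]]:
            earliest[rec["client"]] = ts
    return earliest


if __name__ == "__main__":
    hits = find_kill_switch_queries(SAMPLE_LOG)
    when = first_seen(SAMPLE_LOG)
    for client, count in sorted(hits.items()):
        print(f"{client}: {count} kill-switch lookup(s), first at {when[client].isoformat()}")
```

Because the quote also notes that the check is trivially removed in a modified build, this signal only catches variants that still perform the lookup; an empty result is not evidence that no host is infected, and the first-seen timestamps are most useful for scoping which machines to pull for triage first.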
Most effective malware has the ability to adapt and use a number of exploits to infect and propagate. We are witnessing a
jackpot or perfect storm combination that has allowed this attack to be so effective so quickly. It reminds me of incidents like
Conficker, where all the right exploits came together to create the Mona Lisa of cyber attacks.

One tweet criticized Edward Snowden and called out the NSA for not privately disclosing the SMBv1 exploit when they first
discovered it. While I do not condone agencies for discovering exploits and keeping them quiet, which puts us at long term
risk, this vulnerability had the potential to contribute just as badly to an attack of this magnitude, regardless. Think about it:
whether the vulnerability was disclosed a year ago or just recently, a knowledgeable attacker would have taken advantage of
the vulnerability. This update, regardless of when it was released, made a change in the handling of SMB traffic which could
cause significant issues when rolling out an update.

Chris Goettl
Product manager at Ivanti
@ChrisGoettl

Due to compliance regulations, such as HIPAA, healthcare network admins cannot easily update Internet connected medical devices with the newest operating systems and patches. These devices are sealed to protect the equipment from failure in the event a software update inadvertently affects the operation of the device. While this ultimately protects patients from potential harm from a malfunctioning device, it has the potential to leave the network open to attackers who are finding new ways to exploit old vulnerabilities, such as the recent WannaCry attack. If these devices aren't updated by the manufacturers immediately, they will continue to be susceptible to these types of attacks.

To better protect hospital networks that are using Internet connected medical devices, we recommend reviewing and beefing up backup processes. It becomes essential to have an offsite backup on a daily basis. More important is a robust, tested, disaster recovery process that ensures core IT systems can be brought back up in a few hours. Most hospitals have backup in place to support compliance, of course, but really cannot restore key applications and recover operations fast enough in the face of a ransomware attack. When an environment faces a true disaster, even a well-planned disaster recovery strategy will typically take days until full operations are restored. Do the work to make sure this takes only a few hours.

Moshe Ben-Simon
Co-founder & VP services at Trapx
@TrapXSecurity
This is a blast from the past as this kind of ransomware isn't anything new. For far too long, organizations have been ignoring basic firewall hygiene which is why WannaCry has gotten out of hand so easily.

This is not the worst-case scenario. The silver lining is that this wasn't a destructive terrorist or nation state attack. Because it was profit-driven, it was designed to be undone upon payment and therefore there may be a chance to recover. However, this is a huge proof of concept for nation state actors that want to do something that might not be recoverable.

Sean Sullivan
Security advisor at F-Secure
@5ean5ullivan
Within a company, security and data protection are not just the job of your CISO and CPO. It's everyone's responsibility every day. Your employees may not be responsible for updating their corporate laptops and company issued devices, but if they're connecting to your corporate networks with personal devices, or home computers, they must be responsibly applying patches and updates to their own systems. Good cyber hygiene requires that you patch and update your operating systems regularly and as often as necessary. Operating systems that were properly patched were protected from this vulnerability by default.

Going forward you must implement continuous and ongoing education of your employees. This education cannot be a once a year training course, but rather it must be pervasive throughout the culture of your organization. Because in the absence of security education or experience, people (employees, users, and customers) naturally make poor security decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely. Your security and data protection education program should include information about the importance of patching your operating systems and the direct tie of unpatched systems to vulnerabilities.

Dana Simberkoff
Chief compliance and risk officer at AvePoint
@danalouise
This incident exposes how a two-month old vulnerability can cause global panic and paralyze the largest companies and governmental institutions on all continents. Worse, cybercriminals could have easily released this worm just after the NSA's 0day was leaked two months ago, and this would have led to much more destructive consequences.

It would be unreasonable and inappropriate to blame the NSA for any significant contribution to this attack. Similar 0days are bought and sold almost every day, and many other organizations participate in these auctions - virtually anyone can (un)intentionally leak an exploit and cause similar damage. The real problem is that in 2017, the largest companies and governments still fail to patch publicly disclosed flaws for months. Practically speaking, the NSA doesn't really need a 0day to get their data - their negligence "invites" attackers to get in. Companies and organizations that have fallen victim to this attack can consider contacting their legal departments to evaluate whether their IT contractors can be held liable for negligence and breach of duty. Failure to update production systems for over two months can certainly qualify at least as carelessness in many jurisdictions.

Ilia Kolochenko
CEO of High-Tech Bridge
@htbridge
Ransomware is following the same trajectory as phishing. The criminals have worked out how to monetize the crime, and they know which types of businesses are likely to pay up -- and how to collect the money without being caught.

It appears that the NSA breach has accelerated the process. Instead of having to develop their own zero-day attacks, the criminals have made use of an arsenal developed by experts at developing cyber-weapons.

The U.S. government clearly had its priorities wrong. Whether or not you think the U.S. government should be spending a
fortune developing such cyber-weapons, surely it is obvious that the weapons they develop should be properly secured. If
someone had lost a nuclear weapon, heads would have rolled. The CIA and NSA have been breached on a massive scale, and
now the effects are being felt. What is going to be done to stop further leaks?

Phillip Hallam-Baker
Principal scientist, Comodo
@comododesktop
