Chad Kelly (Trend Micro); Chris Rowley (SolarWinds MSP); Zoaib Nafar (The Missing Link); Leonard Kleiman (RSA); James Sillence (Juniper Networks); James Henderson (ARN); Robert Kingma (ICT Networks); Tony Vizza (Sententia); Richard Tomkinson (Cloudten); Ken Pang (Content Security); Martyn Young (F5 Networks); Daniel Johns (ASI Solutions); Samantha Gotting (Kaspersky Lab) and Malcolm Salameh (Airloom)
Billed as the “biggest ransomware outbreak in history”, WannaCry took charge of the world for a weekend in May.
Crippling organisations across 150 countries and four continents, over 200,000 computers were infected with more than 10,000 organisations impacted.
With estimated economic costs approaching US$4 billion, this was no ordinary ransomware attack, rather a calculated attempt to grab the attention of the planet, an attempt achieved spectacularly through the paralysing of the UK National Health Service (NHS), the Russian government and the Spanish telecommunications sector.
Europe bore the brunt of the attack, as German railways also screeched to a halt, while US- based courier FedEx Corp suffered interference as the ransomware spread to Asia and South America.
Known as WannaCry and variants of that name, the malicious software locked computers in thousands of locations worldwide, demanding US$300 ransom per machine to be paid in cryptocurrency Bitcoin to unlock devices.
Creating front page headlines across the world, following a weekend of attacks in the Northern Hemisphere, Australia anxiously waited for WannaCry to strike. Yet an all out assault was avoided.
“It wasn’t as bad as what it could have been in Australia,” Airloom chief revenue officer Malcolm Salameh observed. “Europe got it first so everyone was patching over the weekend.
“Cyber security is something that is absolutely a business topic today whereas 12-18 months ago it absolutely was not. But now it creates a risk discussion, similar to competitive, market or people risk.”
For Salameh, the question of cyber represents another form of risk for businesses, a decision validated by the recent outbreak.
“Cyber requires a board level discussion and not necessarily an IT discussion,” Salameh added. “We specialise in high-end type work and WannaCry has validated a problem that needs to be addressed.”
Following three days of chaos, the spread of the attacks was eventually stopped when UK security researcher, MalwareTech, purchased a domain to help track the virus that ended up acting as a kill switch.
The vulnerability was one that had been identified by the National Security Agency (NSA), and leaked by a group called the Shadow Brokers in April.
“For a long time now, basic cyber hygiene has not been addressed well by many organisations,” RSA chief cyber security advisor APJ Leonard Kleiman said. “This attack emphasises the importance of getting the basics right.”
Legacy systems
Yet despite the world recovering, and Australia breathing a sigh of relief, the breach highlights the value of establishing effective security strategies for organisations across the country, irrespective of size or stature.
“Australia has been fortunate to avoid being hit but the industry now has material to put in front of customers,” SolarWinds MSP sales engineer Chris Rowley added. “They can use this material to build up towards a risk management type discussion because customers won’t move until they see something impactful such as WannaCry.”
Disrupting 61 internal organisations, the NHS in the UK was one of the worst impacted during the outbreak, with media outlets reporting outdated legacy systems as the main reason for the attack.
Specifically, the health service faced widespread criticism for its continued reliance on Windows XP, a version of Microsoft’s operating system that debuted in 2001.
“More than 60,000 machines were compromised in the UK and that was the NHS,” ASI Solutions head of services Daniel Johns observed. “The patching policy across the organisation would have been pretty similar so if it infiltrated one person it would have spread like wildfire.”
Spread like wildfire it did, crippling the system as infected and outdated systems slugged to a halt, leaving patients stranded and without medical care.
Following a public backlash, the NHS insisted that usage of XP had in fact fallen to 4.7 per cent, while claiming that expensive hardware — such as MRI scanners — could not be updated immediately.
The ability to bring down the entire health service of a nation due to legacy technology and an inability to securely update controls points to a worrying occurrence for customers across the world.
“If you look at the healthcare system in Australia, a lot of the ultrasounds and MRI machines are still run by Windows XP and they have to be because they’ve got no choice,” Sententia cyber security practice director Tony Vizza said.
“We were very fortunate purely on a timing basis because when it hit the NHS it was during the middle of a Friday when they were doing their scans, had it happened on a Monday in Australia, then we would have been hit just as bad.”
With recommendations immediately issued to install relevant Windows security updates, the importance of deploying up-to-date technology continues to heighten.
Yet despite such a call for action, do customers recognise the value of a refresh?
“It’s not necessarily the customer mentality of not updating new systems, it’s a vendor mentality,” Johns said. “The reason those machines can only run on Windows XP is because the vendor hasn’t updated software to run on more recent platforms which puts a huge constraint on managed service providers [MSPs] to support them.
“I could tell a customer that I can’t support Windows XP machines, which is fine in a vacuum but in reality, if one of those machines goes down and it’s key to their business, the noose is still around my neck to make sure the systems come back online and works.”
Mainstream attention
Throughout the attack, WannaCry demonstrated the ability to spread itself within corporate networks without user interaction, by exploiting known vulnerabilities in Microsoft Windows with computers that do not have the latest Windows security updates applied at risk of infection.
While the ransomware can spread itself across an organisation’s networks by exploiting a vulnerability, the initial means of infection — how the first computer in an organisation is infected — remains unconfirmed.
“For the most part I think this was a shot across the bow,” Trend Micro territory manager Chad Kelly assessed. “Ransomware is happening everywhere so I think the fall out has been expected, for the most part what we’ve seen is a showing of what we are yet to see.
“The Shadow Brokers are threatening to strike again and if that’s the case they are kind of toying with us.”
During the past 12 months, enterprise scale cyber security breaches have become more successful, with every industry sector facing increased threats.
Today, businesses must invest to reduce cyber risks to an acceptable level and protect client data effectively to remain competitive in challenging markets.
Yet despite the rhetoric, only a ransomware attack of this magnitude can help change customer direction.
