WannaCry: Let's Not Cry
2017-05-29
Corporates need to take cyber security seriously and plan business continuity and incident response strategies for any vulnerability, both individually and collectively.
As per global reports, the WannaCry ransomware attack has affected India and around 150 other countries and infiltrated some 57,000 computers, crippling organisations and networks worldwide. The Maharashtra Cyber Helpline received 282 calls on the first day, Andhra Pradesh reported 14 and Kerala Police also reported many complaints.
This massive ransomware attack became infamous for shutting down a number of hospitals in the UK’s National Health Service (NHS), preventing patients from receiving critical care.
Globally, healthcare, manufacturing, governments, financial institutions and large national enterprises have all been affected by the WannaCry attack.
In China, WannaCry has affected over 30,000 organisations, including hospitals, train stations, universities, government offices, post offices and gas stations. The worst hit is the powerful state-controlled oil company CNPC, which was forced to disconnect the servers of more than 20,000 service stations and temporarily stop accepting online payments.
Quick Heal has detected over 48,000 WannaCry attack attempts in India, 60 per cent of them targeting enterprises and 40 per cent individual customers. According to Quick Heal, Kolkata tops the list of cities by detections, followed by Delhi, Bhubaneswar, Pune and Mumbai.
Ten-Step Recommendations on WannaCry Ransomware
1. Isolate infected devices immediately by removing them from the network. If the network itself is compromised, disconnect all connected devices.
2. Keep backups offline, and scan the backup systems too, so that the malware is not restored along with the data.
3. In case of any malware infection, report to CERT-In for assistance.
4. If your Windows devices have not yet been infected, patch them now (Microsoft’s MS17-010 update closes the hole WannaCry uses) to prevent infection.
5. Organisations should follow a standard operating procedure for routinely patching operating systems, software and firmware on all devices. Larger organisations can opt for a centralised patch management system.
6. Deploy intrusion prevention systems, filtering technologies and similar controls, and keep them updated. Corporates need to scan all e-mail for threats.
7. Back up data routinely, at regular intervals.
8. Corporates need a business continuity and incident response strategy, and should conduct regular vulnerability assessments to harden their systems.
9. Document detection controls and response procedures for ransomware, as this class of threat is here to stay.
10. Corporates need to partner with a diverse array of industry and government bodies to share intelligence and best practices.
Source: VARINDIA
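Steps 1 and 9 above call for isolating infected hosts quickly and for documenting a detection control. The Python script below is an added example, not part of the VARINDIA article or any vendor product: it runs a simple fan-out detector over constructed, Zeek-style connection records and flags any internal host that opens TCP/445 connections to many distinct peers inside a short window, which is the lateral-movement pattern a self-propagating SMB worm such as WannaCry produces. The record layout, the 60-second window and the 20-peer threshold are assumptions to tune against a site's normal file-server traffic.

```python
"""Flag hosts showing worm-like SMB fan-out in connection logs.

Added example, not from the VARINDIA article or any vendor product. It
reads constructed, Zeek-style connection records ("ts src dst dport") and
reports any source that opens TCP/445 connections to many distinct
destinations inside a sliding window, the lateral-movement signature of a
self-propagating SMB worm. Window length and threshold are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

SMB_PORT = 445
WINDOW_SECONDS = 60.0    # assumption: look-back window
FANOUT_THRESHOLD = 20    # assumption: distinct 445 peers per window that is abnormal


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int


def parse_conn_line(line: str) -> Conn:
    """Parse one whitespace-separated record: epoch-seconds src dst dport."""
    ts, src, dst, dport = line.split()
    return Conn(float(ts), src, dst, int(dport))


def detect_smb_fanout(conns: Iterable[Conn],
                      window: float = WINDOW_SECONDS,
                      threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """Return {src: peak distinct TCP/445 peers in any window} for sources
    that reached the threshold. Records are processed in time order."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for c in sorted(conns, key=lambda x: x.ts):
        if c.dport != SMB_PORT:
            continue                      # only SMB matters for this detector
        q = recent[c.src]
        q.append((c.ts, c.dst))
        while q and c.ts - q[0][0] > window:
            q.popleft()                   # age out events older than the window
        distinct = len({dst for _, dst in q})
        if distinct >= threshold:
            peak[c.src] = max(peak.get(c.src, 0), distinct)
    return peak


def sample_log() -> List[str]:
    """Constructed records: a workstation using two file servers, one host
    sweeping 10.0.0.0/24 on 445 in 40 seconds, and unrelated HTTPS traffic."""
    lines = []
    for i in range(30):
        lines.append(f"{1000 + 2 * i} 10.0.1.10 10.0.0.5 445")
        lines.append(f"{1001 + 2 * i} 10.0.1.10 10.0.0.6 445")
    for i in range(1, 41):
        lines.append(f"{1500 + i} 10.0.1.77 10.0.0.{i} 445")
    lines.append("1510 10.0.1.77 198.51.100.7 443")
    return lines


def isolation_candidates(lines: Iterable[str]) -> Dict[str, int]:
    """Parse raw lines and run the detector; the result is the isolation list."""
    return detect_smb_fanout(parse_conn_line(l) for l in lines)


if __name__ == "__main__":
    for host, peers in isolation_candidates(sample_log()).items():
        print(f"isolate {host}: {peers} distinct SMB peers within {WINDOW_SECONDS:.0f}s")
```

The workstation that talks to two file servers all day never trips the detector, while the sweeping host is reported with its peak peer count; feeding the output to a NAC or switch-port shutdown automates step 1. The threshold has to sit above legitimate fan-out such as backup agents or vulnerability scanners, which is why those should be on an allow-list rather than the threshold raised.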
Fortinet’s tracking analysis shows that there has been an average of more than 4,000 ransomware attacks every day since January 1, 2016.
India’s cyber security agency CERT-In has issued a red alert in connection with the latest ransomware attack and has warned users not to pay the ransom.
India is reportedly among the three worst-hit countries, because of high Windows XP penetration and widespread use of pirated Windows.
What is WannaCry Ransomware Cyber Attack?
The WannaCry ransomware attack is based on EternalBlue, an exploit developed by the US National Security Agency (NSA) against a flaw in the SMBv1 file-sharing protocol of Microsoft Windows.
The vulnerability WannaCry exploits affects most desktop and server versions of Microsoft Windows. Systems that had not applied the patch for this vulnerability were affected because the malware behaves like a worm, scanning for and infecting vulnerable systems on the network without any user action. The impact on victims was primarily disruption of service, resulting in lost productivity and revenue.
Ransomware in general is a malware program that enters a computer through e-mail; when a user opens the attachment, the malware infects the system. Once activated, it encrypts the data files it finds on the system, making them inaccessible to the user. It then demands a ransom to be paid to the attackers, who in return may, or may not, provide the decryption key to unlock the encrypted files.
The victim’s data stays encrypted even after the infection is removed; without the decryption key, only a clean backup can restore it. Victims are told that their files will be lost forever if the ransom is not paid within seven days.
The WannaCry malware has been tentatively linked to the Lazarus hacking group, which is held responsible for a series of devastating attacks against government organisations, media and financial institutions. Operations attributed to Lazarus include the Sony Pictures breach in 2014 and the Central Bank of Bangladesh cyber heist in 2016.
Industry Reaction
Given the scale of the WannaCry attack, industry figures from across the sector have commented on its magnitude and on the precautions that can limit its effect.
Speaking on the impact of WannaCry Ransomware cyber attack, Tarun Wig, Co-founder, Innefu Labs said, “Ransomware attacks had taken place earlier also but this is a well-coordinated attack at a massive scale and the impact is huge.”
“Enterprises constantly struggle to stay on top of regular patching cycles as this can impact day-to-day operations in some cases. IBM has a global incident response and intelligence services (IRIS) team to work with affected clients and those using IBM’s BigFix security patching or QRadar Network Protection technologies have been better protected from this attack,” said Kartik Shahani, Integrated Security Leader, IBM ISA.
“IBM’s Managed Security Services team has raised the AlertCon to level 3, which brings a higher level of focus and resources for our clients. We are also leveraging Watson for cyber security to analyze the data and derive insights to prevent future incidents. Companies will need to have an incident response plan in place to quickly recover and also ensure that employees, suppliers and others who work with them receives regular security training,” added Shahani.
“The need for urgent collective action to keep people safe online”: Brad Smith, President and Chief Legal Officer, Microsoft
Early Friday morning the world experienced the year’s latest cyberattack.
Starting first in the United Kingdom and Spain, the malicious “WannaCrypt” software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.
At the same time, it’s already apparent that there will be broader and important lessons from the “WannaCrypt” attack we’ll need to consider to avoid these types of attacks in the future. I see three areas where this event provides an opportunity for Microsoft and the industry to improve.
As a technology company, we at Microsoft have the first responsibility to address these issues. We increasingly are among the first responders to attacks on the internet. We have more than 3,500 security engineers at the company, and we’re working comprehensively to address cybersecurity threats. This includes new security functionality across our entire software platform, including constant updates to our Advanced Threat Protection service to detect and disrupt new cyberattacks. In this instance, this included the development and release of the patch in March, a prompt update on Friday to Windows Defender to detect the WannaCrypt attack, and work by our customer support personnel to help customers afflicted by the attack.
But as this attack demonstrates, there is no cause for celebration. We’ll assess this attack, ask what lessons we can learn, and apply these to strengthen our capabilities. Working through our Microsoft Threat Intelligence Center (MSTIC) and Digital Crimes Unit, we’ll also share what we learn with law enforcement agencies, governments, and other customers around the world.
Second, this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.
At the same time, we have a clear understanding of the complexity and diversity of today’s IT infrastructure, and how updates can be a formidable practical challenge for many customers. Today, we use robust testing and analytics to enable rapid updates into IT infrastructure, and we are dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments.
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.
Brad Smith is Microsoft’s president and chief legal officer. Smith plays a key role in representing the company externally and in leading the company’s work on a number of critical issues including privacy, security, accessibility, environmental sustainability and digital inclusion, among others.
Kiran Bhagwanani, Chief Executive Officer, Dimension Data India said, “Organizations will keep facing such attacks until we embed security into everything we plan and implement. The overall approach to security needs a fresh perspective. A key breeder of such issues is the requirement within organisations for boundary-less infrastructure, created to facilitate the seamless flow of data between different entities across the organisation. The end user has become the perimeter, and all assaults are directed at penetrating the weakest end user.”
Commenting on WannaCry, Sunil Sharma, Vice President – Sales, Sophos, India & SAARC said, “We believe this is the first example of a commercial malware attack using ransomware techniques that took advantage of an exploit allegedly leaked from the US National Security Agency (NSA) and uses a variant of the ShadowBrokers APT EternalBlue exploit. We encourage all customers to deploy the Microsoft patch that mitigates the underlying vulnerability in the Windows operating system. It is imperative that businesses everywhere update their operating systems, their security software and educate their users against phishing attacks. This is a best practice to reduce the risk from any attack.”
“Sophos advises that all users of Sophos Home ensure their Windows operating system has been updated with the latest Microsoft updates and that their security software is also up to date. We also invite and encourage all home users to try our new Sophos Home Premium beta which is also free,” added Sharma.
Speaking on Ransomware cyber attack, Sanjay Katkar, MD & CTO, Quick Heal Technologies said, “India is getting hit hard by such attacks as India has a large number of Windows users who do not have proper security patches applied and rely on inadequate internet security. Our observation is that the attack is not focused towards any particular industry but it is widely spread across industries especially those organisations which are online and connected. In the last few days, we have received distressed calls from customers belonging to verticals like education, banking, financial, manufacturing, health care and even from few services sectors.”
Mukul Shrivastava, Partner, Fraud Investigation & Dispute Services, EY India said, “Incidents of such nature and magnitude serve as warning signals for both public and private sector enterprises to have a proactive approach and invest in technologies as well as skilled staff to mitigate and remediate cyber incidents.”
Budiman Tsjin, Senior Technical Consultant, RSA Asia said, “The ransomware ‘WannaCry’ managed to stop cars, factories and hospitals across the world over the weekend.”
L.C. Singh, Founder, Vice Chairman and CEO, Nihilent Technologies, said, “Standard best practices of deploying the latest operating systems, application patches and anti-virus go a long way in reducing these attacks. Organizations must have information security policies that reduce exposure to malware, and will need to develop, deploy, monitor, and test security tools throughout their network. The aim is to detect any hint of anomaly using machine learning on past data, to be able to avoid compromises and, in the event they do get infected, ensure a faster recovery.”
Altaf Halde, MD, Kaspersky Lab said, “The analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday. This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.”
“Although this similarity alone doesn’t allow proof of a strong connection between the WannaCry ransomware and the Lazarus Group, it can potentially lead to new ones which would shed light on the WannaCry origin, which for the moment remains a mystery,” added Halde.
“Fortinet’s FortiGuard Labs has been monitoring and analyzing threat telemetry gathered from over two million sensors around the world. WannaCry and its variants are a highly virulent ransomware strain which is capable of self-replicating. This ransomware is being referred to by a number of names, including WCry, WannaCry, WanaCrypt0r, WannaCrypt and Wana Decrypt0r. It spreads through an alleged NSA exploit called ETERNALBLUE that was leaked online in April 2017 by a hacker group known as The Shadow Brokers. ETERNALBLUE exploits a vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) protocol,” said David Maciejak, Director, Security Research, Fortinet.
"WannaCry has infiltrated thousands of organisations around the world, including many key institutions. This ransomware is especially notable for its multi-language ransom demands that support more than two-dozen languages,” added Maciejak.
“Fortinet addresses organizations’ cyber security challenges with an intelligent Security Fabric that spans the entire network, linking different security sensors and tools together to collect, coordinate, and respond to malicious behavior whenever it occurs,” said Maciejak. “Only by harnessing all their cyber defence resources in a coordinated way can firms effectively fight massive cyberattacks like WannaCry.”
Speaking on WannaCry Ransomware, Mark Hughes, CEO, British Telecom Security has recommended four basic steps to stay secure. First, check you have the patch applied and running correctly across your global IT estate. Second, work closely with your AV vendors and Microsoft to ensure you have the latest virus protection available. Third, discover whether you have been infected, limit the spread as far as possible then neutralise to avoid the malware detonating.
Fourth, isolate and roll-back, contain the affected machines, clean them, then restore the data.
Ankush Johar, Director, HumanFirewall.io said, “The first line of protection is Backup, Backup, Backup! Then Update with the MS17-010 patch and disable SMBv1 on your Windows machines. Even if the Ransomware affects you, the backup will protect your digital assets, and please keep the digital assets away from the internet altogether.”
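Maciejak's note above that ETERNALBLUE targets the SMBv1 protocol, and Johar's advice to disable SMBv1, raise a practical question for defenders: which hosts still negotiate SMBv1, and did the change take? The Python below is an added example, not from the article or any vendor: it classifies the raw TCP payload of an SMB negotiate request, as carried in a port-445 packet capture, by protocol family and offered dialects. The two sample requests are constructed inline (they are not captures) to mirror the shape a Windows client sends with SMB1 enabled (a multi-protocol SMB1 negotiate listing "NT LM 0.12") and with SMB1 disabled (a direct SMB2 negotiate); the NetBIOS and SMB field offsets follow the published MS-CIFS and MS-SMB2 layouts.

```python
"""Classify SMB negotiate requests by protocol family and offered dialects.

Added example, not from the VARINDIA article. Input is the raw TCP payload
of a negotiate request seen on port 445: a 4-byte NetBIOS session header
followed by an SMB1 (0xFF 'SMB') or SMB2 (0xFE 'SMB') message. The sample
requests are constructed here, not captured.
"""
from typing import Dict, List

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB1_NT_DIALECT = "NT LM 0.12"   # the SMB1 dialect modern Windows still offers


def _smb_message(payload: bytes) -> bytes:
    """Strip the NetBIOS session header (type byte + 24-bit big-endian length)."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated SMB message")
    return msg


def classify_negotiate(payload: bytes) -> Dict[str, object]:
    """Return {'version', 'negotiate', 'dialects', 'accepts_smb1'} for one request."""
    msg = _smb_message(payload)
    magic = msg[:4]
    if magic == SMB1_MAGIC:
        # SMB1 header is 32 bytes; the command byte follows the magic.
        if len(msg) < 35 or msg[4] != SMB1_COM_NEGOTIATE:
            return {"version": "SMB1", "negotiate": False, "dialects": [], "accepts_smb1": True}
        word_count = msg[32]
        bc_off = 33 + 2 * word_count
        byte_count = int.from_bytes(msg[bc_off:bc_off + 2], "little")
        data = msg[bc_off + 2:bc_off + 2 + byte_count]
        # Each dialect is a 0x02 format byte followed by a NUL-terminated string.
        dialects: List[str] = [
            chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
            for chunk in data.split(b"\x02")[1:]
        ]
        # A client listing any non-"SMB 2.x" dialect will fall back to SMB1 against
        # an SMB1-only server, so it is still exposed to the MS17-010 attack path.
        accepts_smb1 = any(not d.startswith("SMB 2.") for d in dialects)
        return {"version": "SMB1", "negotiate": True, "dialects": dialects,
                "accepts_smb1": accepts_smb1}
    if magic == SMB2_MAGIC:
        # SMB2 header is 64 bytes; Command is the uint16 at offset 12.
        command = int.from_bytes(msg[12:14], "little")
        if command != SMB2_NEGOTIATE:
            return {"version": "SMB2", "negotiate": False, "dialects": [], "accepts_smb1": False}
        body = msg[64:]
        dialect_count = int.from_bytes(body[2:4], "little")
        # The fixed part of the NEGOTIATE body is 36 bytes; uint16 dialects follow.
        dialects = ["0x%04x" % int.from_bytes(body[36 + 2 * i:38 + 2 * i], "little")
                    for i in range(dialect_count)]
        return {"version": "SMB2", "negotiate": True, "dialects": dialects,
                "accepts_smb1": False}
    raise ValueError("payload is neither SMB1 nor SMB2")


def build_smb1_negotiate(dialects: List[str]) -> bytes:
    """Constructed SMB1 NEGOTIATE request (WordCount 0) behind a NetBIOS header."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(27)       # 32-byte header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + len(data).to_bytes(2, "little") + data             # WordCount, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb2_negotiate(codes: List[int]) -> bytes:
    """Constructed SMB2 NEGOTIATE request (StructureSize 36) behind a NetBIOS header."""
    header = (SMB2_MAGIC + (64).to_bytes(2, "little") + bytes(6)
              + SMB2_NEGOTIATE.to_bytes(2, "little") + bytes(50))      # 64-byte header
    body = ((36).to_bytes(2, "little") + len(codes).to_bytes(2, "little") + bytes(32)
            + b"".join(c.to_bytes(2, "little") for c in codes))
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed samples: a client with SMB1 enabled, and one with it disabled.
LEGACY_CLIENT = build_smb1_negotiate(
    ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
     "LM1.2X002", "LANMAN2.1", SMB1_NT_DIALECT, "SMB 2.002", "SMB 2.???"])
MODERN_CLIENT = build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])

if __name__ == "__main__":
    for name, pkt in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(name, classify_negotiate(pkt))
```

Run it over the first packet of each port-445 session in a capture taken at the core switch: every source whose negotiate reports `accepts_smb1` is a host where the SMB1 client is still on. On the Windows side the disable step itself is `Set-SmbServerConfiguration -EnableSMB1Protocol $false` (server) and `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` (Windows 8.1/10 client) in an elevated PowerShell; a second capture afterwards should show those hosts opening with the 0xFE 'SMB' magic instead.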
Pravin Prashant
pravin@varindia.com