Sunday, 14 May 2017
The WannaCry Ransomware Attack: A new uncertain world
It was early in the morning of Saturday, the 13th of May, when several automated processes at Renault’s Sandouville manufacturing unit in northern France started to malfunction. At first, the shop floor thought it was a single error on a single server that was the cause, until the supervisory team realized that the automatic alarm – which should’ve been triggered by a quality control system independent of the manufacturing control unit – had failed to go off as well. The facility came to an immediate manually prompted halt as thoughts turned towards the most obvious reason – a probable attack by hackers. It was to turn out to be much worse.
At noon of the same day, all of Renault’s French manufacturing units had ground to a halt and management was assessing what appeared to be a well co-ordinated and comprehensive ransomware attack. By then, however, it was apparent that this was a much wider attack than one targeting Renault. The British Health Service was affected, with several clinics and surgeries turning back patients. Spanish telecommunications giant Telefonica was among the many targets in that nation and – although the enterprise escaped relatively unscathed – the fact that a network as sophisticated and tech-savvy as Telefonica’s had been breached was causing bewildered concern. It soon emerged that the malware had, in fact, first struck on the 12th – a few hours prior to the crisis at the Renault facilities. It was a ransomware that identified itself as “WannaCry” and demanded a payment of $300-$600 for each instance, in exchange for restoring data and functionality. Several unique features – it was the first ever self-propagating ransomware, for instance – indicated a highly sophisticated and unprecedented malware.
Europe’s police co-ordination agency was estimating in excess of 200,000 affected terminals on the continent and Chinese agencies were reporting more than 1 million compromised machines worldwide. The unprecedented and dramatic attack had been recorded in more than 150 countries, making it the most comprehensive such attack ever. For once, no hyperbole seemed excessive or indeed sufficient as a description. The attack had compromised businesses across profiles that adhered to no particular geographies or states of preparedness. Heavily secured and well-administered networks – including hospitals and government agencies – had succumbed to the attack in staggering numbers. To borrow the famous phrase used by President FD Roosevelt in the aftermath of the Pearl Harbour attack, it was a day that would live in infamy.
In response to a brazen attack of such shocking scale and scope, the IT security industry swung into action to determine the nature of the menace and the possible strategies that could be employed to control the spread of the malware and to assist those affected by it.
Microsoft was quick to release what was described as a “highly unusual” patch for its Windows XP product – which had not been included in a recent software update issued in April – and recommended upgrading to the latest version of its Windows OS as a defence. Several groups of ethical hackers were of the opinion that the malware had signatures of cyber tools created by the United States NSA, which may have been leaked or stolen – this was later denied by the NSA.
It is a measure of how unstoppable the malware proved to be in the initial days after the attack that none of these hypotheses could be confirmed with any great certainty. The one consensus that did appear to form across most groups of cyber security services and privacy experts was that an established practice of developers and companies – that of leaving “back doors” embedded in their products – ought to be terminated. According to them, the core issue was precipitated by this information falling into the wrong hands.
The UAE survives relatively untouched
UAE-based Managed Security Service providers – as well as those in other locations across the UAE – swung into action to share resources and ideas, taking advantage of the fact that much of the country’s IT networks had not reported anything like the rate of incidence observed in other locations. An initial lag in the spread of the malware allowed SOC services and security service providers in the UAE to spread awareness as well as enforce selective geo-blocking filters. However, many security experts were of the opinion that the installation of several updates and the implementation of better and smarter filters was needed to safeguard the region’s networks from similar attacks in the future. Expert assessment largely came to the consensus that a good deal of coincidental fortune may have helped the region escape relatively unscathed.
While uniformly accepted conclusions have yet to emerge in the aftermath of the WannaCry ransomware attack, the IT security services industry can draw some initial comfort from having contained the particular attack in question. Initial informal consensus – in terms of strategic response – has centered on networks updating to the latest available OS versions and configurations, as well as the ability to isolate servers and terminals at the first sign of attack. Advanced threat monitoring has emerged as a critical component of the response moving forward, with most antivirus and security-oriented products striving to upgrade their suites.
Cyber security experts are studying regions that remained relatively unaffected to identify strengths and weaknesses. The initial period for which networks in the Middle East region remained unaffected may have been due to the rapid response by IT and security experts in the UAE, and the general readiness with which the UAE cyber security industry responded. Similar assessments are being pursued in all geographies and profiles that seemed to restrict the spread of the attack.
By the 20th of May, a group of French developers had already released tools that could assist enterprises and organizations affected by the WannaCry attack to recover some or all of the data that had been compromised. In a sense this was the completion of a circle – for the time being – in the French IT security industry – from the effects of the attack as experienced by Renault to the release of this data recovery solution. Despite the enormous and unprecedented scale of the attack, a relatively negligible number of users and organizations actually conceded to the ransom demand – which may deter some future attacks on the basis of ineffectiveness and risk versus reward.
While cyber security experts and Managed Security Services providers are breathing a lot easier in recent days, they also universally acknowledge that the battle for IT security, in the age of ransomware, may have just begun. WannaCry brought the IT security industry to its knees for a few days – across the globe and at lightning speed. Some comfort can be drawn from the response, which has seen the damage minimized and contained – it is important to study the strategies that worked, so that best practices can be identified and emulated. However, the prospect of a future attack, using a version of the ransomware that does not contain the “kill switch” – the feature that helped to isolate it – remains a very real and very worrying threat that cannot be taken lightly.
In the future, we may well look at the ransomware trend – especially WannaCry – as the singularity that forever changed our approach to IT security and our attitude towards threats from malware. For any enterprise that values the business it has built and any user who tries to be a responsible participant in the larger business community – as well as their particular network of clients, collaborators and colleagues – inaction, postponing response or ignoring threats and vulnerabilities is no longer an option.