After Wiping Our Tears from WannaCry…

As the dust begins to settle on the large ransomware outbreak that started on May 12, 2017, known as WannaCry or Wanacryptor, it is important to begin focusing on how to prevent issues like this in the future. Most articles to date have been focused on the exciting aspects of the WannaCry incident such as the relationship of the incident to the leaking of NSA hacking toolkits by the group called the Shadow Brokers on April 8 (including their chilling message to President Trump), as well as the identification and activation of WannaCry’s “kill switch” by 22 year old security researcher Marcus Hutchins (aka @MalwareTechBlog) from the UK. There are even reports that North Korea may be behind the actual attack. The worm aspect of the ransomware also was of interest from a technical standpoint because this allowed the malware to infect other vulnerable machines on the same network very rapidly. All of this is very interesting indeed.

What most articles have not been talking much about though was just how preventable this issue was – and that is what is really going to make affected organizations want to cry. Microsoft released a patch for this vulnerability over 2 months prior to the incident and this patch was available for all modern / supported operating systems. Older unsupported systems such as Windows XP and Windows 2000 were not able to be patched because Microsoft no longer supports these systems.

For an organization to be significantly affected by this outbreak of ransomware would have to mean that the organization either has failed software patch management and vulnerability management processes, the organization is using unsupported versions of Microsoft Windows, or worse, it could be both.

To prevent attacks like this in the future, it is imperative that organizations ensure that the following are done on a regular basis:

  • Maintain a current inventory of the systems and software in use within the organization.
  • Develop effective patch management processes that cannot be easily circumvented by users.
  • Periodically scan your network for known software vulnerabilities, and execute timely remediation to update software when vulnerabilities are identified.
  • Ensure external and internal monitoring tools and processes have a good known baseline for comparison and reporting.
  • Develop a process to identify systems operating on older software, and develop plans to retire or update such systems onto modern versions of software before the vendor ends its support.
  • Ensure that your organization has effective backups that can be accessed and reverted to in the event of a ransomware issue.

It should be noted for those still running Windows XP – if you are still running this operating system, but have not yet been impacted by WannaCry, then you should install the emergency patch supplied by Microsoft May 15. It should not be expected that Microsoft (or other vendors) will do this again in the future.