WannaCry ransomware attacks: Why the next wave could be harder to stop

An IT researcher shows on a giant screen a computer infected by ransomware on Nov 3, 2016. (Photo: AFP/Damien Meyer)

SINGAPORE: Cyber security firms on Monday (May 15) warned not only of another wave of ransomware attacks, but one that may not contain the "kill switch" that allowed one researcher to inadvertently limit the spread of the WannaCry attack last Friday.

"We do expect copycat activity in the coming days," said Nick Savvides of Symantec, noting that the exploit code used in Friday's campaign was copied by the author from a popular website for hosting such code.

Mr Savvides added that while there hasn't been any information pointing to any specific individuals behind Friday's attack, the company did not see any renewed activity coming from the same actor.

Steve Ledzian of FireEye pointed out that the presence of a "kill switch" had been atypical to begin with.

"Removing the kill switch is easy, and the inclusion of one is atypical, so we anticipate the kill switch will be removed properly, either by the original authors or an imitator in the very near future," Mr Ledzian said.

Trend Micro's Ryan Flores added that the WannaCry ransomware was "easily exploitable" as other hackers could copy the code and incorporate it into their malware.

The Singapore Computer Emergency Response Team (SingCERT) on Saturday released an advisory stating that the attackers leveraged a Windows exploit, codenamed EternalBlue, which was reportedly leaked and dumped by a hacking group called Shadow Brokers more than a month ago.

The exploit has the capability to penetrate machines running unpatched versions of Windows through 2008 R2 by exploiting flaws in Microsoft Windows SMB (Server Message Block) Server, SingCERT added.
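Because the exploit SingCERT describes targets the SMB server on unpatched Windows hosts, the first check an administrator will want is whether the legacy SMBv1 component is still enabled on a machine. The script below is an added example written for this article, not code from SingCERT or any vendor quoted here; it assumes the SmbShare cmdlets available on Windows 8 / Server 2012 and later, and on older builds (Windows 7 / Server 2008 R2) falls back to the LanmanServer registry value that Microsoft documents for turning SMBv1 off.

```powershell
# Added example (not from the article): report whether SMBv1 is enabled on
# this host and, if asked, disable it. Patching remains the primary fix;
# disabling SMBv1 removes the attack surface on machines that cannot yet be patched.

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Newer builds expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the SMB1 DWORD is absent by default, which means enabled.
    $value = (Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Applies immediately; -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry path for older builds; takes effect after a reboot.
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

if (Get-Smb1Enabled) {
    Write-Warning "SMBv1 is enabled on $env:COMPUTERNAME; apply the vendor patch and consider running Disable-Smb1."
} else {
    Write-Output "SMBv1 is disabled on $env:COMPUTERNAME."
}
```

Run it from an elevated PowerShell session; Disable-Smb1 is deliberately not called automatically, since a few legacy devices (the embedded-XP equipment discussed later in the article is one case) still depend on SMBv1 and should be inventoried before the protocol is switched off.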

Cyber security experts told Channel NewsAsia why evolving strains of the WannaCry ransomware will be of concern to businesses and other organisations.

Q: Is it sufficient to back up your data?

Back-ups alone are no longer enough, said Gerrit Lansing of CyberArk, who pointed out that ransomware variants increasingly do not limit themselves to encrypting solely whatever is on a PC's hard drive.

"Instead, they focus on accounts that provide broader access, such as those owned by IT administrators," he said.

"This approach allows the infiltrator to move more widely within the network, searching for more systems and encrypting them too. It therefore doesn't matter whose computer was initially targeted - the attack still has the potential to cause significant damage."

Q: Why is traditional anti-virus software no longer effective?

Traditional anti-virus solutions rely on blacklists, and they simply can't keep up with the thousands of new samples of ransomware produced each day, said Jeffrey Kok of CyberArk.

"There is no sign that this will slow down, and we do expect the frequency of such attacks to accelerate. To effectively protect against ransomware risks, organisations can't just protect against known malware; they also need to protect against unknown malicious applications, including unknown ransomware, from gaining the read, write and edit permissions needed to encrypt files."

Q: What can be done?

It is essential to eliminate the attacker's ability to access administrative credentials, Mr Lansing said.

"We are now seeing instances where attackers can use privileged credentials to find and destroy data backups, which have been typically relied on by organisations to recover from the attack and avoid paying the ransom."

Mr Kok added that a combined approach of removing local admin rights and application control, including "greylisting" – which restricts permissions for unknown applications to read, write and modify data – is effective in preventing ransomware from encrypting files.

Many of the experts also echoed the Cyber Security Agency of Singapore's (CSA) advice not to pay any ransom demanded.

"Don't make any payments in response to a ransom request - hackers will simply bleed you dry without any promise of return," warned F5 Networks' Prakash Sadagopan.

Q: Microsoft has now issued security patches for Windows XP – won't that fix the problem?

It may be more difficult to address security on medical devices as well as supply chain or inventory devices that run on legacy versions of Windows in embedded systems.

NHS incident director Anne Rainsberry told British media that Friday's cyber attack affected pathology services the most seriously, alongside imaging services such as MRI and CT scans, and X-rays.

"The release of the patch probably isn't going to help that £15m MRI machine that runs XP embedded whose maker went bankrupt 10 years ago," tweeted cyber security researcher Barry Dorrans, who, according to his Twitter profile, is with Microsoft's .NET security team.

"Sure, desktops, servers, they should have been updated. Along with office. But there's always going to be machines that can't be touched.

"So it's not a matter of £100 for a license - it's £15 million for a new machine and you need to rip the building open to install it."

Source: CNA/dt