3 Reasons Companies Fail to Prevent Ransomware Attacks (and What To Do About It)

The evolution of the major global ransomware attack — known by many aliases, including WannaCry and WannaCrypt — continues, raising questions about who is behind it, the ongoing fallout, and what happens next.

In a blog post, Microsoft described the actions it had taken Friday to protect customers, noting that it took the “highly unusual step” of providing security updates for retired versions of Windows — Windows XP, Windows 8, and Windows Server 2003.

Microsoft released system updates in March that protect computers running Windows Vista, Windows 7, and Windows 8.1 against this ransomware attack. So why, then, were so many — an estimated 300,000 computers in more than 150 countries — affected?

The very short and simple answer is that computers that were attacked were missing system updates.

There are a host of possibilities for why organizations don’t implement these patches. Here are some of the reasons why the security update might not have been applied:

Old systems get neglected

Sometimes, it’s just a matter of “bad habits,” said Mohamoud Jibrell, co-founder and CEO of NormShield, Inc., which provides security for internet-accessible systems. Jibrell, an active member of SIM’s Capital Area chapter who has more than 15 years’ experience as a CIO, said that companies with older systems can get in the habit of not regularly updating those systems. A false sense of security sets in when the systems keep running without an issue, according to Jibrell. “We ignore problems when the likelihood of that problem is sort of considered remote,” he said.

Business can get in the way

Other times, decisions about when to update and what systems to implement aren’t exclusively up to the CIO. “Sometimes business people don’t want the older systems touched for a business reason,” Jibrell, a former CIO of the Howard Hughes Medical Institute, noted. “It’s not necessarily the IT people not doing their jobs.” Updates can fall by the wayside if the right processes aren’t in place.

Big organizations move slower

Daniel Howley, Yahoo’s technology editor, writes about the added complexity for larger organizations to apply patches:

Organizations like hospitals, for example, run specialized software on top of Windows to do things like keep tabs on patients’ records and medications. So they can’t run the risk of installing a new Windows patch that may or may not be compatible with their own programs.

“Some of the organizations that were negatively impacted by [WannaCry] have delayed releasing patches, because they were still performing compatibility tests, and were working through those before deploying the patch,” McAfee CTO Steve Grobman said in the article.


Looking ahead

Many see this attack as a new kind of normal.

“The visibility brought by this most recent attack may inspire copycat attacks,” said Colin Black, COO and CIO of CrowdStrike, which provides endpoint protection products and services. “In addition, there are other tools that have been publicly released that criminals and other ne’er-do-wells may attempt to weaponize and use for nefarious purposes,” added Black, a founding member of SIM’s San Diego chapter who now serves as its treasurer.

Black sees this as the start of a new era of cyberattacks “where stealth is giving way to destruction.” He said with recent attacks, “it’s now okay to destroy data” whereas before, hackers focused on stealing intellectual property.

“The speed and reach of WannaCry, as well as its ability to evolve, are yet more examples of the new age of cyberterrorism we live in,” CNET reporters wrote. “It’s one in which hackers can influence the US election, pilfer your personal information or hold up critical life-saving systems in hospitals. And because of our dependence on tech, there are no easy solutions.”

While the answers to thwarting cyberattacks might not be simple, there are some basic steps to take to increase security. “First and foremost, when companies like Microsoft release fixes or patches, apply those,” Jibrell advised. “Keep your systems up to date.” But in instances where there is a business or other reason that prevents you from updating, “you have to isolate that system from the internet,” he said.

In a Computerworld article, John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, also noted the need for multi-layered defense. “It’s a combination of policy, technology, and education,” he said. Computerworld adds:

The policy portion might be so extreme that all workstations in an organization might need to be “read-only,” so that ransomware-laden emails cannot be accidentally opened and executed, [Halamka] said.

Black recommended training employees who tend to get a lot of external emails, such as shipping and receiving personnel or those who deal with accounts payable/receivable. They are most vulnerable to these kinds of attacks and could benefit from anti-phishing campaigns to raise awareness of the threats.

“Bad guys take advantage of fear, greed, and compassion to entice a victim to take action that may expose them to these types of attacks,” he said. “Don’t pay! This encourages these actors to continue these attacks.”

Here are some additional resources from SIM and other sources:

The Society for Information Management (SIM) is the world’s premier organization for IT leaders. Follow us on Twitter and LinkedIn. Visit us at simnet.org.
