A number of organisations across a broad range of industries have been affected by the recent global ransomware attack. Europol has estimated that there are more than 200 000 victims of the attack in 150 countries since it began, describing it as “unprecedented in its scale”.
Junaid Amra, associate director: cybercrime and forensic technology services at PwC, examines why this attack was different to others.
What was it all about?
WannaCry is malicious software (malware) that is classified as Ransomware. What this simply means is that on infection it holds your computer or device to ransom. Recent strains of ransomware encrypt your data and require a ransom to be paid in order to get access to the data.
In this case $300 in Bitcoin (an online currency) was requested with this amount increasing over time.
Why was WannaCry so effective?
Wannacry was first detected in February 2017 (version 1) and was limited in terms of its impact. A company believed to be part of the National Security Agency (NSA) in the US called the Equation Group was breached. It seemed that they had a stockpile of exploits that could be used to exploit vulnerable systems. From April 2017 these started becoming visible on the internet.
Wannacry was re-released on the 12 May 2017 but this time around was linked with one of the exploits that had leaked from the Equation Group breach. This increased the effectiveness of the attack. A security researcher discovered a kill switch in the ransomware which, once activated slowed the spread of the attack. Variants of the ransomware appeared by the 14 May 2017 which were not affected by the above kill switch.
What steps should organisations take to protect themselves?
The ransomware affects devices running Microsoft Windows. Microsoft had released a patch for the vulnerability exploited by WannaCry in March 2017. Unfortunately many organisations had not installed the patch which resulted in them being infected.
There are a number of pragmatic steps that an organisation can take to reduce the likelihood of cyber security incidents, limit the impact when one does occur, and to recover swiftly and effectively.
PwC has developed seven principles to assist organisations structure their governance of cyber security risk. Adopting these principles will help boards and management debate and make the tough decisions needed to develop an adequate response to the threats they face:
* Real understanding of exposure: Many organisations fail to understand why they might be targeted, what makes them vulnerable and how an attack might impact them. The understanding needs to extend beyond the enterprise. It must reflect relationships that could make them a target and the complexity of digital connections that could cause them to be vulnerable. These relationships include suppliers, service providers; partners; cloud services; critical data feeds; and staff and customers. It must also reflect what data the organisation manages, why and where.
* Appropriate capability and resource: Effective cyber security requires a capable skilled team that is empowered and resourced to shape an organisation to be secure. Boards need to be confident in the capability of their security function and its leadership, their ability to drive a broad response to cyber security across the whole enterprise, and rapid access to wider capability when required. For boards to be effective in this area, they themselves require sufficient knowledge to probe, challenge and support management.
* Holistic framework and approach: A holistic approach to managing cyber security needs to not just build and operate effective cyber security controls. It must also reduce the complexity of the technology and data estate to which those controls are applied (inside and outside the organisation); address process and cultural/human vulnerabilities that attackers are increasingly targeting, and embed cyber security consideration in all business decision making.
* Process vulnerabilities are often overlooked, but common targets. Examples include weak registration processes to online services or distributing sensitive data to an inappropriate third party for processing. A simple, but often exploited human vulnerability is poor password management, such as the reuse of credentials across applications.
* Independent review and test: Boards require independent validation and testing of their cyber security posture. This can be achieved through independent expert review of cyber security frameworks and approaches, and even certifications of specific elements.
* Incident preparedness and track record: Governance of cyber security risk is important but effective governance when the risk materialises is critical. Ensuring that focused, practiced plans exist to respond to, and recover from, the most likely scenarios is essential. These need to consider not just technical resolution, but also business management, reputation management and management of legal and regulatory risk. In addition, organisations need to be able to respond appropriately to the reporting of vulnerabilities that could make products, services or internal processes vulnerable to attack.
* Considered approach to legal and regulatory environment: Cyber security cuts across an increasingly complex legal and regulatory environment globally. Industry regulation, data protection regimes, national security legislation, reporting requirements and product liability are a few examples of legal and regulatory environments that need to be understood, and a considered global response developed and maintained.
* Active community contribution: No organisation can protect itself in isolation. Collaboration is essential – between organisations within industries; through supply chains; between public and private sectors; between companies and law enforcement/intelligence agencies; and even with customers.
What if an organisation has been affected?
We never recommend paying a ransomware ransom – unless there is a threat to life. Doing so fuels the malware economy, funding the development of additional malicious campaigns. In terms of Wannacry security researchers have released software that could in some instances decrypt data that was encrypted by the ransomware.