A Q&A with Matt Ahrens, The Crypsis Group
Last week, the devastating WannaCry attack—considered unprecedented in its scale and speed—hit more than 230,000 computers in 150 countries, including the National Health Service, FedEx, Deutsche Bahn and LATAM Airlines, among others. I asked Matt Ahrens of The Crypsis Group about the attack, what made it so dangerous and what it means for organizations trying to improve their cyber security posture.
What exactly is WannaCry?
WannaCry is a worm—basically a self-replicating piece of malicious software that finds a vulnerability, attacks a computer and spreads across the network and the internet to attack others. It’s also ransomware, meaning that it encrypts data and sends it off to an anonymous networking site while extorting the data owners. By exploiting a recent and high-profile vulnerability, this ransomware variant spread faster than any other variant. With poor firewall practices and poor security, it’s easy for something like this to snowball.
Can you give a few examples of why this is so dangerous?
It’s difficult to understand the full impact just yet, but we know that the NHS was hit and industrial systems were hit. Potentially that means computers were down, medical care could be affected and airport control units could be affected, causing delays. At the least it’s business interruption, but at the worst it’s physical harm. The good news is that there were IT professionals all over the world spending their weekends trying to fix these vulnerabilities. So people are paying attention and not just letting the attack fly by.
What are some practical steps that clients can take to mitigate this risk?
Microsoft has released a patch for the primary vulnerability. It’s interesting to note that the patch works for unsupported operating systems going back to Windows XP so that says a lot about the risks at play here and what Microsoft was willing to do to stop the onslaught of this malware. We highly recommend patching any Windows systems. Other suggestions include:
- Antivirus solutions: While antivirus solutions are cheap and widely deployed, they won’t protect you from “0-day” (previously unknown or undocumented) attacks, but they will prevent attacks that occur down the line.
- Due diligence on networks: Check your perimeter networks and make sure that any ports that should be closed are actually closed.
- Back up your systems and data: You may need to restore your systems from the ground up. Keep a copy of backups offline. Practice restoring data at a regular interval. Prioritize backups based on business need and impact.
- Phishing preparedness: Conduct a phishing simulation with employees to educate them about identifying phishing emails and suspicious attachments. You can also restrict the flow of attachments with .zip files or files with passwords, which are typical ingress points for attacks.
- Intrusion prevention: Keep up to date with intrusion detection systems.
- Segregate networks: Ensure that important data is stored away from internet-facing computers.
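The “due diligence on networks” item above is easy to state and easy to get wrong, so here is an added example (not code from the original page or from The Crypsis Group) of the check a practitioner would actually run. It goes slightly beyond the page by naming the ports: WannaCry’s worm component spread over SMB, so the ports that must not be reachable from the internet are TCP 445 and TCP 139. The host list in the `__main__` block is a placeholder; the `probe` parameter is an assumption of this example that lets the logic be exercised without a network. Run it only against hosts you are authorized to test.

```python
"""Perimeter check: which of our hosts still expose SMB (TCP 445/139)?

Added example, not from the original page or from The Crypsis Group.
Assumes you have a list of your own externally reachable hosts and
authorization to probe them.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports used for SMB reachability: 445 (direct SMB over TCP) and
# 139 (NetBIOS session service). Neither should be open at the perimeter.
SMB_PORTS: Tuple[int, ...] = (445, 139)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Any socket error (refused, filtered/timeout, unresolvable host, no
    network) is treated as 'not reachable', which is the safe answer here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed_smb(
    hosts: Iterable[str],
    probe: Callable[[str, int], bool] = tcp_port_open,
    ports: Tuple[int, ...] = SMB_PORTS,
) -> Dict[str, List[int]]:
    """Map each host that answers on any SMB port to the list of open ports.

    `probe` is injectable (an assumption of this example) so the selection
    logic can be tested with a fake instead of real connections.
    """
    exposed: Dict[str, List[int]] = {}
    for host in hosts:
        open_ports = [p for p in ports if probe(host, p)]
        if open_ports:
            exposed[host] = open_ports
    return exposed


def report(exposed: Dict[str, List[int]]) -> List[str]:
    """Render one action line per exposed host, or a single all-clear line."""
    lines = [
        f"{host}: SMB reachable on TCP {', '.join(str(p) for p in ports)} "
        "-- block at the perimeter firewall and disable SMBv1 on the host"
        for host, ports in sorted(exposed.items())
    ]
    return lines or ["no SMB exposure found on the hosts checked"]


if __name__ == "__main__":
    import sys

    # Placeholder targets; pass your own externally reachable hosts as arguments.
    targets = sys.argv[1:] or ["127.0.0.1"]
    for line in report(find_exposed_smb(targets)):
        print(line)
```

Run it from outside your network boundary (or from a cloud host with no special access) so that the answer reflects what an internet-based worm would see, not what an internal workstation sees; an internal scan answers the separate “segregate networks” question of whether workstations can reach the file servers that hold important data.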
What do you see as other potential implications of this attack?
No one who deals with ransomware was shocked by this attack. We knew that the hacker group the Shadow Brokers released the Windows vulnerability online several weeks ago, so it was made public, and that’s the exact vector on which this ransomware works. So far we can see that not that many people paid the hackers, so either the victims had good backups of their data, the threat actors had difficulty providing recovery keys, or the victims couldn’t source bitcoins in the requested time frame for the ransom. But certainly the speed and scope of the attack is concerning and we should expect more innovation from cyber criminals in the future.
We want to thank Mr. Ahrens for his insights into this security threat, which is quickly becoming the lead story worldwide and, to Matt’s point, serving as a major wake-up call!
Ransomware events are also one of the leading threat vectors causing cyber losses for clients in all sectors (and for our clients, the cyber liability insurer carriers who pay these claims). See our annual cyber claims study here.
To underscore some of Matt’s prevention advice, it often boils down to the basics: having timely patch management programs in place, backing up systems daily, and especially having an actionable systems/data crisis breach plan ready that is accessible at a moment’s notice around the clock (see the NetDiligence breach planning solution Breach Plan Connect™; for an instant plan, see details here).
Finally, please see the Crypsis team speak at our upcoming NetDiligence Cyber Risk Conference this June 5-7. See details here: https://netdiligence.com/2017-netdiligence-cyber-liability-conference-philadelphia/