I’m going to say right up front that in my years of writing about cybersecurity, I’ve never seen a reaction to an incident like I did to Friday’s WannaCry ransomware attack. My inbox has been flooded with commentary and reactions, and they continue to pour in as I write this post over the weekend. Virtually every website I visit has at least one article about it. As a PR person said in an email, Friday was a dark day for cybersecurity. But as others warn, this won’t be the last dark day.
First, about the attack. It was massive and global, and as Gerrit Lansing, chief architect at CyberArk, explained via email commentary:
What started out as a reported attack on the National Health Service has evolved into what appears to be one of the largest-scale instances of ransomware on record, with current reports saying there are victims in close to 100 countries.
Kaspersky Lab explained that WannaCry used an exploit named EternalBlue, which Microsoft patched back in March. Many organizations had not bothered to install the patch. (I guess this is as good an example as you’ll find for the importance of installing patches immediately.) There were more than 45,000 reported attacks, with Russia being the hardest hit. We may have seen a temporary halt to the spread of the malware, according to CNN:
The ransomware's progress has been halted by the accidental discovery late Friday of a "kill switch" hidden within the code by a security researcher, said cybersecurity consultant David Kennedy, formerly of the US National Security Agency. . . . However, a hacker could change the code to remove the domain and try the ransomware attack again. Also, the kill switch won't help anyone whose computer was already infected. Individuals and companies still have to decide if they want to pay the ransom or part with their data.
The sheer one-day volume of this singular attack is what grabbed the attention of, well, just about everyone, but don’t get lulled into thinking that this is that much out of the ordinary. Government reports show that there were more than 4,000 ransomware attacks every day in 2016, and all reports are that ransomware is getting worse. Rick Orloff, CSO at Code42, told me in an email comment that what we’re seeing is the new normal for cyberattacks, adding:
It’s monetarily motivated and looks to be global in reach. This is a sophisticated group that is pulling off a far-reaching, coordinated attack at an unparalleled scale. While enterprises operate in a global economy, so do the bad guys.
Phil Richards, CISO with Ivanti (formerly LANDESK), also made some very good points in an email to me. Not surprisingly, he said, this ransomware attacks through socially engineered email, and we need to make sure that employees get better about not falling for these tricks. At the same time, he reiterated that you need not only to patch your software but also to keep your AV software updated:
If your virus definitions are one week out of date, it would not recognize this particular ransomware.
I suspect we’ll be hearing more about WannaCry and its fallout for some time into the future. And now excuse me while I ensure everything on my system is patched, updated and backed up.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba