Cybercriminals from half a world away have proven their ability to lock up files right in our own backyards. Ransomware is a damaging scourge, and companies that haven’t taken preventative measures are at risk. Cash, bitcoins, personal data, you name it—it’s all up for grabs when it comes to today’s hacking elite. Last year’s WannaCry and Petya ransomware epidemics were a wake-up call, but will IT teams everywhere listen?
You probably remember when WannaCry (also known as WannaCrypt) shocked businesses globally as it spread exponentially and locked up files in private and public sector organizations alike. Like other ransomware before it, the malicious software encrypted files and then demanded a payment in the electronic currency bitcoin to return them.
The Petya ransomware was first seen in an earlier, less virulent form in March 2016, which spread via email attachments. Like WannaCry, the version that swept the world last year used ExternalBlue, an exploit stolen from the US National Security Agency.
Ransomware may seem to be a dormant threat in 2018, but experts warn that it’s not dead. Here’s a refresher on how the most infamous ransomware attacks happened—and how you can prevent them from happening again.
Patient zero: Ukraine
EternalBlue targets a vulnerability in SMB, a protocol that lets Windows machines talk to each other on a network. It can make an infected computer reach out to others on a local area network and infect them with a simple digital message. This strain, which some security experts labelled NotPetya because of its new code, also harvested passwords and used those to run code on other local computers.
But Petya wasn’t technically ransomware. Sure, it asked for payments to decrypt files, but the code was modified so it couldn’t actually revert its own changes. This made it straight-up malware and raised questions about who created it—and why.
Malware experts said that 80 percent of infections began in Ukraine after someone compromised servers used to update commonly-used tax software and infected the software’s code with malware. From there, it spread rapid-fire across Europe, from Rosneft and Home Credit Bank in Russia to French construction materials firm Saint-Gobin. Victims in Germany, which numbered nine percent of total Petya ransomware infections, included rail firm Deutsche Bahn. Eventually, it made its way to the U.S., hitting law firm DLA Piper.
Beat the strain with preventative measures
Why is ransomware so successful, every time? Simply put, because companies fail to take two preventative measures.
The first: software patching. EternalBlue targets vulnerabilities in older versions of Microsoft Windows, and Windows 10 was immune to both the WannaCry and Petya ransomware strains. When WannaCry first began its rapid global spread, a software patch from Microsoft that fixed the vulnerability had already been available for around six weeks. The problem is, most people didn’t bother to apply it. Those who did, or those who were using the latest version of Windows, escaped unscathed.
The second preventative measure is backing up critical files. If ransomware encrypts data that’s safely backed up elsewhere, recovery is much simpler. Sadly, ransomware’s success means that many companies still fail to take this basic advice.
Replicating data to an online service like Dropbox isn’t enough when any and all changes to files are immediately copied to the cloud. While some cloud services do offer the chance to view historical versions of a file, ransomware could potentially overwrite those as well. The key is to only connect backup storage media to a computer when backing up files, and to store those files offline afterwards.
The need for cybersecurity hygiene
Research from Voke Media suggests that almost eight in ten breaches could be stopped by adequate software patching, but nearly half of all companies took longer than ten days to remediate vulnerabilities and apply patches. Clearly, many large organizations are taking far longer than that.
Why aren’t companies patching their software? Many of them struggle to balance software security requirements with changing management policies. Every time a company applies a software patch across a large network, it carries a potential risk and could affect other software or even hardware drivers. Many companies test software patches on a small subset of systems before applying them more broadly.
As threats from hackers mount, these reactive approaches to software patching will become less effective, putting companies at more risk. New approaches are emerging, such as ‘micro patching,’ which runs in-memory and doesn’t change software binaries at all. Devices with security measures built-in are emerging, too.
Another alternative is malware detection based on machine learning that uses statistical analysis to detect deviations from the norm. This is a departure from traditional signature-based anti-malware approaches that search for malicious software with a distinct footprint.
Unfortunately, though, ransomware will continue being a problem because it works. Criminals make the least effort possible for the maximum return, and ransomware exploits are fast, anonymous, and easy to monetize. WannaCry and Petya ransomware infections have proven them correct, and it’s only a matter of time before the next big attack arrives.
Basic cybersecurity hygiene is the only way to solve this problem. With closer attention from IT teams, faster patching, and sensible backup policies across the organization, ransomware can be prevented.