WannaCryptor one year later, what have we learned?

12 months on, what are the lessons learned from WannaCryptor?

Time does fly! It feels like only yesterday that a new strain of hitherto little-known malware achieved celebrity status among global ransomware campaigns

Time does fly! It feels like only yesterday that a new strain of hitherto little-known malware achieved celebrity status among global ransomware campaigns

It’s already been a year, almost to the day, since the WannaCryptor ransomware cryptoworm – also known as WannaCry and detected by ESET as Win32/Filecoder.WannaCryptor.D – ran rampant. What made WannaCryptor’s impact so severe, especially when the ransomware component of the malware was rather run-of-the-mill?

The global outbreak was clearly a teachable moment, as the factors that contributed to its large footprint also revealed some powerful lessons. We’ll spare you an introduction or a repetition of the well-known facts, so that we can instead dive right into lessons learned from the global outbreak. There’s no other way to begin than with takeaways stemming from how WannaCryptor took root and fanned out.

Patch me if you can

Put simply, for the defenders, holes are there to be plugged. Put just as simply but differently, it’s a “patch-or-perish world”, especially regarding fixes for known security flaws. The merits of timely patching become even more apparent when we consider that the fix for the flaw exploited in the WannaCryptor campaign had been released almost two months before the malware grabbed the headlines.

However, many organizations struggle to keep their systems current. To be sure, business realities often mean that installing fixes across enterprise environments is no easy task. Whatever the cause of this perennial problem, however, the upshot is the same: with every patch waiting to be deployed, the window of opportunity becomes ever more open to intruders.

Out of date, out of breath?

Some victims were hit not because they hadn’t patched, but because a fix was impossible, or at least intractable. That is, they were running systems that had reached the end of their lifespans and, in the absence of mainstream support, no patch was available. In that case, replacing outdated and legacy systems should be the overarching concern. If that isn’t possible immediately, the old systems should be, whenever possible, isolated on their own network segments.

Defanging and starving out the worm

In fact, security-minded network segmentation in general can harden a firm’s defenses, especially against malware exhibiting worm-like behavior as was the case with WannaCryptor. By permitting only certain traffic in and out of functional segments and between one another, as well as by securing data during lateral movements, even if a breach does occur on one segment, the exposure is limited and the damage is contained. As an added benefit, network compartmentalization allows for stronger access controls, restricting access to sub-networks only to employees who need it, and only with permissions that they really need.

Turn off what’s not needed

The campaign propagated via the long-outdated, first version of Microsoft’s file-sharing Server Message Block (SMBv1) protocol, so it goes without saying that the protocol’s ancient version should be disabled altogether – as advised by Microsoft itself back in 2016, after all. In addition, SMB, in any of its three versions, is used on ports that shouldn’t be exposed to the open internet at all. At the end of the day, it never hurts to enable only the services that are needed while turning off all others.

Anti-malware software exists for a reason

Robust cybersecurity controls involve ensuring that all machines are fitted with security software that, naturally, needs to be kept up-to-date. A robust anti-malware suite incorporates complementary layers of defense that kick in at different stages of the cyber-kill-chain, helping protect even against flaws for which a patch has not been released or deployed – or even developed. As reported in one of our blog posts soon after the pandemic broke out, ESET detected and blocked attempts to abuse the SMB vulnerability before this particular strain of malware was even created.

Back up (and put backups to the test)

Last, but absolutely not least – backups. Indeed, in this scenario, backups only come into play as a last-ditch measure after all the cyberdefenses are breached, but that happens to underscore their importance. Indeed, if the worst comes to the worst, a successful incident response and recovery will hinge on a tried-and-tested backup strategy. This routine needs to include making frequent copies of data to media that are normally offline, thus keeping them safe from the malware’s reach. That way, there is no need to ponder the possibility of giving in to the attackers’ demands – an idea that we generally advise against, anyway. Additionally, in this case, paying up was very unlikely to be of any help.

Picking the (ultimately) easier way

Regardless of how demanding precautions are, they are nowhere near as difficult as all that needs to be done when dealing with the consequences of a serious incident. This old adage clearly continues to hold true even after the hue and (Wanna)Cry(ptor) has all but died down.

Which surely makes you wonder: whatever happened to the exploit – EternalBlue – that enabled the campaign in the first place? Wonder no more, we’ve got that covered. However, our own Ondrej Kubovič finds that, sadly, that one is alive and kicking.

Should that still not satiate your curiosity, be sure to read our piece about facts you may not have known about WannaCryptor next week.

Discussion