The Cisco 2018 Annual Cybersecurity Report includes a nice write-up about the recent evolution of network-based ransomware. By adding “worm” characteristics to already malicious code, attackers were able to eliminate the need for the human element in launching ransomware campaigns. This made them ultra-efficient and effective. And in contrast to earlier ransomware attacks that were designed to garner profit, several recent attacks were intended to simply destroy systems and data. Unfortunately, this trend is likely to continue. 

Perhaps the highest-profile example is WannaCry. Back in May 2017, this ransomware crypto-worm quickly spread across much of the Internet. The servers and workstations that were infected were those that were 1) directly accessible via the SMBv1 protocol, and 2) were missing the Microsoft MS17-010 patches (which had been released a couple of months prior). Fortunately, for most systems in the U.S., at least one of these conditions wasn’t true, so we were relatively spared. But the fallout in other parts of the globe underscores just how serious this type of attack can be. 

Cisco added that, for all of its impact, WannaCry only netted around $143,000 by the time the wallets were cashed out. In comparison, the exploit kit Angler, when it was active, was earning about $100 million per year as a global business. For this reason, the U.S. government and many security researchers believe the ransom component is effectively a smokescreen to conceal WannaCry’s true purpose: wiping data. 

Nyetya (aka NotPetya) followed shortly thereafter. This wiper malware was a high-profile example of a supply-chain attack. Nyetya was deployed through software update systems for a tax software package that, according to Reuters, was used by more than 80% of companies in the Ukraine, and was installed on more than 1 million computers. Ukraine cyber police confirmed that it affected more than 2,000 Ukrainian companies. 

WannaCry and Nyetya were self-propagating, which is what made them so dangerous. It used to be that malware was distributed in one of three ways: drive-by download, e-mail attachment, or physical media such as malicious USB memory devices. Each of these methods required some type of human interaction to infect a device or system with ransomware. But as we saw with WannaCry and Nyetya, an active and unpatched workstation is now all that is required to launch a network-based ransomware campaign. 

We’re not fated to a ransomware infection, however. These attacks could have all been prevented—or at least diminished—if more organizations had employed better foundational cyber hygiene and basic security practices such as: 

  • Patching vulnerabilities 
  • Establishing incident response policies and procedures 
  • Employing network segmentation 
  • Hardening system configurations 
  • Limiting account privileges to only those that are actually necessary 
  • Employing system and network monitoring 
  • Employing anti-malware tools 

 To learn how to best protect your organization by incorporating these practices and others, contact Symplexity today. 

Ross is the CISO at Symplexity. He has achieved CCIE Security and CISSP certifications, an MBA from the University of Notre Dame, and has 20 years of experience in the fields of computer and network security engineering and consulting. Ross provides virtual CISO services for our Symplexity Secure clients and helps them to identify information security risks and implement administrative, procedural, and technical controls to mitigate. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.