5 Lessons from the WannaCrypt Ransomware outbreak

PHIL REED

The brazen WannaCrypt ransomware attack on NHS trusts wasn’t all bad news. For all the operations cancelled, lives put at serious risk and expensive IT overtime costs racked up, there was a silver lining: UK businesses and individuals have suddenly become aware of a threat we in technology circles have been banging on about for years.

Awareness is the first milestone on the road to becoming fully protected against the dangers and costs of ransomware. Below we outline a few key lessons that every organisation needs to take away from WannaCrypt to mitigate the risks of serious disruption. These are split into:

– How to reduce the risk of ransomware infection
– How to stop any infection from taking hold
– How to minimise the impact of any infection

Reducing the risk of a ransomware event

1) Out of Support / End of Life software is a risk to your business
This is a risk that some companies consciously and repeatedly expose themselves to, typically due to budget pressures. In this event, Microsoft decided to issue an emergency patch for out-of-support Windows XP and Server 2003 systems because of the volume of customers still operating them. It is unlikely that they would do this again. IT consultants and support staff have for years highlighted this risk and proposed software and hardware refreshes and upgrades. It is now time for business executives to recognise that this is a genuine, high risk to their business, and that continuing to operate out-of-support/end-of-life systems is inviting trouble.

2) ALWAYS Patch/Update
Many system administrators turn off automatic updates and/or delay applying patches issued by manufacturers. Why? Reasons range from uncertainty about the impact of a patch on production systems through to downright complacency. One can sympathise with overworked IT pros who face the extra (often out-of-hours) workload that an effective patching policy brings, but that is no reason to ignore the threat. WannaCrypt is a wake-up call for businesses to resource their IT effectively, either internally or via a qualified IT support provider.

3) Regularly audit your systems protection and security
Checking and validating patches, identifying vulnerabilities, verifying that policy is being applied and procedures followed – these are all essential hallmarks of good IT governance. A regular, annual audit by a third party can spot vulnerabilities missed by internal staff and check that best practices are being followed. As well as providing further protection, this aids the compliance process for standards such as ISO 27001 and Cyber Essentials.

Stopping a ransomware infection

4) Take the right approach to Anti-Virus/Anti-Malware protection
A lot of organisations remain unaware that no single anti-virus product detects all malware, so careful use of multiple products is required. Whilst it is not good practice to have two anti-virus products running on the same computer at the same time (they tend to detect each other as threats!), an anti-malware product such as Windows Defender or Malwarebytes will run happily alongside an AV product and provide protection against many malware/ransomware threats. Moreover, a multi-layered approach, with AV at the email server and internet gateway as well as on the client device, provides extra protection. It is an absolute requirement that all these products auto-update their definitions/signatures.

Recover from ransomware rapidly and non-disruptively

5) Have a backup solution that works and can roll back to a pre-infection point easily
Modern backup appliances work by detecting and recording block-level changes between snapshots, which makes it practical to take a backup at multiple points during the business day. Some solutions, such as Datto, supplement this with the ability to detect ransomware inside a backup and immediately alert IT staff. This means the infection can be detected early, limiting its spread and allowing the business to roll its data back to a clean and very recent point in time. Combined with a short RPO (Recovery Point Objective), the business could potentially lose less than an hour’s worth of data, which blunts the menace of ransomware somewhat.
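To show what “detecting ransomware inside a backup” and choosing a rollback point can look like in practice, here is an added example (not code from the original post and not how Datto or any other product actually works). It assumes snapshots are available as in-memory path-to-content maps with a timestamp, flags a snapshot when a large share of files were rewritten with near-random (high-entropy) content or vanished, and then picks the last clean snapshot to restore from; the sample snapshots and the “.locked” extension are constructed.

```python
import math
from collections import Counter

def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_change_ratio(prev: dict, curr: dict, entropy_threshold: float = 7.0) -> float:
    """Share of files in the previous snapshot that were either rewritten with
    high-entropy content or disappeared (encrypt-and-rename) in the new snapshot."""
    if not prev:
        return 0.0
    hits = 0
    for path, old in prev.items():
        new = curr.get(path)
        if new is None:
            hits += 1                      # file gone: typical of renaming after encryption
        elif new != old and _entropy(new) >= entropy_threshold:
            hits += 1                      # rewritten with near-random bytes
    return hits / len(prev)

def last_clean_snapshot(snapshots, ratio_threshold: float = 0.5):
    """Return (index of last clean snapshot, index of first suspicious one or None).
    Normal edits touch a few files with readable content and stay below the threshold."""
    for i in range(1, len(snapshots)):
        if suspicious_change_ratio(snapshots[i - 1][1], snapshots[i][1]) >= ratio_threshold:
            return i - 1, i
    return len(snapshots) - 1, None

def rollback_plan(snapshots):
    """Which snapshot to restore and how much data (in minutes) that costs."""
    clean, bad = last_clean_snapshot(snapshots)
    loss = 0 if bad is None else snapshots[bad][0] - snapshots[clean][0]
    return {"restore_index": clean, "alert": bad is not None, "data_loss_minutes": loss}

# Constructed sample: (minutes since start of day, {path: content}); hourly snapshots.
_DOC = b"quarterly report text " * 20
_CIPHERTEXT = bytes(range(256)) * 4        # stands in for encrypted output (entropy 8.0)
SNAPSHOTS = [
    (0,   {"a.docx": _DOC, "b.xlsx": _DOC + b"1", "c.pdf": _DOC + b"2"}),
    (60,  {"a.docx": _DOC + b"edit", "b.xlsx": _DOC + b"1", "c.pdf": _DOC + b"2"}),  # normal edit
    (120, {"a.docx.locked": _CIPHERTEXT, "b.xlsx.locked": _CIPHERTEXT, "c.pdf": _DOC + b"2"}),
]

if __name__ == "__main__":
    print(rollback_plan(SNAPSHOTS))
```

With hourly snapshots the plan restores the 60-minute snapshot and reports 60 minutes of data loss; taking snapshots more often is exactly what shortens that window.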

The challenge of defeating ransomware lies in a combination of good IT governance, effective security measures and a nimble, continuous backup process. For the most part, it requires organisations to take the risks seriously and apply common-sense procedures. Where these stretch internal resources, it is imperative to seek external help, both for periodic auditing and for ongoing 24/7 managed support.

The final lesson – using a better backup approach to recover rapidly from a ransomware attack – strikes at the heart of cybercriminals’ bullying tactics by taking away their power. After all, data can only be held to ransom if they have it and you don’t.