…The Unanswered Questions

By Lois Eko

Ransomware is, and may well continue to be, one of the most devastating cyber threats facing businesses. With global losses likely running to hundreds of millions of dollars, it has certainly generated a great deal of attention in recent times. Malicious attacks are on the rise each day, and businesses need to be on the lookout for the most prominent threats.

The refinement of the ransomware business model has created a gold-rush mentality among attackers, who are working to increase not only the scale of their attacks but also their ransom demands. Indiscriminate ransomware campaigns remain the most prevalent form of threat to businesses today, and more advanced attacks will keep emerging. With the recent WannaCry attack in mind, the average ransom demanded by attackers has risen to US$650.

Businesses need to be fully aware of the threat posed by ransomware attacks and make building their security defenses an ongoing priority. Alongside traditional security solutions, it is also vital to educate end users about ransomware and encourage them to adopt best practices. Businesses should continue to review and improve their security solutions by seeking forward-looking solutions in the face of this rapidly evolving threat. Reports have shown that the latest catastrophic attacks on Microsoft users, WannaCry and the stealthy Adylkuzz malware (which is still largely under wraps but threatens to be more devastating than the WannaCry ransomware), highlight not only gaps in security process implementation but also a severe lack of security knowledge in businesses, big or small, that hold masses of important data.

Ransomware is a type of malicious software that restricts access (partial or full) to the victim’s data and threatens to publish or delete the data until a ransom is paid. Bearing in mind that any action could be possible once a device is infected, and that there is little or no guarantee that paying the ransom will restore access, this type of attack can be more devastating than it sounds. A simplistic variant of ransomware may lock the system in a way that a knowledgeable person can revert. More advanced variants such as WannaCry use a technique called cryptoviral extortion to encrypt the victim’s files, making them inaccessible.

The WannaCry Ransomware Attack

The WannaCry ransomware attack is an ongoing worldwide cyberattack on computers running the Windows operating system, encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The worm uses the EternalBlue exploit to enter a computer, taking advantage of a vulnerability (MS17-010) in Microsoft’s implementation of the Server Message Block (SMB) protocol. It then installs DoublePulsar, a backdoor implant tool, which transfers and runs the WannaCry ransomware package. The “payload” works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a “ransom note” informing the user and demanding a payment in bitcoin. WannaCry spreads across local networks and the Internet to systems that have not been updated with recent security updates. It is considered a network worm because it also includes a “transport” mechanism to spread itself automatically.

The pain of turning on your device to see an extortion message on the screen demanding a ransom of $300 – $1,000 in Bitcoin cannot be overemphasized.

While other technical write-ups may have tried to answer the popular ‘W’ questions –

  • What happened?
  • Who was involved?
  • When did it take place?
  • Why did it happen?…

An unanswered question still lingers: how can we mitigate these threats? Several blog posts and articles have attempted to devise mitigation steps such as:

  • Patching
  • Offline Back-up systems
  • Anti-Virus update
  • Penetration Testing
  • Kill-switches etc…

It will only be a matter of time before the relentless attacker community comes up with a more sophisticated attack. Hence, a more permanent solution is to have an effective Patch Management System in place. Successful patch management requires a robust and systematic process. This process, the Patch Management Lifecycle, involves a number of key steps:

  • preparation
  • vulnerability identification and patch acquisition
  • risk assessment and prioritization
  • patch testing
  • patch deployment
  • verification
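
The lifecycle steps above, applied to the MS17-010 fix that the WannaCry worm relies on, over a constructed host inventory. This is an added example, not code from the article or from Blacksentry's tooling; the field names, the risk weights and the inventory records are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Host:
    """One inventory record; all field names are assumptions for this example."""
    name: str
    os: str
    ms17_010_patched: bool   # fix for MS17-010 reported as installed
    smbv1_enabled: bool      # legacy SMBv1 still enabled
    smb_exposed: bool        # TCP/445 reachable from an untrusted network
    criticality: int         # assumed business rating, 1 (low) to 5 (high)

# Constructed sample inventory; these are not real hosts.
INVENTORY = [
    Host("dc01", "Windows Server 2012 R2", False, True, False, 5),
    Host("web01", "Windows Server 2008 R2", False, True, True, 4),
    Host("ws-042", "Windows 7", False, False, False, 2),
    Host("fs01", "Windows Server 2016", True, False, False, 4),
]

def vulnerable_hosts(inventory):
    """Vulnerability identification: hosts still missing the MS17-010 fix."""
    return [h for h in inventory if not h.ms17_010_patched]

def risk_score(host):
    """Risk assessment: exploitability (SMBv1, exposure) weighted by impact; weights are assumed."""
    exploitability = 1 + 2 * host.smbv1_enabled + 3 * host.smb_exposed
    return exploitability * host.criticality

def remediation_order(inventory):
    """Prioritization: highest-risk vulnerable hosts first."""
    ranked = sorted(vulnerable_hosts(inventory), key=risk_score, reverse=True)
    return [h.name for h in ranked]

def record_deployment(inventory, results):
    """Patch deployment: fold the deployment tool's per-host outcome back into the inventory."""
    for h in inventory:
        if h.name in results:
            h.ms17_010_patched = results[h.name]

def verify(inventory, targeted):
    """Verification: targeted hosts still reporting the fix missing need a second pass."""
    return [h.name for h in inventory if h.name in targeted and not h.ms17_010_patched]

if __name__ == "__main__":
    order = remediation_order(INVENTORY)
    print("remediate in order:", order)
    record_deployment(INVENTORY, {"web01": True, "dc01": False})
    print("still unpatched after deployment:", verify(INVENTORY, order))
```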

Good visibility into the network, with solutions that can scan these devices for vulnerabilities, can also be a long-term solution.

At Blacksentry, our Vulnerability Management practice provides continuous scanning, active monitoring and guidance for remediation based on industry best practice. We work to proactively mitigate the exploitation of vulnerabilities that exist in business environments and that would otherwise be a drain on the security team, giving room for business prioritization.