WannaCry Lives On! Have we Learned Anything?

Adam Cravedi
May 21, 2018 10:58:30 AM


As the one-year anniversary of the most widely spread ransomware attack approaches, WannaCry is still active in the wild. Fortunately, so is the “kill switch” domain, rendering the attack mostly benign. During the WannaCry outbreak, MalwareTech, a UK-based researcher, discovered that WannaCry attempted to contact an unregistered domain. Once that domain was registered, any newly infected device that made a successful connection to it would place the malware into a dormant state. This is known as sinkholing, and it has removed the teeth from WannaCry so far. However, it is not a perfect fix: newly infected devices are rendered harmless only so long as they can reach the kill-switch domain, as Boeing recently discovered. In March, several dozen computers in Boeing’s Commercial Airline division were suddenly infected with the full WannaCry ransomware attack.

As with many manufacturing companies, Boeing limits or disables internet access for many of their production computers, preventing access to the kill switch domain. Somehow an infected “active” WannaCry device was introduced into the network environment and quickly attacked any unpatched Windows systems on the connected network. 

US-based security firm Kryptos Logic has been monitoring the kill-switch domain and reports that traffic to it remains very high. Machines carrying the malware check this domain on every reboot to determine whether to stay dormant or activate. The only sure way to prevent an outbreak is to wipe the system, reinstall the operating system and ensure all patches and security updates have been installed. End-of-life/end-of-support OSes should be upgraded to the most recent versions of Windows (10 and Server 2012 R2).
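Because infected machines query the kill-switch domain on every reboot, a resolver log is a cheap place to find them. The following is an added example, not code from the original post: it triages constructed DNS log lines, separating hosts whose lookup succeeded (infected but dormant) from hosts that could not resolve the domain (the isolated-network case above, where the sample would run). The domain name and log format are placeholders.

```python
# Added example: triage DNS resolver logs for kill-switch lookups.
# A host that queries the domain at all is carrying WannaCry; whether the
# lookup succeeded hints at whether the sample went dormant or stayed active.
import re
from collections import defaultdict

# Placeholder: substitute the real kill-switch domain reported by MalwareTech.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed log format: "<timestamp> <client-ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines: one office host that reached the domain,
# two production-network hosts that could not.
SAMPLE_LOG = """\
2018-05-21T09:00:01 10.1.4.20 update.microsoft.com NOERROR
2018-05-21T09:00:05 10.1.4.31 killswitch.example NOERROR
2018-05-21T09:00:06 10.7.2.14 killswitch.example SERVFAIL
2018-05-21T09:00:09 10.7.2.14 killswitch.example SERVFAIL
2018-05-21T09:01:12 10.7.2.15 killswitch.example NXDOMAIN
2018-05-21T09:01:30 10.1.4.31 killswitch.example NOERROR
"""

def triage_kill_switch_queries(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"queries": n, "resolved": n, "status": s}} for
    every client that looked up the kill-switch domain."""
    hosts = defaultdict(lambda: {"queries": 0, "resolved": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        _, client, qname, rcode = m.groups()
        if qname.rstrip(".").lower() != domain:
            continue
        hosts[client]["queries"] += 1
        if rcode == "NOERROR":            # name resolved; HTTP may still fail
            hosts[client]["resolved"] += 1
    for rec in hosts.values():
        # Either way the host needs wiping; "likely-active" hosts come first.
        rec["status"] = "dormant-infected" if rec["resolved"] else "likely-active"
    return dict(hosts)

if __name__ == "__main__":
    for ip, rec in sorted(triage_kill_switch_queries(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['status']} ({rec['queries']} queries)")
```

A successful resolution only shows the name was reachable; the malware must also complete the HTTP request, so treat "dormant-infected" as a best case, not a clean bill of health.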

What are the lessons here that should have been learned from the WannaCry outbreak?

  1.  Patch all devices on a regular basis and maintain a well-defined patch management and vulnerability management program. Even computers that cannot access the internet need to be patched on a regular basis. Phishing has become the number one means for attackers to gain access to internal systems, and insider threats still account for more than 60% of reported data breaches in 2017.
  2.  Implement the principle of least privilege to keep sensitive and confidential data away from unauthorized users or attackers and to mitigate accidental disclosures. Here are two basic recommendations that would not be costly or overly difficult to implement today:
    1.  Only system/network administrators should have administrative rights. Do not use the built-in Windows Administrator account. System and network administrators should have a basic user account and a separate administrator account. Other system users should not have administrative rights. This will minimize their ability to install unwanted, potentially malicious applications.
    2.  Use network segmentation and ACLs and/or firewalls to safeguard data and prevent unauthorized access. This may require a small investment depending on the current network switch environment, but many low-cost solutions are available today to fit any size of operation.
  3.  Educate employees about cyber-threats and what they can do to recognize them and prevent malicious attacks. Many industry, state and federal guidelines/regulations require a minimum of annual security awareness education. However, in this age where the threat landscape is ever-evolving, a security awareness program that includes regular reminders and updates throughout the year can keep the information fresh in the minds of employees.
  4.  Back up data and keep it stored in an offline location. Specific to ransomware attacks, backing up critical data can significantly reduce the impact of the next “WannaCry” attack. Armed with a solid, timely backup and a method of restoring the OS (an image), a ransomware attack is reduced to a productivity issue: how long it takes to get systems back into production.

Of course, these lessons are not unique to WannaCry or Ransomware. They are not even new to the information security professional’s toolkit. They are basic security steps that can be implemented by almost any organization regardless of size or budget. It is surprising to read just how many systems were affected by WannaCry last year and even more shocking to realize how many systems remain affected and unpatched.

The next version of WannaCry could strike any day. The developers of WannaCry did everyone a favor by hardcoding their Command and Control (C2) domain into the attack. This is the reason the sinkholing solution worked. Unfortunately, it is quite apparent that the method for delivering this type of attack has not been defeated, and potentially millions of systems remain vulnerable. By simply randomizing the C2 domain name in the code, the next WannaCry could easily defeat this sinkholing “solution.” By patching systems in a timely manner, implementing some least-privilege access control and educating employees regarding cyber-threats, system administrators improve their chances of minimizing the impact of the next WannaCry-type attack.
