Last month's WannaCry attack was certainly aptly named. No doubt the more than 300,000 computers in 150 countries rendered useless by the hack made the individuals and organizations impacted quite tearful.
For those who had independent backup systems in place, the hack was inconvenient and a nuisance. For those who didn't have adequate backup, files were most likely locked and lost. WannaCry was the latest ransomware attack where computers were hijacked and a ransom fee demanded.
"Ransomware falls into the category of malware - malicious software - but most people would know them more as computer viruses," explained Mark Burnette, CPA, CISSP, CISM, QSA, a shareholder with LBMC Information Security.
"In the beginning, the ransomware attacks were kind of clunky, but they've become more and more sophisticated," noted Sam Felker, CIPP/US, a shareholder with Baker Donelson and a member of the firm's Data Protection, Privacy and Cybersecurity Group. "They've become more innovative in how they carry out their attacks, and they are also targeting markets where they believe they can make money."
Burnette said most ransomware is written to look for a particular weakness in a computer system. In the case of WannaCry, it has been documented that the U.S. National Security Agency (NSA) discovered the vulnerability and then subsequently had their information and tools leaked.
Deploying such ransomware is typically a gamble as to whether or not the targeted victims will take the bait. "In most cases, it requires the user to install and take action in order for the ransomware to activate, and that often comes in the form of a phishing email," said Burnette. "What made WannaCry different is that it was wormable, which meant it didn't require user interaction to spread," he continued. "This one was able to self-propagate without user interaction. That's why it spread so quickly."
Once deployed, the malware encrypts the hard drive of a computer, rendering it useless unless a victim pays the ransom to receive a decryption key to restore the system to working order. Felker said the ransom is usually requested in the form of bitcoin, a digital currency that is virtually untraceable.
Oftentimes the ransom isn't exorbitant. "Ransoms are usually in the neighborhood of several hundred dollars," said Felker. "Some are more," he continued. "A hospital is Southern California paid $17,000, according to press reports, to get their system back."
The hackers recognize keeping the ransom price within reach for companies and individuals increases the likelihood of people paying. Felker noted, "The FBI recommends you not pay the ransom." While agreeing that's probably prudent for several reasons, not the least of which is that paying ransom rewards the criminals, he said it isn't quite that simple when critical data is locked up. "We tell our clients it's really a business decision for each individual company."
Before making any decision, Felker said, "You really have to get a forensic expert in quickly to determine the extent of the encryption that has taken place. Then, you look at whether you have backups and see if you can simply restore those files or if they are lost to you."
Opting to pay the ransom is also risky. "Paying it doesn't necessarily mean the bad guys will send the decryption key ... the might, but they might not," said Burnette. According to numerous news reports, WannaCry was seen as a double scam because it didn't have an automated decryption key, which meant those paying ransom had to hope the criminals behind the attack would manually free their system. As of press time, most of the ransoms paid had not resulted in computers being restored.
Felker and Burnette agreed the best offense is a good defense ... stopping attacks before they can occur. There are a number of steps that should be taken to prevent ransomware or other malware from bringing business to a halt.
Inventory: "You have to identify and inventory all the sensitive data you have," said Burnette. "You can't protect what you don't know you have." He added a proper inventory requires knowing what data exists, where it's stored, and how it's processed and transmitted.
Backups: Burnette pointed out organizations that had backups before the WannaCry attack could retrieve the clean data and rebuild their systems. Felker concurred, saying it's key to identify critical information in advance and have it backed up. "You have to have some separation there so those backups are protected," he added of keeping those files safely disconnected from the network.
Patching: "The most significant thing companies can do ... and are doing ... is patching," Burnette continued. He noted the patch to protect against the variant targeted by WannaCry was actually released in mid-March by Microsoft ... two months before the attacks occurred. "Those who installed the patch would not have been susceptible to this particular malware," he stated.
Harden the Computer System: "The premise of hardening computer systems is turning off unnecessary services and capabilities," Burnette said. He noted computers typically come with a lot of programs installed that aren't needed yet provide another entry point for those seeking to do harm. "If you harden your systems properly, then the services the bad guys are targeting might not even be on and available to be attacked," he reasoned.
Education: Felker said part of part of a healthy cyber defense is pre-planning by keeping employees educated and alert to new and evolving threats.
Risk Assessment: Under the HIPAA security rule, healthcare organizations should already be conducting risk assessments to identify areas of vulnerability. Once identified, action should be taken to close the loopholes.
Monitoring: Burnette said there are many monitoring tools and services available to watch for changes in the operating environment and alert companies quickly.
Legal Action: "If you can find the culprit, you have legal recourse. But realistically many times it's impossible to find the source, and often they are from foreign countries," Felker said pragmatically.
Insurance: Cyber coverage is something Felker said his team often discusses with clients. "Clients need to make sure their insurance coverage includes cyber attacks including ransomware," he counseled. Some policies exclude such attacks and others simply aren't broad enough.
While a good policy could help offset the costs to rebuild and replace, proactive steps to thwart an attack on the front end ultimately save everyone time, money and frustration.