What We Learned from WannaCry and EternalPetya
In less than two months, the world has seen the two biggest ransomware outbreaks ever — WannaCry and Petya/NotPetya/EternalPetya.
While the two were distinct pieces of malware, likely authored by different groups, they had significant traits in common.
Both spread like a worm through networks, taking files hostage by encrypting them and then demanding payment for their release. Both capitalized on an exploit for a flaw in Windows SMBv1 that had been developed by the US National Security Agency and was not public until the hacking group the Shadow Brokers leaked it; Microsoft had fixed the flaw in the MS17-010 update in March 2017, weeks before WannaCry, but many systems had not applied it. Both contained flaws that kept their authors from earning far more money. But both were also sophisticated enough to suggest that they might have been backed by a nation-state. And both hit corporate networks hardest, which meant the biggest risk they posed to most home users was an infected laptop carrying the ransomware into the office network.
For businesses, the lesson is clear.
“Expect to see a lot more worms this year,” F-Secure Labs’ Andy Patel explained. So IT departments had better be ready.
For everyone else, the lesson is also clear.
The explosive pace of ransomware growth, which has seen the number of ransomware families grow exponentially since 2012, is likely to continue for the foreseeable future.
Here’s how we got to this point and what you need to do to defend yourself against this growing and evolving threat.
1. Bitcoin changed everything.
Because breaking into banks and other financial systems is difficult and dangerous, cyber criminals have for decades tried to extort money directly from consumers and businesses. “Scareware” — often fake antivirus software that hijacked your machine and demanded payment — was effective but required credit card transactions, which are easy for law enforcement agencies to trace. Then came Bitcoin, a virtual currency whose addresses are not tied to a real-world identity, giving criminals near-anonymity.
“The only thing we can see is that somebody is sending something from one address to another address. And these addresses are long lists of letters and numbers which look really random. They are tied to a user but we have no idea who these users are,” Mikko Hypponen, F-Secure’s Chief Research Officer, told the BBC. “So we very quickly saw Bitcoin used in online crime. First in the online drug trade because when you’re buying illegal drugs online, you don’t want to use your credit card. Because the credit card will lead back to you. Bitcoins don’t.”
Criminals used this breakthrough to modernize an old threat.
“Ransomware has been around for years and years, way before Bitcoin. But the megatrend that really made ransomware such a problem is crypto-currencies like Bitcoin.”
2. Updates really matter.
Software vulnerabilities are inevitable. And even as Microsoft, Apple and other vendors improve their ability and willingness to patch or retire old software, governments have stepped up their efforts to hoard vulnerabilities for their own offensive or defensive purposes. WannaCry exploited a vulnerability found by the US National Security Agency and revealed to the public only because a group called the Shadow Brokers leaked the NSA’s exploit for it. The patch had been available for weeks by the time the outbreak happened but obviously had not been deployed universally. And Windows XP, which Microsoft had discontinued, had received no public patch at all.
Since the outbreak, Microsoft has issued an emergency patch for XP, but governments are unlikely to change course on espionage. Nation-states will keep prioritizing their cyber weapons over the security of the world’s computer users, leaving vulnerabilities that the public learns about only after they have been used or leaked. This means keeping all your devices updated is crucial to your security.
3. We need layered protection.
WannaCry taught businesses how important it is to segment their networks so one infection can’t threaten all of their systems. Likewise, users need to be reminded that they need layers of security to protect them from aggressive threats and from their own mistakes. Email-borne ransomware, for instance, generally requires the user to make two bad “clicks” before being infected: opening an email attachment and then pressing the “Enable Content” button in Microsoft Office so its macros can run. (The worm components of WannaCry and EternalPetya needed no click at all once they reached an unpatched machine on the network, which is why patching and segmentation matter as much as user caution.)
By the way, NEVER DO THAT!
Internet security software like F-Secure TOTAL is there to protect you when you make those mistakes. Not all antivirus solutions detected and blocked WannaCry and EternalPetya immediately, but F-Secure did from both threats’ inception.
F-Secure’s DeepGuard protects you with behavioral analysis and exploit interception that proactively block new threats. That’s the kind of layered protection you need when facing well-funded criminals who are backed or enabled by the vast resources of powerful nation-states.
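Two of the controls discussed above can be audited on a Windows host: whether the SMBv1 service that WannaCry’s worm component abused is still switched on (the exposure behind section 2), and whether Office policy blocks macros in files downloaded from the internet so the “Enable Content” click from section 3 never gets a chance to run them. The script below is an added example, not code from the original article or from F-Secure. It assumes Windows 8/Server 2012 or later (for Get-SmbServerConfiguration), an elevated PowerShell session, and that the Office versions of interest are 2013 (15.0) and 2016/2019/365 (16.0); that version list is an assumption about your estate. The registry value blockcontentexecutionfrominternet is the one written by Microsoft’s “Block macros from running in Office files from the Internet” group policy.

```powershell
# Added example (not from the original article): audit two host-level
# controls relevant to the WannaCry/EternalPetya outbreaks.
#  1. SMBv1 server still enabled? WannaCry spread through the SMBv1 flaw
#     fixed in MS17-010; Microsoft advises disabling SMBv1 as well as patching.
#  2. Does Office policy block macros in internet-downloaded files, so the
#     "Enable Content" button cannot run them?
# Assumptions: Windows 8/Server 2012 or later, elevated session, and the
# Office version list below matches your estate.

function Test-Smb1Disabled {
    # Get-SmbServerConfiguration ships with the SmbShare module (Win8/2012+).
    $cfg = Get-SmbServerConfiguration
    return (-not $cfg.EnableSMB1Protocol)
}

function Test-InternetMacrosBlocked {
    param(
        # Assumption: Office 2016/2019/365 (16.0) and Office 2013 (15.0).
        [string[]]$OfficeVersions = @('16.0', '15.0'),
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    $results = @()
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $Apps) {
            # Policy key written by the "Block macros from running in Office
            # files from the Internet" GPO; value 1 means blocked.
            $key  = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $item = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                        -ErrorAction SilentlyContinue
            $val  = if ($item) { $item.blockcontentexecutionfrominternet } else { $null }
            $results += [pscustomobject]@{
                Version = $ver
                App     = $app
                Key     = $key
                Blocked = ($val -eq 1)
            }
        }
    }
    return $results
}

# Report SMBv1 state and the command that closes the exposure.
if (Test-Smb1Disabled) {
    Write-Host 'SMBv1 server: disabled (good)'
} else {
    Write-Warning 'SMBv1 server is ENABLED. Disable it with:'
    Write-Host   '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}

# Report the macro policy per Office application.
Test-InternetMacrosBlocked | ForEach-Object {
    if ($_.Blocked) {
        Write-Host "$($_.App) $($_.Version): internet macros blocked (good)"
    } else {
        Write-Warning ("{0} {1}: no policy blocking internet macros. Set DWORD " +
            "blockcontentexecutionfrominternet=1 under {2}" -f $_.App, $_.Version, $_.Key)
    }
}
```

Both checks are read-only; the remediation commands are printed rather than applied so the script can be run safely across a fleet before any change is made. On a domain, the macro policy is better set through Group Policy than per-machine registry edits, so a missing value here usually means the GPO has not been applied to that user.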
[Image by @Avas_Marco via Twitter.]