Story image

Lessons learned from the latest ransomware attacks - there's more to come

10 Nov 17

An assessment by Dominik Lehr, founder and CEO of communication solutions provider Befine Solutions AG

According to Europol, Europe needs to prepare itself for a large increase in the number of cyber-attacks.

As it said in its annual report, the threat of Internet-based organised crime has reached an “unprecedented scale” and ransomware has put all the other threat types in the shade. The “peak” up to now has been the WannaCry attack in May, in which over 300,000 computers in about 150 countries were infected.

Victims included companies in the logistics, telecommunications and healthcare sectors. For example, there were significant disruptions to medical care in Britain, while in Germany display panels and ticket machines in stations stopped working.

The vulnerability of our digital infrastructure could hardly be more obvious. It is striking that systems in critical infrastructure are often those that become infected. But here, more than anywhere, it is difficult for the affected companies to respond to the constant demands to update their software. What we need instead is a change of perspective - focusing less on IT and more on the communication processes that dominate in so many companies and public authorities.

Soon after WannaCry, Petya was the next attack that paralysed companies and public authorities around the world. The victims included banks, utility firms, airports, rail companies, shipping firms, food manufacturers, media organisations and even the Chernobyl nuclear power station.

It was caused by a ransomware version that had already been discovered last year and apparently used the same security flaw in older versions of Windows as WannaCry did. At the end of August, the parliament in the German state of Saxony-Anhalt was the victim of a ransomware attack too. Its IT and communication systems had to be shut down and all necessary documents had to be handed out to the members of parliament in paper form.

In these cases, people are all too quick to draw conclusions and make demands. This includes calls to update software and programs immediately. It is true that patching security flaws is generally seen as the first and most effective protection mechanism. The use of security solutions and regular backups should be self-evident anyway even to the most hard pressed IT team. The EU General Data Protection Regulation, which becomes enforceable in May 2018, refers to “appropriate protection” - but what is appropriate?

Taking warnings seriously

Many companies and public authorities are still using operating systems and software programs that have not been supported by the manufacturer for a long time and therefore no longer receive any updates. The patch to plug the WannaCry hole had actually been available for just under two months, but in practice many companies take over 100 days to apply these updates. Although this may seem negligent at first sight, there are often good reasons to delay. Things are not always as easy as they seem on face value.

There are many industries and segments whose computers cannot just be “quickly shut down” and restarted - just like those affected by the attacks mentioned above. Users, whether they are at work or on their home computer, are familiar with the problem too. Updates take time and can be annoying, especially if there are problems once the patches have been installed. It is good practice for IT managers in companies to place a lot of importance on testing patches before installing them.

Rethinking processes

This is why it is necessary to take a different perspective with less of a focus on IT and more focus on the types of communication processes and practices that dominate in so many companies and public authorities. They are part of the problem and make certain areas more vulnerable to attack.

In the Saxony-Anhalt case, for example, a parliament worker activated the malware when he opened an email attachment. He thought he had previously forwarded the mail to himself because his own name was shown as being the sender. The healthcare sector, which has also hit the headlines several times due to ransomware attacks, has its own set of idiosyncrasies such as macros in Office programs that are widely used in hospitals.

But there is some good news. There is just one small area where companies and public authorities need to handle processes differently, enabling them to close loopholes and increase their level of protection ensuring that incoming emails cannot unleash a vicious circle of threats.

Closing loopholes

All it needs is one simple measure that is fast to implement: changing internal workflows and using the appropriate solutions that ensure that predefined file types cannot come in via email in the first place. Instead, companies can receive their emails via their own web application. That way, bots have no chance of spreading malicious code due to the existing authentication measures. With several security levels, the solution makes life more difficult for the attackers, who want to infect as many computers as possible as anonymously as possible.

One last thing, like others, we also recommend not paying ransoms. Firstly, it is questionable whether the victims will be able to access all their data again once they have paid the ransom. And secondly, it just confirms to cyber-criminals that their business model works well and they will receive additional financial support. Instead, anyone affected should involve the police immediately.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t.