The Truth about WannaCry and Ransomware

Dr. Lee Mangold

Over this past week, we have seen intense media coverage about the WannaCry ransomware. Countless analysts have told us about the financial impact, security experts have told us about the technical details, and everyone has taken to clogging our inboxes with the latest “our tools stop the attack” claims.

This letter is a bit different.

I’ve been working in IT and Security for over 20 years. Anyone who has worked in a career field for that long knows a pattern when they see it. And this latest news circus is just that: a pattern being repeated. Ransomware isn’t new. The method by which WannaCry was spread was new, but the technical nature of what it was, what it did, and how it could have been prevented is not new in any way.

As a little background: Ransomware is a piece of malicious software (malware) that encrypts your important files, rendering them unreadable. To decrypt the files again, you have to pay the attacker to get a decryption key. This malware has a few ways it could spread, most notably through the exploitation of a weakness in the Windows operating system. We don’t really know who patient zero is, but it was most likely individual users who clicked on an email, downloaded the malware accidentally, and then: the avalanche.

The next part of this story is also part of the pattern: everyone cries “victim,” security vendors start beating their chests about their new “next-gen” products, and we eventually move on without learning our lessons.

However, there’s an alternative story that many don’t like to talk about. It’s a story for which I, a security professional, will take equal amounts of compliment and criticism. That is: we could have prevented this! Not with some new technologies, but with common-sense practices from 10+ years ago.

Updates.

Did you know that a security patch was released that would have prevented WannaCry’s unique spreading mechanism 2 MONTHS before the attack started? It was a critical security update, released for Windows XP and newer. Installing that update would have prevented much of the spread we saw with WannaCry.

Now, industry professionals will claim that updates aren’t that easy. You can’t just roll out new updates overnight. And I couldn’t agree more! That’s true! However, with a 2-month lead time on a critical patch, there’s no excuse. This is not a case of being a victim; this is just negligence.

Antivirus.

You want to hear a security industry not-so-secret? 99% of antivirus software is borderline useless. Antivirus companies have been peddling their blacklist-based technologies far past their prime. They’ve added a few features to make their flawed approach a little better, but it’s still nearly useless against modern attacks. This is NOT a new finding! We’ve known this for many years, and products have been out for at least 10 years that do whitelisting… but not many.

Again, industry professionals will say “but it’s hard to implement whitelisting!” And yeah, it can be. However, if you could turn back the clock now and prevent the execution of WannaCry by using the right tool for the job, I’m betting more than a few people would be in line.

Another surprising fact: The AV companies you’ve heard of the most aren’t the ones creating whitelist-based antivirus.

Network Architecture.

I’m continually amazed by the number of computers that are directly exposed to the Internet, and by the number of networks that allow all traffic to pass anywhere throughout a company (I’m really not surprised anymore). Proper network architecture dictates that you simply don’t allow any of this. A Windows terminal server exposed to the Internet without a VPN in front of it? A medical network where communications aren’t monitored or blocked between departments, or even cities? That’s unfortunately the norm…

The victims are not the organizations that have been hit by WannaCry; they are those organizations’ customers and patients. There’s a lot of talk about how this might be a wake-up call, and let’s hope so. I’m not so optimistic about that, but if you take nothing else away from this letter, know this:

This was preventable, and the organizations that were compromised were simply asleep at the wheel.

Dr. Lee V. Mangold, CISSP
GoldSky Security, LLC