Unpacking the WannaCry Aftershock

October 2, 2019

Sophos Senior Director ASEAN and Korea Sumit Bansal discusses the spate of cyberattacks targeting Sephora, Foodpanda and Ikea and the WannaCry fallout two years on.

By Sumit Bansal

Sophos recently published its WannaCry Aftershock, a report on what happened to the infamous WannaCry malware, following the worldwide attack that began on May 12, 2017.

Our research suggests that the WannaCry threat remains rampant, with millions of infection attempts stopped every month, and that while the original malware has not been updated, many thousands of short-lived variants are in the wild.

According to our report, in August 2019, 4.3 million WannaCry infection attempts were stopped worldwide by Sophos-protected endpoints. India ranked second (behind the US) with 8.8 percent of the attempts, followed by Indonesia in fifth (6.8 percent) and the Philippines (5.8 percent) seventh. Singapore ranks ninth, ahead of China, which is ranked 10th, contributing to 3.5 percent of the WannaCry attempts stopped by Sophos-protected endpoints in August 2019.

The continued existence of the WannaCry threat is largely due to the ability of these new variants to bypass the ‘kill switch.’ However, when Sophos researchers analysed and executed a number of variant samples, they found that their ability to encrypt data was neutralised as a result of code corruption.

Because of the way in which WannaCry infects new victims – checking to see if a computer is already infected and, if so, moving on to another target – infection by an inert version of the malware effectively protects the device from being infected with the active strain. In short, new variants of the malware act as an accidental vaccine, offering still unpatched and vulnerable computers a sort of immunity from subsequent attack by the same malware.

However, the very fact that these computers could be infected in the first place suggests the patch against the main exploit used in the WannaCry attacks has not been installed – a patch that was released more than two years ago.

The original WannaCry malware was detected just 40 times and since then SophosLabs researchers have identified 12,480 variants of the original code. Closer inspection of more than 2,700 samples (accounting for 98 per cent of the detections) revealed they had all evolved to bypass the ‘kill switch’ – a specific URL that, if the malware connects to it, automatically ends the infection process – and all had a corrupted ransomware component and were unable to encrypt data.

Sophos researchers have also traced the first appearance of today’s most widespread corrupted variant back to just two days after the original attack: May 14, 2017, when it was uploaded to VirusTotal, but had not yet been seen in the wild.

In a separate report, The Future of Cybersecurity in Asia Pacific and Japan – Culture, Efficiency, Awareness, we spoke to a cross-section of firms in Singapore, Malaysia, the Philippines, Australia, India, and Japan to assess their cybersecurity readiness for the next two years. We found there is still a great deal to be done.

At present, companies are too focused on patching up short-term problems. However, the success of an organisation’s cybersecurity investment lies in more than technology adoption.

Overall, businesses across the region should focus on a top-down approach by investing in and creating a strong security culture, educating employees and establishing a path-to-purchase to ensure robust cybersecurity capabilities to protect against today’s continually evolving threat landscape.

While Singapore has a high level of cybersecurity maturity, the highly publicised attacks on well-known companies in Singapore are not surprising when you consider more than a quarter of organisations in the country have reported security breaches in the past 12 months. With a figure this high, something is definitely amiss.

Furthermore, according to the 100 business decision makers in Singapore, the most serious attacks they face come from ransomware, artificial intelligence and machine learning, and even attacks carried out by malicious employees.

Budgetary constraints

Across the Asia Pacific region, some trends stood out that explained the discrepancy between perceived and actual cybersecurity maturity levels. Specific to Singapore, a main problem is that less than half (46 per cent) of the organisations do not have a dedicated cybersecurity team that can effectively detect, investigate and respond to threats.

Many companies are unable to take necessary action due to lack of budget, shortage of talent, and the difficulty of staying up to date with cybersecurity issues. Indeed, only a third of organisations have a dedicated cybersecurity budget and, in most cases, cybersecurity is included under the overall IT budget. All these indicate that much more work is required to improve security posture across the board.

Beyond the tech

The cybersecurity journey is constantly changing. Even though organisations recognise that technology will play a critical role in their organisation’s security in the next 24 months, many still face frustrations in educating employees and leadership, securing budget to hire skilled employees and to spend on effective technology solutions, and the lack of focus on security by management.

To address these issues, we need to look beyond just technology. Educating employees and management on cybersecurity should be a priority for every organisation regardless of size or industry.

Around half of the incidents reported are caused by internal employees and partners, whether deliberate or accidental. As a result, employees should be encouraged to take part in cybersecurity training courses, which could also be incentivised by rewards or enhanced with gamification to boost engagement and improve understanding.

Companies also need to nurture a culture of awareness about cybersecurity threats and issues, and to ensure that everyone buys in. This is not a quick fix. Fundamentally changing company culture takes time and, for it to be truly effective, all stakeholders must embrace the new culture and values. This includes everyone from the CEO to the latest graduate new-hire. Over the long term, however, putting cybersecurity at the core of a firm’s culture by making it a central pillar of the employee value proposition, or through compelling internal communication campaigns, will instil greater awareness, reduce incidents and save resources (and reputation!).

The future of security

Overcoming these challenges won’t be easy. Today’s cybersecurity teams must be proactive in their response to cyberthreats. This requires having both technical tools and non-technical skills. Put simply, companies in Singapore need the right resources to keep pace with the number, regularity and sophistication of cyberthreats.

The WannaCry outbreak of 2017 changed the threat landscape forever. The current security reality is that without improved efficiency and effectiveness of cybersecurity investments, organisations will continue to slip into a downward spiral of chasing quick-fixes for new threats. Companies will experience sub-optimal results for spending and struggle to be proactive, rather than repeatedly reacting to incidents and breaches.

How to protect against WannaCry malware and ransomware in general

  • Check that you have a full inventory of all devices connected to your network and that they are all up to date in terms of their security software
  • Always install the latest patches as soon as they are released on all the devices on your network
  • Verify if your computers are patched against the EternalBlue exploit used in WannaCry by following these instructions: How to Verify if a Machine is Vulnerable to EternalBlue – MS17-010
  • Keep regular backups of your most important and current data on an offline storage device as the best way to avoid having to pay a ransom when affected by ransomware
  • There is no silver bullet to security, and a layered security model is the best practice all businesses need to implement
  • For example, Sophos Intercept X employs a comprehensive defense-in-depth approach to endpoint protection, combining multiple leading next-gen techniques to deliver malware detection, exploit protection and built-in endpoint detection and response (EDR).
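As an added example that is not from the article or from Sophos, the following PowerShell script turns three of the checklist items above (patch currency, the MS17-010 check and SMBv1 exposure) into a single local audit that can be run on each inventoried Windows host. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later, and that the KB identifiers passed in are the ones Microsoft's MS17-010 bulletin lists for that host's operating system; the default values are the Windows 7 SP1 / Server 2008 R2 updates from that bulletin and must be replaced for other versions. The `Ms17010Kbs` parameter and the report field names are this example's own, not part of any Microsoft or Sophos tooling.

```powershell
<#
 Added example, not from the article or from Sophos.
 Read-only audit of one Windows host against the WannaCry checklist:
   - is an MS17-010 update present?
   - is the SMBv1 server protocol still enabled?
   - is the SMB1 optional feature installed at all?
   - how long since the last update was installed?
 Assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later.
#>
param(
    # KB identifiers that deliver MS17-010 for THIS OS. The defaults are the
    # Windows 7 SP1 / Server 2008 R2 updates from the bulletin; replace them
    # with the bulletin's entries for the OS you are auditing.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

$report = [ordered]@{}
$report['ComputerName'] = $env:COMPUTERNAME

# 1. Patch check. Any one of the bulletin's KBs satisfies it. Caveat: on Windows 10
#    the fix ships in cumulative updates that supersede the original KB, so a missing
#    KB alone is not proof of exposure; "KB missing AND SMBv1 enabled" is the
#    finding that warrants immediate action.
$installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$report['MS17010KbPresent'] = [bool]($installedKbs | Where-Object { $Ms17010Kbs -contains $_ })

# 2. SMBv1 server protocol state (the transport the EternalBlue exploit targets).
$smb = Get-SmbServerConfiguration
$report['SMB1ServerEnabled'] = $smb.EnableSMB1Protocol

# 3. Whether the SMB1 optional feature is installed; absent on hosts where it was removed.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feature) { [string]$feature.State } else { 'NotPresent' }

# 4. Days since the most recently installed update, as a rough "patches applied promptly" signal.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['DaysSinceLastHotfix'] = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

# 5. Summarise: the combination that matters most for WannaCry exposure.
$report['ActionRequired'] = (-not $report['MS17010KbPresent']) -and $report['SMB1ServerEnabled']

[pscustomobject]$report | Format-List
```

Run it on each host from the device inventory and collect the output; hosts reporting `ActionRequired : True` are the ones that are both unpatched and still exposing SMBv1, which is exactly the population the inert variants described above are reaching. Disabling SMBv1 where no legacy dependency needs it removes the exposure even before patching catches up.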
