WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network?

“It’s a tragedy.” At least that is what we are told.  Time and time again, when bad things happen, we hear the same things replayed over and over again, or “what could we’ve done to prevent this,” or “we didn’t know.”  In life, this can be an honest reaction to certain things. Some things are left to powers way beyond our mortal control, but that doesn’t apply to the cyber world in this digital age. Exploits are a daily thing; this is not new.  There are more than forty new viruses created every sixty seconds, of every minute, of every hour, of every day.  The “I didn’t know” defense can only play out so long.

This was never truer than just this past week with the incredibly dynamic Ransomware attack – the WannaCry Exploit– in the UK and Spain. Here is what we know, some exploit kits that allegedly were created by certain government agencies was again allegedly stolen and leaked online to the masses. Some elements of these exploit kits were then leveraged in a new extremely aggressive form of Ransomware that leverages a worm-like attack against connected network machines through various read/write functions of the Windows Operating System.  This latest Ransomware variant was then set loose on the world, infected more than 200,000 systems in more than 100 countries, including several healthcare institutions in the United Kingdom, and even a couple of telecommunications companies in Spain. Guess what? It is certainly not the first exploit to leverage this form of attack, and it certainly will not be the last.

It has been for far too long that companies and institutions continue to treat cyber security like it is still the 1990’s. Back then, it was typical for network admins to simply deploy this new technology called a “firewall” behind their router, and then let it sit for months, even years, without so much as logging into the unit. They had no need to. If the unit was up, that was all that mattered. Perhaps they would log into add a new Access Rule or a VPN Policy, but for the masses that was it. It was a terrible practice then; today it a death sentence for the network, and maybe even the career.

Network admins need to alert their senior management, including those C-Level employees, and let them know that security is no longer a back-office job that is performed only when needed. Security has evolved. It is a front office task that demands daily attention. And guess what else? Sometimes that means that there is some heavy lifting involved.

Here is the basic truth: proper security procedures, training, and architecture prevent breaches. This starts with ensuring that all traffic is being inspected, including that pesky encrypted traffic. This can not be a half-baked solution that only inspects partial traffic flows, or has to rely on multiple endpoint clients to alert before identifying threats. Crossing one’s fingers and wishing for the best simply will not do. Only implementing an aggressively secure countermeasure to stop the aggressive advanced persistent threats will protect networks from malicious exploits.

Install a solution that delivers automated security updates, that is fully application aware, has built in intrusion prevention and anti-virus scanning, including encrypted traffic inspection. All of these features, including the fully integrated SonicWall Capture Threat Prevention – a multi-engine cloud-based sandbox for zero-day malware attacks, are included on the SonicWall UTM Appliance and next-generation firewalls. SonicWall customers and partners were protected on April 20, when the SonicWall Capture Labs Threat Network issued a signature for the WannaCry exploit.

Recently, I had the pleasure of sitting down with a business owner of a company that had been breached. It was a typical story. A user’s credentials had been compromised, and unauthorized access through an unprotected RDP session led to devastating consequences.  When questioned why a VPN front-end to the RDP session was not deployed, the response was that it was to many extra configurations to maintain.  When asked what about enabling a two-factor authentication solution to send a text message to users’ phones, the response was it was too complex. What if they forget their phone that day? Then when I am asked why there was a breach, I just WannaCry.

For more information, please read SonicWall’s Ransomware Review and Defeating the Encrypted Threat.
Protect More Fear Less

Rob Krug
Senior Security Solution Architect | SonicWall
Rob has been in the network engineering and security space for over 27 years and has been recognized as a past SonicWall Security Engineer of the Year. His background includes extensive work with telecommunications, network design and management, and network security. Specializing in security vulnerabilities, his background includes extensive training and experience in cryptography, ethical hacking and reverse engineering of malware. A Master CSSA, Rob has dozens of industry certifications and is also as a SonicWall Technical Master. He served in the United States Navy within Naval Intelligence, and also worked as both a data security analyst and director of engineering for multiple international service providers. Rob has designed, implemented and maintained some of the most complex and secure networks imaginable. And he collects malware for fun.
1 reply

Trackbacks & Pingbacks

  1. […] power of behavior-based security was clear with the initial WannaCry attack in 2017. It was made famous when 16 NHS hospitals in the UK were shut down due to this viral […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply