Despite halting the WannaCry ransomware attack, Marcus Hutchins still considers it a strange dream to this day
ANALYSIS Five years ago today (May 12), a ransomware attack blamed on a North Korean hacking group hit computers running Microsoft Windows, encrypting data and demanding ransom payments in bitcoin. The malware spread on its own, with no user interaction, by exploiting a flaw in Microsoft's SMBv1 implementation that had been patched two months earlier.
WannaCry, the biggest ransomware attack in history, spread within days to more than 250,000 systems in 150 countries.
But a kill switch was discovered by British security researcher Marcus Hutchins, who inadvertently stopped the attack by registering a web domain found in the malware’s code.
Before doing anything else, each new infection tried to fetch that domain; once the request succeeded, the malware exited without encrypting files or spreading further. That halted new infections on every host that could reach the domain (it did nothing for machines already encrypted, and hosts whose outbound web requests failed kept being hit), buying precious time and giving organizations breathing room to update their systems.
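The logic described above is simple but inverted, and that inversion explains both why registering the domain worked and why it did not protect every network. The following Python is an added illustration, not code from the article and not the malware's own source: it models the dropper's decision with an injectable connectivity probe, runs the three network situations a host could be in after the domain was registered, and triages constructed proxy-log lines to separate hosts where the malware halted from hosts where it carried on. The domain name and the log lines are placeholders constructed for the example.

```python
"""Model of the WannaCry kill-switch gate plus a log-based triage for it.

Added example, not code from the article and not the malware's own source.
KILL_SWITCH_DOMAIN is an assumed placeholder, not the real domain, and
SAMPLE_LOG is constructed for the example.
"""
import re
from typing import Callable, Dict

KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"  # assumed placeholder

# A probe returns True when an HTTP GET to the given domain succeeds.
Probe = Callable[[str], bool]


def kill_switch_says_stop(probe: Probe) -> bool:
    """Reproduce the dropper's decision as the article describes it.

    A successful request to the domain means 'stop'. Every failure mode
    (unregistered name, DNS blocked, no route, timeout) means 'proceed to
    encrypt and spread'. Unlike a normal feature flag, failure is the go
    signal, so a host that cannot reach the sinkhole is not protected by it.
    """
    try:
        return bool(probe(KILL_SWITCH_DOMAIN))
    except Exception:
        return False


def run_scenarios() -> Dict[str, bool]:
    """Three situations a host could be in once the domain was registered.
    True means the malware halts on that host."""

    def direct_internet(domain: str) -> bool:
        return True  # registered domain answers, request succeeds

    def unregistered(domain: str) -> bool:
        return False  # NXDOMAIN: the state before Hutchins registered it

    def egress_blocked(domain: str) -> bool:
        raise OSError("no route to host")  # firewalled egress, request fails

    return {
        "direct_internet_after_registration": kill_switch_says_stop(direct_internet),
        "before_registration": kill_switch_says_stop(unregistered),
        "registered_but_egress_blocked": kill_switch_says_stop(egress_blocked),
    }


# Constructed web-proxy log format for the example: timestamp, source host,
# requested hostname, HTTP status returned to the client.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+status=(?P<status>\d+)$"
)

SAMPLE_LOG = """\
2017-05-12T10:01:02Z src=ws-017 host=killswitch-placeholder.invalid status=200
2017-05-12T10:01:05Z src=ws-021 host=update.example.com status=200
2017-05-12T10:02:11Z src=srv-db2 host=killswitch-placeholder.invalid status=503
2017-05-12T10:02:40Z src=ws-017 host=intranet.example.com status=200
"""


def triage_kill_switch_hits(log: str) -> Dict[str, str]:
    """Map each source host that requested the kill-switch domain to what
    the dropper did next on that host.

    Any request to this name is high-signal: nothing legitimate talks to it,
    so a hit means the dropper ran there. A 200 means it halted; anything
    else means the request failed and the malware proceeded, so that host
    needs containment and a restore, not just a patch.
    """
    verdicts: Dict[str, str] = {}
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("host").lower() != KILL_SWITCH_DOMAIN:
            continue
        outcome = "halted" if m.group("status") == "200" else "proceeded"
        # Keep the worst outcome seen for a host across repeated requests.
        if verdicts.get(m.group("src")) != "proceeded":
            verdicts[m.group("src")] = outcome
    return verdicts


if __name__ == "__main__":
    print(run_scenarios())
    print(triage_kill_switch_hits(SAMPLE_LOG))
```

The third scenario is the one that caught many corporate networks: the domain was registered and answering, but the host's request never got out, so the inverted check read as "go". In a real investigation the same triage would be run over DNS and proxy telemetry for the actual domain, and any host that appears, with whatever status, should be treated as one on which the dropper executed.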
“It didn’t feel real and the reality never really set in. Still to this day, it feels like it was all a weird dream,” Hutchins tells The Daily Swig.
“It’s rare for such sophisticated exploits to fall into the wrong hands. Even to this day, nothing close to the severity of the exploit WannaCry used has surfaced.”
Five years on, though, the effects of WannaCry are still apparent, and other attackers have been emboldened to act.
“Little did we know then that it was just the start of a rise in more sophisticated, widespread, and detrimental ransomware attacks,” says Joseph Carson, chief security scientist and advisory CISO at Delinea.
“Since then, we have seen a steady stream of high-profile ransomware victims, along with a rise in the number of ransomware groups offering ransomware-as-a-service.”
Indeed, according to a recent report from Sophos, two-thirds of organizations surveyed were hit with ransomware in 2021, up from 37% in 2020, with almost half of those whose data was encrypted paying a ransom.
Even WannaCry itself is still on the loose and causing significant damage, with Trend Micro reporting that more than 5,500 cases were detected in each of the last three months of last year. Since the worm still spreads through the same SMBv1 flaw that Microsoft patched before the 2017 outbreak, those detections mean unpatched, SMBv1-exposed hosts remain on live networks. Clearly, organizations are still failing to act.
“Given the significant coverage, both technical and high-level, much of the industry anticipated it would prompt organizations to take real defensive action,” says James Tamblin, president of BlueVoyant UK.
“Yet, over the past five years, we have witnessed ransomware actors use near-identical methodologies – and in many instances, identical tooling – to accomplish their objectives.”
There’s broad industry agreement that more needs to be done to defend against ransomware, with Carson urging organizations to take basic steps to protect themselves.
“One is segmentation, essentially putting in place technical guardrails that separate one business function from another. This minimizes the unchallenged propagation of malicious actors and malware,” he says.
“Another best practice is to identify all critical assets which are most commonly targets for attacks and perform frequent incremental backup in the event a system recovery is needed. Strong multi-factor authentication and privileged access controls are also obvious components.”
Meanwhile, he says, organizations should adopt a least-privilege approach to access, granting only what a job function or task requires.
But the general culture within infosec is also a factor in the continuing proliferation of ransomware, according to Ian Farquhar, field CTO at Gigamon.
“Instead of fostering industry-wide collaboration and enabling the transparency needed to tackle the complexity of ransomware attacks, the blame culture, with constant finger-pointing and criticism from the sidelines, is rife and on the rise,” he tells The Daily Swig.
“Infosec professionals are at breaking point, with 41% of IT security managers in the UK considering quitting. And with ransomware groups like Lapsus$ typically preying on disgruntled, stressed employees and offering financial incentives to enable intrusion, the industry needs to change fast.”