WannaCry ransomware attack – Lessons Learned
On May 12th hundreds of thousands of people (and machines) woke up to a screen informing them that their files “have been encrypted”. Over the next week, we learned that the WannaCry ransomware attack had the potential to be extremely damaging to multiple industries. At last count, the ransomware was found in over 150 countries and had infected over 300,000 computers across 100,000 businesses in multiple industries including retail, manufacturing, transportation, healthcare, and finance. This wasn’t just about healthcare.
What did we learn from this attack?
I spoke to customers and partners after the attack. Some, rightly so, are very concerned about the next attack and even saw this as a “practice run”. This attack taught us a few lessons that we need to proactively address. The cyberworld was fortunate that the “kill switch” was accidentally found. But we can be better prepared. Here are a few of my observations and recommendations:
- The advice not to pay the ransom resonated: the bitcoin wallets linked to the ransomware showed less than $60,000 paid out of a potential $30M+ (if ~30% of the 300,000 infected machines had paid the ransom). This first lesson learned is just good practice, and with proper planning organizations can recover from cyberattacks without paying ransom. Organizations must make recovering from a cyberattack part of their business continuity and recovery plan.
- A key component of an organization’s ability to digitally transform is the adoption and use of modern technology that also provides better protection in today’s cyberworld. Unsupported and unpatched software is extremely vulnerable, and there are still almost 200,000 PCs running XP in the United States and thousands more around the world. We must work to reduce that number.
- The Server Message Block protocol (SMB – used for providing shared access to files, printers, and serial ports) was exploited in unpatched systems. While this was a Windows-based attack, SMB is also used by macOS and Linux/Unix, which are also vulnerable. Machines with modern operating systems and protection, such as Windows 10 with updates enabled, were protected.
- The SMB exploit enabled a growing threat called “Lateral Movement”, which allowed the ransomware to self-propagate across machines. This is a critical lesson learned, as it’s no longer just about protecting sensitive electronic protected health information (ePHI) data on a few machines. Organizations must adopt a holistic cybersecurity and risk mitigation plan and cannot exclude older equipment with the excuse that “…it doesn’t store ePHI so it’s ok…” Additionally, modern file sharing and cloud storage services such as OneDrive were not affected by the SMB exploit. Microsoft’s cybersecurity, risk assessment, and digital services teams can help find and identify these vulnerabilities along with helping organizations build their “Digital Services Roadmap”.
- Privileged accounts, administrator accounts, and endpoint ports must be secured, managed and protected from untrusted systems – “Zero Trust” continues to be a focus. Solutions such as Operations Management Suite, along with services and solutions from our partners such as Lumen21, Silect, Barracuda, TrendMicro, and others, can help customers address this need.
- Endpoint protection coupled with identity and security management is absolutely a must-have along with a layered security (security in depth) approach to proactively defend against future attacks. While having various solution components in place is helpful, it has become more critical to leverage integrated solution suites that provide broader protection.
- Organizations must practice cybersecurity incident recovery. We learned that organizations that were prepared recovered quickly from this attack (or completely avoided it). Those that were not prepared lost productivity and put patients at risk. Microsoft’s Cybersecurity Incident Recovery guidance and Cybersecurity services offerings are designed to help customers prepare for and recover from cyberattacks such as this one.
For more information on Microsoft’s and our partners’ solution and service offerings to modernize and fortify a covered entity’s cybersecurity, privacy, and compliance posture, please download our Cybersecurity in Health e-book.