
Understanding Ransomware


By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using the WannaCry ransomware was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomware.

The ransomware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. To obtain the key, money must be sent to the “owner” of the ransomware. Usually this money is requested in the form of cryptocurrency, which makes it difficult (if not impossible) to trace the payment.

Ransomware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on campus that technology needs to be friendly and open. Because of this cultural approach to planning technology, many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user-managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel set up multistep authentication that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay in resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from becoming a victim of ransomware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times and restrict certain types of technology from being used on campus.

Managing network and data security is a discipline that must be followed regardless of an organization's mission or definition. Best practices need to be studied as universal best practices. Studying best practices for only a single type of organization (like a K-12 international school) limits exposure to case studies, creative ideas, and threat assessment.

Ransomware Prevention and Protection

Investing money and IT security planning have something in common. If a person makes a future decision strictly on past performance, they are very likely to be investing in a plan that is expensive with a lower future yield. IT security threats work because they are original, and because a purchasable defensive solution was not available at the time of the threat.

Many organizations make the mistake of preparing for the future by buying protection against a threat that is no longer unique. This is useful if the threat resurfaces, but it is useless against new threats.

If an organization truly wants to be well prepared for ransomware threats, everyone in the organization should be able to answer ‘Yes’ to this statement:

“I can take my laptop/desktop/primary device and throw it away right now without severely impacting my work or life.”

Answering ‘Yes’ to that statement means that a person understands the data is more important than the machine it resides on. Just like investing for retirement, only diversification will save someone during a new and aggressive IT security threat.

There are numerous ways to achieve a high level of data diversity and redundancy. Here are a few that can be implemented with policy and practice:

  • The standard for file storage should be the cloud.
  • Do not use sync software such as Google Drive Sync or OneDrive sync.
  • Laptops given to staff and students should have very small hard drives to discourage hoarding data and storing old files.
  • Weekly or monthly archiving of data should not be in the same environment as data for daily work. For example, I use Google Drive every day for work, but once a month I back up the important data to Dropbox. The larger archives are for emergencies, and are held within a different environment.
  • Offline backups on external drives are good, but hardware can fail. Consider what data is critical and make sure the offline backup is not the primary copy.
  • Systems like Time Machine can actually corrupt data if they are backing up automatically. Consider manually initiating backups, only after you have scanned your machine/servers for malware.
  • Photos and media can be challenging to keep organized in the cloud. Services like Google Photos, Instagram, etc. are designed for media. Use media-centric services to manage media.
  • Email is not for data storage. If email is compromised, the communication threads should be all that is lost.
  • Schools using local network shared drives and NAS systems (Synology etc.) need to be restrictive and vigilant with permissions. If these services have been planned with “Ease of Use” as the driving force, they are at risk of being turned into an engine that will rapidly spread a threat.
  • Limit non-cloud-based data sharing to special groups or departments to reduce the need to constantly update and patch these systems.
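The two backup points above (keep the offline copy from becoming the primary copy, and only start a backup after checking the machine) share one failure mode: an automatic backup that copies already-encrypted files over the last good archive. The check below is an added example, not code from the original post; it refuses a manual backup run when too many files that should be readable text have the byte entropy of ciphertext. The extension list, the 7.0 bits/byte threshold and the 10% tolerance are assumptions chosen for illustration.

```python
# Added example (not from the original post): a pre-backup check that refuses to
# archive a tree whose text files look like ciphertext, so a manual backup does
# not overwrite the good archive copy with encrypted data.
import math
import os
from collections import Counter

# Media and zipped formats (jpg, docx, ...) are naturally high-entropy, so only
# extensions that should hold readable text are judged (avoids false positives).
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".json", ".log", ".xml"}
ENTROPY_THRESHOLD = 7.0      # bits/byte; English text ~4-5, ciphertext ~7.9+
MAX_SUSPICIOUS_RATIO = 0.10  # refuse the backup above this share of text files

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_text_type(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in TEXT_EXTENSIONS

def suspicious_files(files: dict) -> list:
    """Paths in a {path: bytes} mapping whose text-type content looks encrypted."""
    return [p for p, d in files.items()
            if is_text_type(p) and shannon_entropy(d) >= ENTROPY_THRESHOLD]

def backup_allowed(files: dict) -> bool:
    """True if the share of ciphertext-like text files is within tolerance."""
    text_files = [p for p in files if is_text_type(p)]
    if not text_files:
        return True
    return len(suspicious_files(files)) / len(text_files) <= MAX_SUSPICIOUS_RATIO

def load_tree(root: str) -> dict:
    """Read a real directory into the {path: bytes} form the checks expect."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as fh:
                files[os.path.join(dirpath, name)] = fh.read(65536)  # 64 KiB suffices
    return files

# Constructed sample data: a healthy tree, and the same tree after its text files
# have been replaced with ciphertext-like bytes (the media file stays untouched).
CIPHERTEXT_LIKE = bytes(range(256)) * 16  # entropy exactly 8.0 bits/byte
SAMPLE_HEALTHY = {
    "budget.csv": b"month,spent\n2017-05,1200\n" * 50,
    "notes.txt": b"Meeting notes: patch schedule, backup rota.\n" * 40,
    "photo.jpg": CIPHERTEXT_LIKE,  # high entropy but not a text type: ignored
}
SAMPLE_INFECTED = {**SAMPLE_HEALTHY, "budget.csv": CIPHERTEXT_LIKE, "notes.txt": CIPHERTEXT_LIKE}
```

Run `backup_allowed(load_tree("/path/to/work"))` before starting the archive copy; a `False` result is the cue to investigate rather than back up.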

A final note to those who are making and enforcing policy: a single human vector who introduces one of these threats onto a network can create a cascade of destruction. Allowing anyone to circumvent a policy because of their title or position places everyone at risk.


WannaCry Ransomware Impact

The ransomware campaign was unprecedented in scale according to Europol.[9] The attack affected many National Health Service hospitals in England and Scotland,[50] and up to 70,000 devices — including computers, MRI scanners, blood-storage refrigerators and theatre equipment — may have been affected.[51] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[12][52] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[46] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[10][12]
Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe's most productive car manufacturing plants, halted production after the ransomware infected some of its systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[53][54]
According to experts, the attack's impact could have been much worse if no kill-switch had been built in by the malware's creators.[55][56]
Cybersecurity expert Ori Eisen said that the attack appeared to be “low-level” stuff, given the ransom demands of $300, and stated that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.[57]
List of affected organizations

  • São Paulo Court of Justice (Brazil)[58]
  • Vivo (Telefônica Brasil) (Brazil)[58]
  • Lakeridge Health (Canada)[59]
  • PetroChina (China)[16]
  • Public Security Bureaus (China)[60]
  • Sun Yat-sen University (China)[61]
  • Instituto Nacional de Salud (Colombia)[62]
  • Renault (France)[63]
  • Deutsche Bahn (Germany)[64]
  • Telenor Hungary (Hungary)[65]
  • Andhra Pradesh Police (India)[66]
  • Dharmais Hospital (Indonesia)[61]
  • Harapan Kita Hospital (Indonesia)[61]
  • University of Milano-Bicocca (Italy)[67]
  • Q-Park (The Netherlands)[68]
  • Portugal Telecom (Portugal)[69]
  • Automobile Dacia (Romania)[70]
  • Ministry of Foreign Affairs (Romania)[71]
  • MegaFon (Russia)[72]
  • Ministry of Internal Affairs (Russia)[73]
  • Russian Railways (Russia)[74]
  • LATAM Airlines Group (Chile)[75]
  • Banco Bilbao Vizcaya Argentaria (Spain)[76]
  • Telefónica (Spain)[76]
  • Sandvik (Sweden)[61]
  • Garena Blade and Soul (Thailand)[77]
  • National Health Service (England) (United Kingdom)[78][12][10]
  • NHS Scotland (United Kingdom)[12][10]
  • Nissan UK (United Kingdom)[78]
  • FedEx (United States)[79]
  • Massachusetts Institute of Technology (United States)
  • Saudi Telecom (Saudi Arabia)[80]