Friday, May 12 looked like a typical day for most folks as they went into work looking to finish off their day and head into the weekend. But as the day progressed, many organizations across the globe quickly realized that their TGIF was going to be spent dealing with a ransomware attack known as WannaCry.
Some have called WannaCry the biggest ransomware attack ever. The attack was prevalent across the globe and was seen infecting telecom networks in Spain and constraining hospitals in the United Kingdom, many of which had to move emergency patients to other sites for care. The malware even moved through enterprise networks and affected operational networks, forcing a car manufacturer to shut down a factory to deal with the incident.
So, what is WannaCry? This malware attack was primarily focused on systems running Windows XP, for which Microsoft ended support in 2014. Here’s what we know from our Cisco team over at Talos, which monitors global security threats:
“The malware…has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.”
I highly recommend you read the full article here, which lays out advice for dealing with the threat, including what patches and ports to block.
Additionally, I recommend research articles on WannaCry at the following sites:
- Amanda Rousseau – WCRY/WANACRY Technical Analysis
- Malware Tech – How to Accidentally Stop a Global Cyber Attacks
Let’s look at ransomware by the numbers, according to Cisco’s annual cybersecurity report:
- Ransomware is considered to be the most profitable malware in history
- It’s growing at an annual rate of 350%
- The FBI estimates the annual global market to be around one billion dollars
The way WannaCry spread across a variety of industries only underscores that growth in ransomware.
Ransomware in Manufacturing: 5 Ways to Reduce Your Risk
For those in the manufacturing space, the exploitation of Windows XP has to be very concerning, as many manufacturers still use older platforms to support their operations, with the philosophy of “if it ain’t broke, don’t fix it.” However, as more legacy automation systems become connected, security has to become more top of mind.
To minimize impact when attacks like WannaCry occur, it’s vital to know what your critical systems and operational priorities are. In case an incident occurs, here are some best practices to enact now, to expedite your return to “business as usual”:
- Make sure you have good backups. If you do weekly backups, transition to daily; if you do daily backups, consider hourly or real-time coverage.
- Develop a good disaster recovery plan. Test and update the plan regularly as your business grows and changes.
- Carry out security awareness training. Identify all the people, processes, and tools necessary to handle a critical disruption or event. Perform drills to test these plans on a regular basis.
- Develop a comprehensive baseline of the applications, system images, information, and your normal running network performance to give visibility into changes. These actions set a standard for detection of unusual activity.
- Consider using standardized images of operating systems and desktops, to allow for easy re-imaging to recover infected infrastructure.
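The Talos quote above describes heavy scanning over TCP port 445, and the baseline practice above exists so that exactly this kind of change stands out. The following script is an added example, not code from the Cisco post or from Talos: it compares each host's TCP/445 fan-out against a baseline interval and flags hosts that suddenly talk SMB to far more peers than they normally do. The flow records are constructed sample data in a simplified (src_ip, dst_ip, dst_port) form, and the thresholds are assumptions to be tuned per site.

```python
# Added example (not from the Cisco post or Talos): baseline-based detection of
# hosts that suddenly fan out over TCP/445, the spreading behaviour described above.
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, dst_port) for two intervals.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.5", 445),
    ("10.0.1.10", "10.0.1.6", 445),
    ("10.0.1.11", "10.0.1.5", 445),
    ("10.0.1.12", "10.0.1.5", 445),
]
CURRENT_FLOWS = [
    ("10.0.1.10", "10.0.1.5", 445),
    ("10.0.1.11", "10.0.1.5", 445),
    ("10.0.1.13", "10.0.1.5", 139),  # not TCP/445, so ignored by the detector
] + [("10.0.1.12", f"10.0.1.{i}", 445) for i in range(20, 60)]


def smb_fanout(flows):
    """Count distinct destinations per source, looking at TCP/445 flows only."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def flag_smb_scanners(baseline_flows, current_flows, min_peers=10, factor=5.0):
    """Return {src: (current_peers, baseline_peers)} for sources whose TCP/445
    fan-out exceeds both an absolute floor and a multiple of their own baseline,
    so a file server that normally talks to many clients is not flagged for
    merely being busy. min_peers and factor are assumed, site-specific values."""
    base = smb_fanout(baseline_flows)
    now = smb_fanout(current_flows)
    alerts = {}
    for src, count in now.items():
        expected = max(base.get(src, 0), 1)  # hosts unseen in the baseline get 1
        if count >= min_peers and count >= factor * expected:
            alerts[src] = (count, base.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, (now, before) in flag_smb_scanners(BASELINE_FLOWS, CURRENT_FLOWS).items():
        print(f"ALERT {src}: {now} distinct SMB peers (baseline {before})")
```

In practice the baseline window should cover normal production cycles (shift changes, backup runs) so that legitimate bursts of SMB traffic are part of the expected profile rather than a source of false alerts.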
To learn more about ransomware and how to defend yourself against it, take a look at our Ransomware Defense eBook.
And for guidance in assessing risk and setting a security strategy, visit our interactive security experience for manufacturing.
This was extremely informative, thanks for the write-up
Thanks for the comment Sudip and glad you found it helpful.
This was very interesting. Thank You.
Hi Patrick – you are welcome and thank you for commenting.