5 Biggest Takeaways From WannaCry Ransomware


This post was originally published here.

Global in scale, with across-the-board press coverage, the WannaCry ransomware attack has quickly gained a reputation as one of the worst cyber incidents in recent memory. Despite the scale, this attack relied on the same tried-and-true methods as other successful malware: find exposed ports on the Internet, then exploit known software vulnerabilities. Put that way, the attack loses its mystique. But there’s still a lot we can learn from this incident, and we’ve summed up the five most important takeaways to keep in mind going forward.

1) This attack only struck exposed and outdated systems.

Before we start imagining an elite team of determined hackers, consider that the only systems affected were those lacking basic security configurations to prevent such attacks. The ransomware spread using an exploit called EternalBlue, which connects to exposed Microsoft SMB ports and attacks a known vulnerability in the SMBv1 implementation. But Microsoft SMB ports should never be open to the internet. It should be security 101 for anyone running a Microsoft data center: ports 135-139 (RPC and NetBIOS) and 445 (SMB) are not safe to publicly expose and have not been for a decade or more. Furthermore, the specific vulnerability exploited was known, and Microsoft released a patch for it (MS17-010) on March 14th, two months before the outbreak. Only those without a reliable and timely update process lacked the update necessary to block the attack. Of course, no patch existed for Windows XP, but that’s because support for that OS was discontinued in April 2014. Microsoft did release a special XP update in response to WannaCry, but only after the damage was done. Running XP or any other unsupported legacy software is a major enterprise problem for precisely this reason. Two caveats a defender should keep in mind: SMBv1 itself has been superseded since Windows Vista, so disabling it outright removes the attacked code path even on hosts that cannot be patched immediately; and while internet exposure is how the worm got into networks, once inside it also scanned neighbouring hosts on internal ranges, so a single exposed or unpatched machine can seed an entire flat network.

2) Global cyber resilience sucks.

These simple, preventable misconfigurations have wreaked global havoc, with tens of thousands of systems in a hundred countries compromised by the attack. Here we begin to see how wildly out of proportion the consequences can be to the simplicity of the flaw being exploited. However, these aren’t ultimately flaws in software or code or firewalls, but flaws in processes and priorities. The two most basic axioms for a Windows sysadmin are “don’t expose SMB to the internet” and “keep your systems patched.” If these most basic of all practices are this poorly executed across the globe, imagine how vulnerable we must be to truly advanced attacks.


3) The exploited delivery mechanism was developed by the NSA.

Speaking of advanced attacks, another important takeaway from WannaCry is that the delivery mechanism that made it possible, EternalBlue, was created by America’s own National Security Agency and published by the Shadow Brokers group in April 2017, a month after Microsoft’s patch and a month before the outbreak. Whatever you might think about a publicly funded intelligence agency practicing covert cyber warfare, the fact is that technology developed by such agencies can end up in the wild, and once the genie is out of the bottle, there’s no going back. From Stuxnet, discovered in 2010, to EternalBlue today, digital weapons created by the state and the vulnerabilities they’re meant to exploit will likely be used by other parties eventually. Because the weapons and tactics developed by the NSA exploit the same software that we all use, every vulnerability the NSA keeps for its own use is left unpatched and in the open for everyone else. Whether the NSA’s tooling leaks or someone else discovers the same flaw independently, open vulnerabilities will eventually find people willing to exploit them for profit or power.

4) Don’t create ransomable assets.

When we consider what ransomware actually does, the question for the enterprise is, why can’t you just re-image the affected systems? An image is a snapshot of an entire computer system that can be deployed in minutes to restore that system to an expected state. There are only a few reasons ransomware works: either there is important data on the system that isn’t stored anywhere else, or the system performs a crucial business function and there is no adequate process in place to restore it to a working state. That’s really it: either your data is locked, or you can’t rebuild the infected system, or both. Here’s how to prevent that:

  • Don’t have a single point of failure for data corruption. Whether it’s ransomware, hardware failure, a database error, or cosmic rays, if your data is “important” then it should be backed up to at least one other secure location, and that location must be one the infected host cannot write to (offline or immutable): ransomware encrypts every mapped drive and network share it can reach, so a backup that is just another writable share goes down with the original. How valuable is the data ransomed if you can access another copy of it at will?
  • Create a system (re-)provisioning process that is as automated as possible, and exercise it regularly, so that if an asset is taken down by ransomware or anything else, it can be rebuilt in a working state as quickly as possible. A restore that has never been rehearsed is not a process, it’s a hope.

These two tactics take the teeth out of ransomware, turning it from a costly disaster into a restore-and-rebuild chore, provided the backups are tested and cannot be reached from the infected hosts. However, they require change, organization, and prioritization on behalf of the business as a whole.

5) It’s not over.

This obviously won’t be the last such ransomware attack, but it’s not even the last attack of this ransomware. A version 2 of the ransomware has been seen in the wild, with one key difference from the original: it removed the domain-checking killswitch that actually stemmed the original attack. The original code tried to resolve an unregistered domain before spreading and stopped if the lookup succeeded, so registering that domain halted propagation (at least from hosts with direct internet access; machines behind a proxy never saw the lookup succeed). With that check gone, nothing outside your own network will stop the next variant. Like a superbug, WannaCry v2 has evolved into a more dangerous version of itself and promises to make the rounds once more. The real problem is that overall, cyber resilience practices need a major overhaul. Until organizations (and to some extent individuals) account for the risks of the technology upon which they rely, those risks will constantly hamstring their efforts on a massive scale, as we have seen with WannaCry.
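A variant without a killswitch cannot be stopped from the outside, so the practical defence is to notice the worm’s own behaviour: an infected host fans out to many different peers on TCP/445 in a short time, and most of those attempts hit hosts that refuse the connection. The following Python is an added example (not UpGuard’s code and not from the original post) that runs that detection over firewall-style connection logs. The log line format, the `find_smb_scanners` function, and the sample lines that `constructed_sample_log` generates are all constructed for illustration; they are not a vendor’s real format or real traffic.

```python
"""Added example: flag hosts that sweep many peers on TCP/445 in a short
window, the propagation pattern of an SMB worm like WannaCry.  The log
format is a constructed, simplified firewall-log shape, not a vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<iso-timestamp> <ALLOW|DENY> TCP src=<ip>:<port> dst=<ip>:<port>"  (assumed format)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_smb_scanners(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Return {src: peers} for sources that touched more than `threshold`
    distinct destinations on `port` inside any `window`.  DENY lines count
    too: a blocked attempt is still evidence that the source is sweeping."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):           # sliding window from each event
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(peers))
        if best > threshold:
            hits[src] = best
    return hits


def constructed_sample_log():
    """Constructed sample lines (not real traffic): one infected workstation
    sweeping 10.0.5.0/24 on 445, plus ordinary clients using two file servers."""
    base = datetime(2017, 5, 12, 9, 30, 0)
    lines = []
    for i in range(1, 51):
        ts = (base + timedelta(seconds=i)).isoformat()
        action = "ALLOW" if i % 5 == 0 else "DENY"         # most peers have 445 closed
        lines.append(f"{ts} {action} TCP src=10.0.5.23:49{i:03d} dst=10.0.5.{i}:445")
    for i, client in enumerate(("10.0.5.40", "10.0.5.41", "10.0.5.42")):
        for j, server in enumerate(("10.0.1.5", "10.0.1.6")):
            ts = (base + timedelta(seconds=10 * i + j)).isoformat()
            lines.append(f"{ts} ALLOW TCP src={client}:51000 dst={server}:445")
    lines.append(f"{base.isoformat()} ALLOW TCP src=10.0.5.23:52000 dst=203.0.113.10:443")
    return lines


if __name__ == "__main__":
    for src, peers in find_smb_scanners(constructed_sample_log()).items():
        print(f"{src}: {peers} distinct peers on 445 within 60s -> isolate and check MS17-010")
```

The threshold is deliberately a count of distinct destinations rather than of connections: a workstation legitimately opens many SMB connections to the same two or three file servers, but almost nothing legitimate talks to fifty different hosts on 445 in a minute. Feed real logs through `parse_line` after adjusting `LOG_RE` to your firewall’s format, and treat a hit as a reason to isolate the source and check its patch level before it reaches anything that still speaks SMBv1.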

What most enabled this outbreak to happen is unnecessary port exposure to the public internet. Exploits will always be found in software, but exposing access points to the public unnecessarily is completely preventable. No other single factor plays a larger, more easily preventable role in enabling events like this to occur.

This is exactly why we built UpGuard in the first place, to give the enterprise a way to assess, measure, and mitigate cyber risk. Consider this: among the many things UpGuard can do are validating open ports and verifying Windows patches. If a server gets deployed anywhere with port 445 open and missing two months of Windows updates, UpGuard tells you about it, before ransomware or some other attack takes advantage.

Monitoring port 445 with UpGuard

The crucial shift from the failures of traditional cybersecurity to cyber resilience depends on modifying your perspective from “protecting against attacks” to “building resilient assets and processes.” It’s the day to day operations, the practices, procedures, and processes used to build and maintain computer systems, that determine whether the next big attack will succeed or fail.