Lessons learned from the latest ransomware attacks - there's more to come
FYI, this story is more than a year old
An assessment by Dominik Lehr, founder and CEO of communication solutions provider Befine Solutions AG
According to Europol, Europe needs to prepare itself for a large increase in the number of cyber-attacks.
As it said in its annual report, the threat of Internet-based organised crime has reached an “unprecedented scale” and ransomware has put all the other threat types in the shade. The “peak” up to now has been the WannaCry attack in May, in which over 300,000 computers in about 150 countries were infected.
Victims included companies in the logistics, telecommunications and healthcare sectors. For example, there were significant disruptions to medical care in Britain, while in Germany display panels and ticket machines in stations stopped working.
The vulnerability of our digital infrastructure could hardly be more obvious. It is striking that systems in critical infrastructure are often those that become infected. But here, more than anywhere, it is difficult for the affected companies to respond to the constant demands to update their software. What we need instead is a change of perspective - focusing less on IT and more on the communication processes that dominate in so many companies and public authorities.
Soon after WannaCry, Petya was the next attack that paralysed companies and public authorities around the world. The victims included banks, utility firms, airports, rail companies, shipping firms, food manufacturers, media organisations and even the Chernobyl nuclear power station.
It was caused by a ransomware version that had already been discovered last year and apparently used the same security flaw in older versions of Windows as WannaCry did. At the end of August, the parliament in the German state of Saxony-Anhalt was the victim of a ransomware attack too. Its IT and communication systems had to be shut down and all necessary documents had to be handed out to the members of parliament in paper form.
In these cases, people are all too quick to draw conclusions and make demands. This includes calls to update software and programs immediately. It is true that patching security flaws is generally seen as the first and most effective protection mechanism. The use of security solutions and regular backups should be self-evident anyway even to the most hard pressed IT team. The EU General Data Protection Regulation, which becomes enforceable in May 2018, refers to “appropriate protection” - but what is appropriate?
Taking warnings seriously
Many companies and public authorities are still using operating systems and software programs that have not been supported by the manufacturer for a long time and therefore no longer receive any updates. The patch to plug the WannaCry hole had actually been available for just under two months, but in practice many companies take over 100 days to apply these updates. Although this may seem negligent at first sight, there are often good reasons to delay. Things are not always as easy as they seem on face value.
There are many industries and segments whose computers cannot just be “quickly shut down” and restarted - just like those affected by the attacks mentioned above. Users, whether they are at work or on their home computer, are familiar with the problem too. Updates take time and can be annoying, especially if there are problems once the patches have been installed. It is good practice for IT managers in companies to place a lot of importance on testing patches before installing them.
This is why it is necessary to take a different perspective with less of a focus on IT and more focus on the types of communication processes and practices that dominate in so many companies and public authorities. They are part of the problem and make certain areas more vulnerable to attack.
In the Saxony-Anhalt case, for example, a parliament worker activated the malware when he opened an email attachment. He thought he had previously forwarded the mail to himself because his own name was shown as being the sender. The healthcare sector, which has also hit the headlines several times due to ransomware attacks, has its own set of idiosyncrasies such as macros in Office programs that are widely used in hospitals.
But there is some good news. There is just one small area where companies and public authorities need to handle processes differently, enabling them to close loopholes and increase their level of protection ensuring that incoming emails cannot unleash a vicious circle of threats.
All it needs is one simple measure that is fast to implement: changing internal workflows and using the appropriate solutions that ensure that predefined file types cannot come in via email in the first place. Instead, companies can receive their emails via their own web application. That way, bots have no chance of spreading malicious code due to the existing authentication measures. With several security levels, the solution makes life more difficult for the attackers, who want to infect as many computers as possible as anonymously as possible.
One last thing, like others, we also recommend not paying ransoms. Firstly, it is questionable whether the victims will be able to access all their data again once they have paid the ransom. And secondly, it just confirms to cyber-criminals that their business model works well and they will receive additional financial support. Instead, anyone affected should involve the police immediately.