It didn’t have to happen.
That’s the simple yet profound lesson from WannaCry’s ransomware rampage that has infected 300,000-plus systems in more than 150 countries, disrupting critical operations across industries, including healthcare, government, transportation and finance.
If vulnerable systems had been patched and maintained as part of a proactive and comprehensive system configuration and vulnerability management program, the attack would have been a dud, barely registering on anyone’s InfoSec radar.
“WannaCry was totally preventable with the proper patching and the proper build configurations,” Mark Butler, Qualys’ Chief Information Security Officer (CISO), said during a webcast this week. “That’s a reminder to all of us that you didn’t have to be a victim.”
There are various workarounds for mitigating the underlying WannaCry vulnerability, but those are stopgap measures. “The primary way to remediate this vulnerability is through disciplined and timely patching,” Qualys Product Management Director Jimmy Graham said during the webcast, titled “How to Rapidly Identify Assets at Risk to WannaCry Ransomware.”
How WannaCry Created a River of Tears
The WannaCry ransomware — formal name WanaCrypt0r 2.0 — spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March.
The vulnerability, in Windows’ SMB (Server Message Block) protocol and described in security bulletin MS17-010, was rated “Critical” at the time by Microsoft due to the potential for attackers to execute remote code in affected systems.
The EternalBlue exploit was developed by the U.S. government’s NSA (National Security Agency) and stolen by the Shadow Brokers hacker group, which released it along with many other NSA exploits in April.
By combining the instant disruption of ransomware — encrypting files on affected systems — with a worm’s agility to spread quickly and laterally, WannaCry unleashed the mayhem that began on Friday.
“This was a very widely deployed campaign and it happened relatively quickly,” Butler said. “We’ll see more of this type of attack pattern.”
Already, a new version of WannaCry has been released that, unlike the first one, isn’t susceptible to a “kill switch” domain, and other ransomware, such as Uiwix, has started using the exploit.
Best practices against WannaCry-type threats
During the webcast, Butler and Graham outlined several takeaways for InfoSec teams from WannaCry, including:
- Use integrated security solutions that give organizations complete visibility across all their IT assets, wherever they reside: on premises, in cloud instances or mobile endpoints.
“Visibility is an absolutely fundamental requirement,” Butler said.
Key to compiling a complete IT asset inventory is using both network-based scanners and system agents.
Scanning is great for giving organizations total coverage of their internal environment, but agents provide additional helpful data and are important for systems like workstations, especially if they’re laptops that are intermittently connected to the network, Graham said.
- Have a continuous, comprehensive vulnerability management program that allows organizations to promptly detect configurations susceptible to attack, as well as software bugs, and that then lets them prioritize remediation, so the most critical issues get patched or mitigated immediately.
At this point, Qualys’ internal data shows that 47.3% of Windows hosts are still unpatched and almost 6% of detected Windows installations are unsupported – or “end of life” – versions. “That’s positive progress, but there is still work to do,” Butler said.
- Become more agile and faster, to match the speed of hackers, because organizations’ traditional 30-day vulnerability scan cycles no longer cut it.
“We’ll need to move to a faster response capability,” Butler said.
- Proactively review legacy systems and embedded OSes that can’t be automatically scanned and where an agent can’t be installed, and patch or mitigate them manually.
- Use a solid, tested process, have data backed up and stored in different locations, as well as a detailed disaster recovery plan, in case your systems get infected with ransomware.
“If, for whatever reason, there is an exploit that gets in and you have systems that are taken advantage of and compromised, what’s your recovery plan?” Butler said.
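The first three takeaways above (combine scanner and agent data into one inventory, detect what is unpatched or end-of-life, and prioritize remediation) can be illustrated with a small script. The following is an added example written for this post, not Qualys code or output from any Qualys product: the host names, operating systems, dates and the `EOL_VERSIONS` set are all constructed, and the field names (`smb_open`, `ms17_010_patched`, `last_seen`) are assumed names for what a scanner or agent would report. It merges the two sources, flags hosts that only one source knows about or that have not reported recently, computes unpatched and unsupported percentages of the kind quoted in the webcast, and orders the unpatched hosts so that exposed, unsupported systems are patched first.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample observations (hypothetical hosts, not real data).
# A network scanner only sees what is on the wire when it runs; agents
# report from the host itself, so laptops show up even when off-network.
SCANNER_RESULTS = [
    {"host": "fs01", "os": "Windows Server 2012 R2", "smb_open": True,
     "ms17_010_patched": False, "last_seen": "2017-05-15"},
    {"host": "dc01", "os": "Windows Server 2016", "smb_open": True,
     "ms17_010_patched": True, "last_seen": "2017-05-15"},
    {"host": "kiosk03", "os": "Windows XP", "smb_open": True,
     "ms17_010_patched": False, "last_seen": "2017-05-15"},
]
AGENT_RESULTS = [
    {"host": "dc01", "os": "Windows Server 2016", "smb_open": True,
     "ms17_010_patched": True, "last_seen": "2017-05-16"},
    {"host": "lt-sales-07", "os": "Windows 7", "smb_open": True,
     "ms17_010_patched": False, "last_seen": "2017-05-10"},
    {"host": "lt-eng-02", "os": "Windows 10", "smb_open": False,
     "ms17_010_patched": True, "last_seen": "2017-05-16"},
]

# Assumption for this illustration: OS versions treated as unsupported.
EOL_VERSIONS = {"Windows XP", "Windows Server 2003"}


@dataclass
class Asset:
    host: str
    os: str
    smb_open: bool
    ms17_010_patched: bool
    last_seen: date
    sources: set = field(default_factory=set)


def merge_inventories(scanner_rows, agent_rows):
    """Union scanner and agent observations keyed by host name.

    When both sources saw a host, the fresher observation wins for the
    state fields, but every source that reported the host is recorded so
    coverage gaps (hosts known to only one source) can be listed later.
    """
    merged = {}
    for source, rows in (("scanner", scanner_rows), ("agent", agent_rows)):
        for row in rows:
            seen = date.fromisoformat(row["last_seen"])
            current = merged.get(row["host"])
            if current is None:
                merged[row["host"]] = Asset(
                    row["host"], row["os"], row["smb_open"],
                    row["ms17_010_patched"], seen, {source})
                continue
            current.sources.add(source)
            if seen > current.last_seen:
                current.os = row["os"]
                current.smb_open = row["smb_open"]
                current.ms17_010_patched = row["ms17_010_patched"]
                current.last_seen = seen
    return merged


def risk_score(asset):
    """Simple additive score: a missing patch dominates; reachable SMB and an
    unsupported OS (which needs the emergency or a manual patch) add to it."""
    score = 0
    if not asset.ms17_010_patched:
        score += 4
    if asset.smb_open:
        score += 2
    if asset.os in EOL_VERSIONS:
        score += 1
    return score


def remediation_queue(assets):
    """Unpatched hosts, highest risk first; ties broken by host name."""
    unpatched = [a for a in assets.values() if not a.ms17_010_patched]
    return [a.host for a in sorted(unpatched, key=lambda a: (-risk_score(a), a.host))]


def summarize(assets, as_of, stale_after_days=3):
    """Coverage figures of the kind the webcast quoted, plus data-quality flags."""
    total = len(assets)
    unpatched = sum(1 for a in assets.values() if not a.ms17_010_patched)
    eol = sum(1 for a in assets.values() if a.os in EOL_VERSIONS)
    return {
        "total": total,
        "unpatched_pct": round(100 * unpatched / total, 1),
        "eol_pct": round(100 * eol / total, 1),
        # Hosts only one source knows about: likely blind spots in coverage.
        "single_source": sorted(a.host for a in assets.values() if len(a.sources) == 1),
        # Hosts whose last report is old: patch state is unverified, not "fine".
        "stale": sorted(a.host for a in assets.values()
                        if (as_of - a.last_seen).days > stale_after_days),
    }


if __name__ == "__main__":
    inventory = merge_inventories(SCANNER_RESULTS, AGENT_RESULTS)
    print(summarize(inventory, as_of=date(2017, 5, 16)))
    print("patch first:", remediation_queue(inventory))
```

On the constructed data the laptop `lt-sales-07` is known only to its agent and has not reported for six days, so its unpatched state is a gap to chase rather than a number to trust, and the unsupported kiosk with SMB reachable lands at the top of the patch queue ahead of the supported file server. The scoring weights are deliberately simple; a real program would fold in asset criticality and whether the host is reachable from untrusted networks.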
How Qualys Can Help
Qualys has added a full set of QIDs and capabilities for dealing with this situation, dating back to March when Microsoft issued its first patch for the Windows SMB vulnerability (QID 91345), as well as for the EternalBlue exploit and for the emergency Microsoft patch for unsupported Windows versions. More detailed information can be found here:
With Qualys’ AssetView, Vulnerability Management and ThreatPROTECT, organizations can generate a complete IT asset inventory — all hardware and software on premises, in the cloud and mobile endpoints — continuously detect their vulnerabilities using scanners and agents, and help continually prioritize remediation.
All IT and security data is stored and analyzed in the highly-scalable, centrally-managed Qualys Cloud Platform, and is accessible via a robust search engine, can be visualized via customizable dashboards and widgets, and shared through reports tailored for different stakeholders.
Listen to the webcast to get in-depth explanations about the WannaCry attacks, learn best practices for prevention and response, and find out how AssetView, VM and ThreatPROTECT keep your organization safe from this and other cyber threats.