How to Prepare for 'WannaCry 2.0'

It seems inevitable that a more-powerful follow-up to last year's malware attack will hit sooner or later. You'd better get prepared.

Shimon Oren, Head of Cyber Intelligence at Deep Instinct

June 19, 2018

5 Min Read

More than a year after it first struck, WannaCry is still one of the most damaging cyberattacks to date. It cost the global economy billions of dollars, although the impact goes far beyond the money.

Although companies incurred substantial monetary damages, WannaCry is the clearest example of the physical impact a malware attack can have on critical infrastructure, such as rail systems and hospitals. This can be the case even when the attack does not target or operate on industrial control systems, medical, or Internet of Things devices. WannaCry was "standard" malware aimed at Windows machines. And yet, it affected day-to-day life by preventing employees from getting to work and patients from receiving uninterrupted medical care.

It's important to understand the longer-term effects of WannaCry on the cyber ecosystem, and what security professionals should be aware of, because we'll likely see "WannaCry 2.0" at some point.

As things stand now, we're currently in the phase of "WannaCry 1.5," which is not causing the same level of damage but is still cause for concern. Every day, mutations (some minimal, others significant) of WannaCry appear and are used by ransom-hungry hacking groups. However, as malware becomes more sophisticated, there is an increased chance that a WannaCry 2.0 will become real. The underlying factors that enabled WannaCry to become so successful to its creators are still relevant:

  • Patching: Organizations are not implementing patching cycles in a timely manner. For example, a patch for EternalBlue was available in March 2017, but WannaCry was still able to infiltrate systems two months later, in May 2017, because of the delayed patching by organizations.

  • Hacker persistence: Zero-day and one-day vulnerabilities are still appearing and being used in the wild. Hackers, including independent and nation-state groups, are looking for the right opportunity to spread a ransomware strain that could have the same (or better) lateral movement capabilities as WannaCry.

This type of looming cyber threat is the "new normal" in today's world, but it's important to understand how we got here, where we are now, and what we can do to better protect against such threats in the future.

Industry and Public Pressure on Government Agencies
The long-term effects of WannaCry are still being felt by many organizations, and it has been a cause for debate both at the enterprise and government level. Industry and public pressure is being put on government agencies, and for good reason. Government agencies have been, for several years now, part of the cyber ecosystem. They no longer enjoy the luxury of public and economic indifference to their cyber-related research and operations, as was the case in the late 1990s and early 2000s. They need to opt for responsible disclosures of vulnerabilities in a way that balances national security interests on the one hand and keeping cyberspace as safe as possible for individuals and corporations on the other. If exploits and vulnerabilities are not in use, or are not needed, they should be disclosed before being discovered or leaked.

Government agencies that discover vulnerabilities must prevent them from leaking and keep them in the hands of the good guys. Secondly, agencies must be timelier in their disclosures. If a vulnerability or an exploit cannot (or can no longer) be leveraged to provide a tangible contribution to national security interests, it should be disclosed. The case should be the same with vulnerabilities that are extremely severe and easily exploitable. If those are leaked or discovered by hackers, the effect could be catastrophic. When surveying the NSA/CIA leaks in the past year or so, it is obvious that some vulnerabilities discovered were held for a long time, and were most likely not used. 

To change this current culture, government agencies must adopt clear policies. Of course, they do not have to disclose everything for the sake of national security, but they must own their faults in order to fix the problem.

Unfortunately, code and capabilities leaked from government agencies are continuously trickling down to everyday malware attacks — WannaCry and EternalBlue, for example. We are seeing malware strains from leaked code happening more frequently and at an expedited pace. Leaked exploits are always a hit in Dark Web hacking forums and find their way even to crypto-miners such as Monero. Attacks will become more sophisticated over time, which puts added pressure on enterprises to implement a strong cyber defense plan.

Implications for the Enterprise
Vulnerabilities are being disclosed on a daily basis, and many enterprises are overwhelmed and cannot patch at the fast pace that's required. This issue keeps many IT professionals and C-level executives up at night as hacker groups look to execute exploits at a mass scale to target employees, customers, and stakeholders.

To help mitigate some of this risk, security professionals within the enterprise must keep the following in mind:

  • Understand vulnerability databases: IT and security professionals need to take the time to understand vulnerabilities and assess how they will affect the company. Conducting a thorough risk factor assessment to verify how fast and serious the threat is will help inform and decide what the next action should be and the appropriate timeline for execution.

  • Out-of-the-ordinary workflow: Timely patching can be a huge burden on an organization, so think of new ways to streamline patching and update systems accordingly. Whether that means dedicating a small team to solely focus on patching or using solutions powered by artificial intelligence to help detect the vulnerabilities. This will leave executives more time to dissect, patch, and properly respond to the threat.

It's just a matter of time until WannaCry 2.0 is here, so understanding the cause of such an attack and having the right processes in place will be crucial for businesses to protect their assets.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

About the Author(s)

Shimon Oren

Head of Cyber Intelligence at Deep Instinct

Shimon Oren is an experienced cybersecurity professional focused on threat intelligence and process management, and is responsible for leading change processes and organizational transformations. Prior to this role, Shimon worked for the Israel Defense Forces as head of their cyber research branch.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights