Financial Services Ireland

Article

WannaCry: The latest evolution of Ransomware

What it is and how you can combat it.

Read more


While the reporting of cyber crime events in the media has seen a marked increase in the last 5 years, the latest Ransomware incident titled WannaCry, has generated unprecedented levels of coverage. This I imagine, is not out of the ordinary when you consider the impact it has had on 200,000 victims worldwide from it’s first detection on Friday afternoon just gone (12 May 2017) .  In this time it has virtually spread from nothing in a matter of hours to disrupt significant operations like: the NHS in the UK Spain’s Telefonica, Fedex as well as many other governmental agencies and businesses across over a hundred countries.

Ransomware isn’t new  – as lots of financially motivated cyber criminals have been using it to extort relatively small amounts of money from victims over the last 5 years – however, WannaCry does herald the next significant phase in this form of attack. And as technology evolves, Cyber criminals are constantly refining their methods so as to create ever-more effective ways of monetising the flaws in computers’ software, and more often this is interfering with data integrity rather than compromising its confidentiality.

So why such a stir over WannaCry?

  1. Humble beginnings. Initial WannaCry infections seem to happen in a similar way as typical ransomware, where a victim clicks on a malicious link or executable in a phishing-style email that compromises their own computer. From here the ransomware encrypts documents on that specific computer and ones that user can access over a Windows network.
  2. Spreads like wildfire. However, WannaCry then spreads much more aggressively to other computers over the network without requiring further interaction from users. In this way it is more like self-propagating malware (commonly known as ‘worms’), which makes it a far bigger issue for companies and other organisations who rely on large networks of interconnected systems (as opposed to personal/home users whose networks are smaller and who can patch more easily).
  3. Secret weapon. Software flaws are nothing new either, but the one that WannaCry exploits to spread itself is inherently fascinating in that it is reported as being part of a nation state security service’s arsenal of cyber-weapons, which was not publicly known until it was apparently captured and disclosed by a different nation state. Prior to this, the suggestion is that the flaw had been covertly used to compromise computers and carry out surveillance on high value targets for national security purposes.
  4. A patch in time. Microsoft had already released a patch for the vulnerability back in March so in theory, if everyone was able to apply patches to their Windows computers in a reasonable timeframe (4-6 weeks), WannaCry would have been a damp squib. However, the reality is that many people and organisations either don’t or can’t – the reasons vary from operational constraints, lack of budget, lack of asset tracking, or just lack of awareness.
  5. Self-destruct button. This version of WannaCry had a built-in ‘kill switch’ in the form of a check at initial infection time for an odd-looking Internet domain name – if this was detected, the malware went dormant and didn’t spread itself further.
  6. Recovery steps. Like all ransomware, WannaCry tells you your files are encrypted and demands a ransom payment for the key to unlock them again. It’s not clear yet whether there is a way to get your files back without paying, but it seems unlikely given recent trends. So reinstalling the computer operating system and restoring your data from backups is the main recovery measure for now.
  7. Aftermath. Despite the widespread disruption caused, WannaCry’s creators appear to have only gathered around $30,000 in Bitcoin (anonymous cryptocurrency) payments since Friday … however costs from the damage caused will run to orders of magnitude more. It remains to be seen that having attracted such attention, whether the authors can remain anonymous and beyond the reach of international legal authorities.
  8. So what now? It’s highly likely that WannaCry will be modified either by its authors or other cybercriminals and it will be unleashed again. The world will never be the same again in that we can now expect other ransomware to be able to spread without user interaction from one initially infected computer to others.

The advice on how to protect yourself remains the same as ever:

  • Stay up-to-date with vendor fixes for whatever software you are using by applying patches regularly
  • Make regular backups of your important data, store them safely and test that they work
  • Learn to recognise phishing emails: don’t click on web links or open attachments contained in them
  • Use a firewall to keep your computer protected from the Internet
  • Ensure your Microsoft Windows account is a user-level account, not a privileged administrator one
  • Disable any features or network services you don’t need on your computer

For more content from the EY Ireland team, visit our YouTube channel.

Hugh Callaghan

Associate Partner, Cyber
Hugh's Full Profile