The WannaCry ransomware that infected devices worldwide should lead to changes in how organisations protect themselves from future infections.
Ransomware is the name given to software used to encrypt or ‘lock’ data files in the possession of another person for the purpose of holding that data to ransom. Essentially, it’s a form of extortion and a criminal act.
Ransomware is agnostic of the victim’s identity, location or business, making it as much of a threat to an individual using a personal computer at home as to a company holding business records on a corporate network. It works by exploiting flaws in computer programs and lapses in security on the part of the victim.
The particular strain of ransomware used to infect NHS bodies in the UK, and a reported 200,000 computers in 150 countries worldwide, appears to have targeted computers using an older and unsupported version of the Microsoft operating system; software for which the supplier is no longer producing fixes for security vulnerabilities identified subsequently.
An attack is typically delivered through social engineering that tricks the victim into running the malicious software on their computer, often described as a virus. Once the software is executed it either replicates to infect other computers on the same network or encrypts the central business data store.
Strong encryption effectively prevents any use of that data unless the ransom is paid or the data is restored from an uninfected source. Note that the unauthorised encryption of personal data may amount to a breach of data protection legislation.
Businesses at particular risk of a ransomware attack are those where operational access to data is critical, which is why the impact on the NHS has been disproportionately serious. However, ransomware attacks could equally target control systems or other critical process activities.
Software vendors will be quick to market solutions, but there are practical, low-cost steps that businesses or individuals can take to prevent or at least mitigate the threat. The Australian Signals Directorate identified in 2010 that 85% of attacks involve unsophisticated techniques that could have been avoided by implementing four simple strategies: application whitelisting; general application patching; patching operating system vulnerabilities; and restricting administrative privileges to operating systems.
The use of social engineering means there is a need to change our cultural approach to privacy and confidentiality. Awareness training and testing are critical and should play a dynamic part in building business resilience.
Business resilience planning should include retaining secondary data backups so that data can be restored safely without risk of reinfection. It also plays an important part in obtaining the right insurance and enables businesses to meet their information obligations under the Insurance Act 2015.
Good IT hygiene is therefore the key to cyber resilience: using supported software, applying security patches promptly, training staff in security awareness, maintaining a business resilience plan and remaining diligent.
The “WannaCry” ransomware attack does not seem to have been motivated by financial gain or to have been disseminated by social engineering. Its motive is yet to be determined, but the answer will affect how businesses should protect against future infections.