
New-Age Ransomware: Where does WannaCry 2.0 lead to and which 3 IT security strategies can help effectively?

Various types of malware that restrict access to user data or entire systems have been known since the late 1990s. Only through a series of improvements and combinations, however, did this malware develop into today's dreaded ransomware. On the one hand, the high CPU performance of current systems makes running encryption algorithms cheap; on the other hand, the almost anonymous payment option offered by the blockchain has turned what was previously mostly sporadic malware into a real booming business. The first massive increase in this development took place at the end of 2014. Today, all of these variants follow the "Cryptolocker" malware model. While they were developed in small but continuous steps until 2017, the basic pattern of distribution and infection was always very similar: what was required was the "support" of a person who had to be convinced to click on a link or execute an attachment.

The next evolutionary step was taken in May 2017: a piece of ransomware that, combined with a self-propagating mechanism, spread completely independently from one computer to the next. WannaCry exploited recently disclosed security holes in Windows systems to spread across entire networks on its own, without any user interaction. Suddenly, many previously isolated systems were also seriously threatened and affected by this malware, among them various control systems of railway operators, shipping companies and hospitals. The new-age ransomware, combining cryptolocker and worm characteristics, was born.

While the next massive wave of this new development took place in June in the form of "NotPetya", the information society has been spared further major outbreaks since then. It might be a little daring to speak of the calm before the storm, but the damage potential imaginable in such scenarios is immense. What changes and adjustments can be applied to prepare for possible further developments? Once an incident has begun, it is usually too late.

The following three strategies provide a fundamental preparation against further evolutionary steps of this malware and minimise their negative effects:

  • Software updates and Patching

WannaCry made this clear: although patches for the exploited vulnerabilities had been available since March, many companies had not managed to roll them out to their production systems in time, so in May 2017 WannaCry was still able to spread between many systems. Secure operation of a live system therefore requires fast patch management that enables an organisation to react efficiently and promptly to incidents. The risk posed by old systems that have not been updated for a long time should also be made visible: such systems are just as likely to contain software vulnerabilities, but those can no longer be repaired.
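The "make the risk visible" step above can be turned into a simple, repeatable check over a patch inventory: hosts whose last successful patch run is older than a policy threshold are flagged as overdue, and hosts on an operating system the vendor no longer supports are flagged separately, because a patch window does not help them. The script below is an added example, not code from the original post or from IKARUS; the inventory rows, the 30-day threshold and the reference date (the week WannaCry appeared) are constructed sample values.

```python
"""Flag hosts that are overdue for patching or that can no longer be patched.

Added example, not part of the original post. The inventory, the 30-day
policy threshold and the reference date are constructed sample values.
"""
from datetime import date


# Constructed sample inventory: host name, OS, date of the last successful
# patch run, and whether the vendor still ships security fixes for that OS.
INVENTORY = [
    {"host": "fileserver-01", "os": "Windows Server 2016",
     "last_patch": date(2017, 5, 2), "supported": True},
    {"host": "hmi-plant-3", "os": "Windows XP",
     "last_patch": date(2013, 11, 12), "supported": False},
    {"host": "ws-accounting-7", "os": "Windows 10",
     "last_patch": date(2017, 3, 20), "supported": True},
    {"host": "web-01", "os": "Ubuntu 16.04",
     "last_patch": date(2017, 5, 10), "supported": True},
]


def patch_age_days(entry, today):
    """Days since the host's last successful patch run."""
    return (today - entry["last_patch"]).days


def classify_hosts(inventory, today, max_patch_age_days=30):
    """Sort hosts into three buckets.

    'ok'          - supported OS, patched within the policy window
    'overdue'     - supported OS, but the last patch run is older than the window
    'unpatchable' - OS no longer receives vendor fixes; a patch window cannot
                    reduce this risk, so the host needs a different mitigation
    """
    result = {"ok": [], "overdue": [], "unpatchable": []}
    for entry in inventory:
        age = patch_age_days(entry, today)
        record = {"host": entry["host"], "os": entry["os"], "age_days": age}
        if not entry["supported"]:
            result["unpatchable"].append(record)
        elif age > max_patch_age_days:
            result["overdue"].append(record)
        else:
            result["ok"].append(record)
    return result


def report_lines(classified):
    """Human-readable summary, one line per host, worst findings first."""
    lines = []
    for bucket in ("unpatchable", "overdue", "ok"):
        for rec in classified[bucket]:
            lines.append(f"{bucket.upper():12} {rec['host']:16} {rec['os']:20} "
                         f"last patched {rec['age_days']} days ago")
    return lines


if __name__ == "__main__":
    # Constructed reference date: the week WannaCry began spreading.
    for line in report_lines(classify_hosts(INVENTORY, date(2017, 5, 12))):
        print(line)
```

In practice the inventory would be fed from the patch-management system or the systems' own update logs rather than hard-coded, but the three buckets are the point: an overdue host is a scheduling problem, while an unpatchable host is an architecture problem that has to be addressed by isolation or replacement.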

  • Responsible dealing with zero-day threats

Discovered vulnerabilities should not be withheld from the public. An undisclosed vulnerability carries the risk of being found by another party and exploited to the detriment of many. Whether governments or companies: any security gaps that are found must be communicated transparently. Organisations that develop software should handle possible errors and their elimination responsibly and create the necessary preparations and processes for this.

  • Comprehensive preparations for IT security emergencies

Based on current developments, it is no longer a question of whether something will happen, but only when. Companies need to rethink their IT security culture so that it deals realistically with possible incidents. Security gaps and updates now appear almost daily and are nearly impossible to track manually. Coordinated IT risk management and appropriate measures are now indispensable. This includes essential basics such as the 20 CIS Controls, but also individual efforts and a comprehensive daily security operation. It is about understanding precisely how different developments can affect your company. Maintaining IT security also requires fundamental optimisation of how systems and processes are operated, for example so that software updates can be rolled out faster. Furthermore, damage limitation deserves consideration: every larger building must have separate fire compartments. How are your network and the entire server and application landscape structured? Different zones and segments should be implemented so that at least the coarse lateral effects of an infection are kept under control.
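The fire-compartment analogy can be checked rather than just argued: given the zone each host sits in and the zone-to-zone flows a firewall permits for the service a worm spreads over, a breadth-first walk from one infected host yields the set of hosts it could reach, i.e. the blast radius. The script below is an added example, not code from the original post or from IKARUS; the hosts, zones and the two policies (a flat network versus a segmented one) are constructed, and the policy format is a deliberate simplification of real firewall rules.

```python
"""Estimate the lateral blast radius of a self-propagating infection under a
zone policy.

Added example, not part of the original post. Hosts, zones and policies are
constructed sample data; the policy model (allowed zone pairs for the one
service the worm spreads over) is a simplification of real firewall rules.
"""
from collections import deque

# Constructed landscape: which network zone each host belongs to.
HOSTS = {
    "ws-01": "office",
    "ws-02": "office",
    "fileserver-01": "servers",
    "db-01": "servers",
    "hmi-plant-3": "ot",
}


def flat_policy(hosts):
    """A flat network: every zone may reach every other zone."""
    zones = set(hosts.values())
    return {(src, dst) for src in zones for dst in zones}


# Segmented network for the worm's service: office clients may reach the
# server zone, nothing may reach the OT zone, servers may not reach clients.
SEGMENTED_POLICY = {("office", "servers")}


def blast_radius(start, hosts, allowed):
    """Hosts a worm starting on `start` could reach.

    Traffic inside one zone is assumed to be unfiltered; traffic between
    zones is allowed only for (src_zone, dst_zone) pairs in `allowed`.
    """
    infected = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        src_zone = hosts[src]
        for dst, dst_zone in hosts.items():
            if dst in infected:
                continue
            if src_zone == dst_zone or (src_zone, dst_zone) in allowed:
                infected.add(dst)
                queue.append(dst)
    return infected


def compare_policies(start, hosts, segmented):
    """(hosts reachable on a flat network, hosts reachable when segmented)."""
    flat = blast_radius(start, hosts, flat_policy(hosts))
    seg = blast_radius(start, hosts, segmented)
    return len(flat), len(seg)


if __name__ == "__main__":
    for host in HOSTS:
        flat_n, seg_n = compare_policies(host, HOSTS, SEGMENTED_POLICY)
        print(f"infection on {host:14}: flat={flat_n} hosts, segmented={seg_n} hosts")
```

The same walk run over the organisation's real zone matrix shows which single compromised host would reach the most systems, which is where an additional segment or a tighter rule pays off most.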

Developments in various IT technologies are continually progressing. WannaCry has shown that ransomware does not stand still either, and that new, perhaps unexpected stages of evolution can appear. Suitable preparation, with the necessary predictable procedures and optimisations, will be decisive in determining how big the impact of the next waves can be.

© 2019 IKARUS Security Software GmbH