Patching and Vulnerability Management May Save You Millions
by Robert Bond
Experts Say Ransomware Will Get Worse This Year
Ponemon Institute estimates that 38% of public-sector organizations will suffer a ransomware attack this year
Over the past year there have been dozens of high-profile cyber-attacks that rapidly spread across the globe and cost organizations hundreds of millions of dollars in damages. These ransomware attacks infected private networks and encrypted both systems and files and demanded a ransom payment to decrypt the victim’s data. Major attacks included the WannaCry attack in May 2017 and the NotPetya attack a month later. Experts think this trend is likely to continue, as criminals develop ransomware-as-a-service offerings that outsource development and payment management and make it easier than ever to launch a malicious attack. Attacks are even becoming more dangerous; unlike the spray-and-pray tactic used in the past, attackers are now assessing vulnerable networks to maximize infections to ensure that the ransomware can be set to spread across the network once the hackers activate the attack.
WannaCry Attack Caused Global Devastation and $53 Billion in Damages
The WannaCry attack devastated organizations around the globe in May 2017, combining a government-level hacking tool with criminal ransomware in the perfect storm of criminal malware. By exploiting the Microsoft Windows Server Message Block (SMB) protocol into executing arbitrary code (an exploit developed by the U.S. National Security Agency, known as EternalBlue) – WannaCry easily infected organizations that had not implemented the patch released by Microsoft two months earlier. The malware then encrypted files on the system’s hard drive, making them impossible for users to access. Ultimately, the criminals demanded a ransom payment in bitcoin in order to decrypt the files. The attack caused system outages across the globe and business costs exceeded $53 billion in one recent estimate by Lloyd’s of London.
NotPetya Cyberattack Hits FedEx, Merck, and Others for $100s of Millions
The NotPetya cyberattack hit in June of 2017, containing a combined ransomware and wiper software that destroyed data and invaded corporate networks. The wiper element of the attack made recovery especially difficult. Attributed by U.S. and U.K. officials to actors sponsored by the Russian government, NotPetya illustrates how cyber warfare between nations can spillover and impact businesses around the globe. Both FedEx and Merck reported being especially hard hit; technology cleanup, disrupted business, and lost sales cost the company’s $400 million and $670 million respectively.
NotPetya used the EternalBlue exploit in the SMB service earlier used by WannaCry to penetrate corporate networks. After the initial infection, the malware is capable of a wide variety of malicious activities, including credential theft, token impersonation, propagation through SMB copy and remote execution, MFT encryption, and file encryption. The initial outbreak has been attributed to a hacked version of an accounting program widely used in Ukraine, the target of the Russian attack. While EternalBlue was patched by Microsoft on March 14 – three months before the first NotPetya outbreak. Effective vulnerability management and patching could have saved companies like FedEx and Merck hundreds of millions of dollars.
Public Entities Not Immune to Ransomware Attackers
The Ponemon Institute estimates that 38% of public-sector entities will suffer a ransomware attack this year, up from 31% last year and 13% in 2016. Attackers have hit government organizations large and small. Rockport, Maine suffered an attack in April 2018, with the attacker demanding $1,200 in payment to unlock the encrypted files. Leeds, Alabama – a suburb of Birmingham – recently paid hackers who encrypted email and personnel records, while Montgomery County, Alabama paid a ransom of $47,000 to decrypt files. The St. Louis Public Library declined to pay a ransomware demand of $25,000, instead spending almost $200,000 on cybersecurity upgrades.
One of the largest public-sector hacks targeted the City of Atlanta. More than a third of Atlanta’s 424 necessary programs were knocked offline or partially disabled. The City Attorney’s office lost 71 of 76 computers and 10 years’ worth of data including police dash cam recordings.
Attackers demanded $51,000 in ransom, but Atlanta declined – the city has spent over $10 million in remediation as a result. The attack was the result of a SamSam ransomware outbreak, which Secureworks reports is usually the result of large-scale phishing or web exploit attacks.
Next Generation of Ransomware – The Future of Cybercrime
WannaCry and NotPetya made front page news in 2017, and the trend is likely to continue as cyber criminals look for the next big payday. Attackers are now tailoring their attacks for maximum damage, performing reconnaissance to identify vulnerable organizations and customizing attacks to cause maximum damage.
Ransomware-as-a-service offerings like GandCrab and DataKeeper now are offering an affiliate model and daily patching and bug fixes to keep ahead of antivirus. WannaCry and NotPetya caused so much damage due to their use of the EternalBlue vulnerability and widespread targeting. These new attacks are increasing in technical complexity and are built to cause maximum damage – making an infection even more costly for the victim.
How Preventing Ransomware through Effective Patching Can Save You Millions
While we can never fully eliminate cybersecurity risk, one important first step to remediate the largest cybersecurity risk is to patch known vulnerabilities. One recent report found that 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Known vulnerabilities in Microsoft Windows, as well as those in applications like Java and Acrobat Reader, account for 44 percent of security breaches. The straightforward way to remediate this threat is to implement a patching program. Patching may sometimes be difficult, but the alternative leaves companies open to attacks that can cost hundreds of millions of dollars.
Vulnerability management and patching are critical elements of an IT security program designed to regularly detect vulnerabilities and apply patches in a risk-based manner. Too often, organizations do not have priority-based schedule for how quickly or which order they manage patching systems. Instead choosing to patch on a 30, 60, or 90 schedule, when they have time or when it is convenient for the business.
By implementing a risk-based strategy, the most critical vulnerabilities on the most important systems will be patch first. Many organizations use CVSS Scores to rank the importance of individual vulnerabilities and how important they are to patch.
WSJ Pro Cybersecurity’s Adam Jonofsky recently summed up this problem in a story for Journal Reports. “Several companies have suffered more than $100 million in lost revenue over the past year due to a common and frequently overlooked cybersecurity issue: outdated software.” With new vulnerabilities being discovered every day, it is more important than ever for companies to consistently scan for vulnerabilities, to score the threat of those vulnerabilities, and immediate patch those that pose the most significant threat. IT security leaders agree that you will never be 100% perfect when it comes to patching, however, eliminating threats like NonPetya, WannaCry and others is critical and having a risk-based threat and vulnerability management process in place will be effective.
June 8, 2018