What can we learn from WannaCry?
On Friday, May 12th, 2017, an unknown group of hackers unleashed the now infamous WanaCrypt0r 2.0 against government agencies, companies, and individuals worldwide. When the dust settled over 200,000 systems had been infected, and many victims lost their files forever. WannaCry did not take weeks, or even days, to spread. The damage was done in mere hours. At the time of this writing, the authors of this ransomware had made just over $126,000 - a complete failure compared to lesser known attacks that have grossed millions.
In his 1905 book, Reason in Common Sense, George Santayano stated, "Those who cannot remember the past are condemned to repeat it." The media, and society in general, has moved on from WannaCry, but we need to take a few minutes to reflect and learn from it. Fortunately, this particular crime-ware did not affect Lucas Systems or its customers, but there is always another attack just over the horizon. There are numerous possible takeaways from this, but two major ones cannot be ignored.
Updates WannaCry exploited a known, highly-publicized vulnerability in the operating system. Every victim of this attack had something in common: they had not installed the patch Microsoft released two months prior. Let that fact sink in for a minute! One of the most prolific ransomware attacks in history could have been prevented if users had installed a patch at any point in a two month period.
PCI-DSS requires you to apply critical patches within thirty days of release, and this outbreak illustrates why. Every time a critical update is released, hackers work tirelessly to reverse engineer it. Sometimes they strike proverbial gold and develop a means to exploit it, but the majority of the time they cannot. In this case, the National Security Agency found the vulnerability, and the public release of the Eternal Blue exploit made their job simple.
Backups We know that over 200,000 systems were infected by WannaCry, and we also know that relatively few people paid to have their files decrypted. We can separate all of these systems into two groups: those who had backups, and those who did not. It was a definitely a rough day for both, but the group with backups recovered.
Lucas Systems backs up key sales, labor, and inventory data to off-site servers every night. As a best practice, If you have files you consider critical to the success of your business, you need to routinely back them up. This can be as simple as putting them on a flash drive and keeping them somewhere safe, and you have a variety of options, from hardware appliances to automated cloud backups. Regardless of the method you choose, you should test the system periodically to verify it works as expected. Backups are a key part of a disaster recovery plan and are also a part of the PCI-DSS requirements.