Impact of WannaCry: Major disruption as organisations go back to work

15 May 2017

The real damage caused by the nightmare that is the WannaCry malware is becoming clearer in the cold light of day. Its impact will be felt for a long time to come.

The effects of the devastating WannaCry cyberattack – believed to be a rogue cyber weapon stolen from the NSA – are only beginning to be understood. So far, it has spread to 150 countries.

The attack grew over the weekend from 45,000 victim systems to an estimated 200,000, crippling large organisations from the NHS in the UK to Renault factories in France and Telefónica in Spain, as well as Russia’s second largest mobile operator, MegaFon.

The impact of the cyberattack in Ireland is still being estimated but this morning, as HSE staff return to work, the Government has advised workers that when they switch on their machines, they must not log in for the first two hours, in order to let antivirus software do its work.

The fact that so many organisations have fallen victim to the attack raises questions over just how robust their systems were, in terms of basic antivirus and security patch measures, but also why so many organisations were running dated versions of Windows, such as Windows XP, which Microsoft no longer supports.

The malware, known as WannaCry or WanaCrypt0r 2.0, manifests itself on vulnerable Windows computers.

On Friday, it knocked out computer systems at 16 NHS hospitals, blocking access to files by encryption unless a ransom starting at $300 was paid in bitcoin, subsequently rising to $600.

The malware attack was briefly stopped in its tracks on Saturday when a quick-thinking security researcher called Darien Huss identified an obscure domain name in the malware’s code and bought the domain.

However, this may have just been a temporary reprieve as the hackers behind the attack could easily just change the domain and rerelease the malware.

The chilling reality is that WannaCry is just one example of what a cyber weapon – believed to have been created by the NSA using American taxpayers’ money – could actually do.

Last year, a group calling itself the Shadow Brokers began posting software tools that came from the NSA’s arsenal.

WannaCry is also an eerie reminder of when the Stuxnet worm – a cyber weapon jointly created by the US and Israel to target Iranian nuclear facilities – went rogue several years ago and began attacking the systems of vital utility companies across the world.

Do not pay up

Despite the vast spread of WannaCry, it is believed that the perpetrators have only raised around $20,000 in payments so far, and have yet to actually withdraw the payments; no easy feat as many eyes will be on the transactions in order to trace the attackers.

Precisely how the malware is spreading is still open to debate, but the consensus appears to be that it is a phishing attack, whereby people are manipulated by email into clicking on seemingly innocuous links that expose their organisations to the virus.

Businesses are being advised to make sure all their systems are up to date, as they should have been before the attack began.

“Executives should ensure that desktop and server IT operations teams are provided with all the support they need to rapidly deploy Microsoft’s April and May critical security updates, along with March’s MS17-010 security update,” said Pat Moran, PwC cyber leader.

“They should also understand that IT operations teams, on the recommendation of their security team, may need to cause temporary disruption to some services on IT estates as additional controls are implemented and vulnerable services disabled.”

He urged companies not to give in to the hackers: “Do not pay ransomware ransom – unless there is a threat to life. Doing so fuels the ransomware economy, funding development of additional ransomware techniques and campaigns.”

Moran’s colleague Leonard McAuliffe, director of PwC’s cyber practice, said that IT teams have a lot of work on their hands.

“Ensure your IT teams have taken action to – or develop plans including to – disable the use of the SMBv1 network file-sharing protocol across the entirety of your IT estate; disable the ability to execute unsigned macros in Office documents, using group policy settings (and sign legitimate macros from your own organisation); ensure two-factor authentication is in place for all external access to systems (such as VPN and RDP); and identify and prevent all systems without the MS17-010 security update from connecting to core corporate networks, and segment guest networks from all ability to access core corporate networks.”
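One way an IT team might carry out the SMBv1 step of this advice on a single Windows host, shown as an added example that is not from the article or from PwC. It assumes Windows 8 / Server 2012 or later and an elevated prompt; the function names are hypothetical.

```powershell
# Added example: audit and disable SMBv1 on one host.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

function Get-Smb1Feature {
    # The SMB1Protocol optional feature is absent on some editions, so a
    # failed lookup is reported as $null rather than stopping the script.
    try {
        Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    } catch {
        $null
    }
}

function Get-Smb1Status {
    # Server side: will this host still accept inbound SMBv1 sessions?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-Smb1Feature

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $serverEnabled
        Smb1FeatureState  = if ($feature) { "$($feature.State)" } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Stop serving SMBv1; this setting takes effect without a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the optional feature as well (client and server components).
    # -NoRestart defers the reboot so IT operations can schedule it.
    $feature = Get-Smb1Feature
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
}

$before = Get-Smb1Status
if ($before.ServerSmb1Enabled -or $before.Smb1FeatureState -eq 'Enabled') {
    Disable-Smb1
}

# Emit the before and after state so results can be collected centrally.
$before, (Get-Smb1Status) | Format-Table -AutoSize
```

A feature state of `DisablePending` in the second row means the removal completes at the next restart.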

The Irish Government said that the National Cyber Security Centre at the Department of Communications is monitoring the situation, and that the impact on Irish organisations has been minimal so far.

But that could change.

“The general advice to everyone, both business and private users, is to upgrade antivirus software as soon as possible, and, if not already in place, to institute a regular programme of back-ups,” the Government said in a statement.

“Following the attacks on the NHS on Friday, which limited the delivery of many services in the UK, the HSE has been working over the weekend in order to prevent its network from being compromised.

“As staff go back to work tomorrow, the HSE is advising all of its staff to ‘turn on’ their computers but ‘do not log in’ for a full two hours.

“This will allow the antivirus capability to become active, while still allowing the network to remain protected.

“Each health building will have an IT representative to provide assistance in the morning. There is also a dedicated help-desk function in place for dealing with this crisis. An important message for all computer users is ‘think before you click’,” the Government advised.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
