Podcast transcript: What did we learn from WannaCry?

This automatically-generated transcript is taken from the IT Pro Podcast episode ‘What did we learn from WannaCry?’. We apologise for any errors.

Adam Shepherd

Hi, I'm Adam Shepherd.

Connor Jones

And I'm Connor Jones.

Adam

And you're listening to the IT Pro Podcast. This week: WannaCry.

Connor

It's been five years since the world was rocked by the outbreak of one of the most sudden and virulent ransomware infections in modern history. WannaCry was a particularly nasty piece of ransomware that took out a wide range of institutions from private businesses like Renault and FedEx to state institutions like the NHS.

Adam

The outbreak was stopped within days by the quick thinking of security researcher, Marcus Hutchins, but the impact it had was profound and far reaching. The estimated damage of the attack reaches into the billions and many organisations are still recovering from being hit.

Connor

Joining us on the podcast to talk about the fallout from the WannaCry incident, the lessons that have been learned from it, and whether we're likely to see another attack of that scale again, is Professor Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. Kevin, welcome back to the podcast.

Kevin Curran

Thank you.

Adam

So Kevin, last time, we had you on the show, we were speaking about digital privacy and surveillance in the workplace. This week, we've got a slightly less controversial topic, but one that's no less serious, I think. WannaCry, of course, was a massively devastating incident. How close are we to repairing the damage it caused five years on?

Kevin

What we've seen is, of course, that ransomware has gone nowhere, even with the crypto bubble busting at the moment, but again, because of the de facto way of being able to receive that ransom is through cryptocurrencies, and, of course, that they've moved on even to sometimes away from Bitcoin to Monero and other more anonymous cryptocurrencies, as well, but it remains, I mean, there is increases in the sectors which have been hit, I mean, generally it depends on which report you read, but it's really doubling year on year, really. And we're seeing a move even to small to medium size enterprises, again. There was a hiatus for a while there last year after the Irish government was attacked, for instance, that, that these people who generally ransomware as a service really would refrain from health services, but they've actually gone back on that, and we're seeing an increase in attacks on infrastructure, you know, of course, finance and, but also in healthcare as well. So ransomware is here for the foreseeable future. And, you know, anecdotally, whenever I talk to CISOs, and all that, that they will quite often tell me about, about their networks being compromised in the last year or so. So it really remains to be a large problem.

Adam

In your opinion, what were the main contributing factors that led to WannaCry being such a significant incident for really the global business community?

Kevin

It was such a problem, because we hadn't really any frameworks in place, not that there is an overriding framework, but we do know, we do have best practice recommendations for how to avoid ransomware, how to respond to it and how to recover from it. But a number of years ago, we didn't really have any mature capabilities, again, that of course, we've had frameworks which, you know, that enable us to set up, as best we can, best practice but it's only now that really two factor authentication, hardware keys, things like these, which do make us more secure are now being rolled out kind of de facto. Before that it was only people perhaps in security, or people, you know, accessing sensitive documents. In other words, it was a small sector, which were really using these hardened down approaches, where most businesses would have been running Remote Desktop, for instance, might not be using multi factor authentication and didn't have any plans for how to recover as such, any incident plans really. So a lot of small businesses were just hammered by this really. Of course, backups are essential really, but it's simpler when you're talking about maybe someone's laptop or documents but enterprises again with all the mishmash of tools and software and devices and people and you know, remote access as well, that a system is not easily, you just can't just backup a complete system across databases, maybe in cloud and hybrid and whatever else and just have it back up and running in the morning, you have to take, you know, a structured approach to it really and know your assets for instance and have them all you know, ready for... Well, first of all, have them all backed up but have a plan in place to be able to get your infrastructure back again. And unfortunately, when this happened, really people, your average enterprise was not ready and not expecting something like this, which would basically encrypt all the network, all the computers.

Connor

So it's interesting you say about backups not being easy and sort of being more difficult and less sort of well known back then. Is there anything in the past few years that has made backups and recovering from these kinds of attacks easier for the smaller guys to implement? Or is it just sort of like, a case of the knowledge is there now that this is what you need to be doing?

Kevin

Yeah, I mean, there are automated tools. Again, you know, you can have, you know, in fact, one of the recommendations is, of course, you have automated patch management of your operating system, of your environments, and also of your software. As such, there are tools which can try to, and that do actually take snapshots of your systems again, and can restore them and again, I mean there's companies which specialise in that, really, that they, whenever you're attacked, that they'll get your system up and running. I did a court case last year as an expert witness where a company who had been paid for managing services of an enterprise really, and then the ransomware attack happened. And it turns out that they didn't have backups of key crucial databases. So then it came down to the requirements scope, and that's where I had to go because they said they would do X, Y, and Z but, of course, it was left vague, that the company hadn't disclosed, you know, for whatever, you know, just simply forgot that they also had this database stored here, and it was accessing this here. And that wasn't part of the remit of the company who was supposed to be protecting them. So hence, when the ransomware attack happened, they could only get a percentage of their system back really, because there was just a gap in the actual assets, which would have been monitored and backed up.

Connor

Sure. Speaking on WannaCry more specifically, then - because obviously, we've talked about backups - is there anything that you think that organisations have learned specifically from the WannaCry attack, they're sort of taken into their incident response plans today, and how they sort of tackle cyber defence?

Kevin

Well obviously deploying the automated patches which happen, you know, afterwards again, so again, at the time it was Windows XP, or Windows 7, really, but, of course, Microsoft addressed it, addressed the actual issue, which led to the bug there, which was in the Server Message Block. Again, so that vulnerability had been fixed again, but of course, we don't know about the other zero days. And again, like the number one attack vector really is phishing, is how they're getting in really. And vulnerabilities in Remote Desktop Protocol and Active Directory are common ways again, these common attack vectors that these groups use to be able to make it in. So again, we just got to be aware of that and have automated tools, which hopefully can scan a network and even spot zero days, depending on your baseline. But again, we're increasingly relying on AI in some ways, again, because networks have become so complex whenever you go across and go above a number of employees really and it's hard to monitor every single thing on the network. If you fire up something like Wireshark on your computer, which sniffs the packets on your network, mostly wireless, you'd be surprised to see how many requests are going out of just one PC or one laptop in a few minutes. I mean, you have printers polling, who's there, are you listening, you got the network itself, obviously, firing off packets, you have Dropbox in the background, you have Outlook, you have all these, again, all this software, all these devices communicating across networks again, and then we start adding in our doorbells and our Wi-Fi kettles and our phones and everything else, and you quickly get to a large, large number of packets going across even a home network again, so therefore you've got to analyse again. So where would you start if you're doing this manually, and wherever you spot the anomalies again?
So there is software again, but of course not, the problem is a lot of small to medium sized enterprises don't really have the budget for a lot of the software, they don't really have the staff to run it. And then of course, you have, again, they do their risk assessment and to try to figure out well, is it worth it or not here? And there is no rule of thumb really, there is no like how much should be spent on security and then where does security get mixed up with IT support and IT services again, so a lot of things get left.

Adam

Yeah, and while there are a huge variety of kind of software tools and services that can be used to augment your security as a business and to help kind of detect and prevent threats, it feels like certainly back in 2017 when WannaCry hit, a large part of the problem was that organisations were neglecting the basics. I mean, you mentioned that the main exploit that WannaCry used, or one of the main exploits, was a problem in the SMB, the SMB kind of infrastructure in Windows, Server Message Block. And that was patched. But the problem was that a lot of organisations just hadn't applied the patch. And still to this, you know, to this day, there are a not insignificant number of computers out in the wild that have not updated with that patch, even, you know, five plus years on. Have organisations on the whole kind of recognised the value post WannaCry of applying patches in a timely manner? Or is that still falling through the cracks to a greater or lesser extent?

Kevin

Again, it comes down to the resources of the company again, so, you know, we have matured as a society with regards, you know, with anything you know, so I've seen the maturity from years ago, where people didn't realise the importance of strong passwords, where now really everyone gets that, you know, we mature technologically as a society again. So, again, people are not, you know, it was very few people used hardware keys, you know, as a multi factor authentication token before, whereas it's actually great practice to have it again, so we're seeing things gradually get there again. So, of course, most accounts now, which are important, people need to understand the need for multi factor authentication. And again, that there are services or even, you know, the Microsofts or whatever will come along, and, you know, it's important to monitor your Active Directory to identify and fix any misconfigurations in there again, and also training of staff again, so there is a need for user training again. So, of course, the people often are the weakest link, we say, again, so we don't train staff in how to spot phishing emails again. So it's different, it depends on how tech savvy you are, because there is no, you just get a feeling for what is a phishing message. And everyone's seen that and, of course, then business email compromise is becoming the number one attack vector really, because it's the low hanging fruit again, so it doesn't require too much for people to be able to get people to click on something and install it, and then have the backdoor in again. So it's still user education is very important again, but you got to have regular audits of your equipment, see, you know, we talk about data classification as well, you know, least privilege, that's one of the key things in security; don't give people access to anything more than they need to do their job again. So it's the first.
And of course, if we're giving people access to anything that you know, and then they're compromised again, so they move right across the network, as well. So we have to have all these things in place, but it's hard to manage every item because people now are bringing devices to work and such. So even though the IT management and the CSO and his team might have locked down all the PCs and have it done so that no one's running admin and ran all the software, but then someone brings in their Windows XP laptop, and they put the database on there, or whatever else they're logging in. So it's very hard, with bring your own devices, you know, with that type of technology, again, to be able to monitor everything. And unfortunately, I've seen this increasingly, I've seen it in my own workplaces where the IT department locked down everything, and makes it almost impossible to do anything with the actual, with the supplied laptop you have or device, it's what people do, just go to their own laptops and use a Wi-Fi and avoid what the actual security team have put in place really because it's too restrictive. Because, you know, really, you can say, well, there is a phone, how do I make a secure, my phone? Well, first of all, don't turn it on. But even then maybe the mic's on, you know, there's all these weird espionage things. So really, all I can do is take that phone and burn it to be sure that no one is accessing anything on there. And that's fine. But you know what, the phone is now useless to me. But I have made it secure and that's what a lot of companies are facing where the IT department again, the CSO is the first to get fired when it gets to the hack really.
So again, they'll just do what they say is whatever, but you have to have a copy, you have to have kind of leeway between the security team which might try to bolt down everything, but we have to get our jobs done too, and there's a trade off again, otherwise we'd never cross the road or get into a car. But there has to be an acceptable level of risk somewhere again, but training is part of that.

Adam

I mean, you mentioned kind of user training and strong passwords, multi factor authentication, all of this kind of best practice stuff. That is all really important and really valuable for companies to be implementing and to be aware of, but looking at flaws like WannaCry, WannaCry wasn't spread through phishing, or through kind of email compromise or anything like that; it was wormable. Right? It didn't require any user interaction, that's part of how it spread so quickly is that it could just kind of automatically and instantly go from one computer on a network to another, to another, to another, to another to another. How do you combat that, as an IT team through stuff like user training and best practices? Is it just a case of making sure that you're on top of kind of newly emerging zero days and things like that? Or are there other measures that can be implemented to prevent attacks like this?

Kevin

Yeah, I mean, first of all, you have to know your assets and what you're protecting, and then have the multi factor authentication in but you have to make sure that all your systems are patched and fully up to date. And then you want to have anti malware, anti spyware, you want to have real time analysis of the networks, again, you know, because they will be patched or they will be getting the updates from the Ciscos of this world or whoever else you actually hire services from, then you got to train your workforce to be able to recognise social engineering attacks again so that's part of it, but you have to run a large security awareness programme, as well as the IT department, making sure that things are locked down, that people are using unique passwords and the firewall even, for instance, I was talking to a CSO today of a council here in Northern Ireland, and they were attacked by ransomware on the day before, Thursday before Easter. And they found out that the company they'd hired to literally do the firewalls for them had really nothing there in place. So now they did the simple thing, because it's a council website. And it's very important for the whole area here. But they simply made it non accessible outside the UK. And why? Because, okay, maybe someone's abroad? And they want to find out about the bins, but no, no, that's a simple way to do it. Just make it, use geolocation in that respect again, and maybe try to limit how many people come, but that doesn't work in all cases, in most sites, you want everyone around the world to see it, but you have to have people in charge as well. And what happens when the ransomware occurs as well, you know, is there a person, a designated person to be able to manage an incident handling or if you have a third party, which depending on how big you are, you might have BAE Systems coming in or you know, the big boys coming in and doing an analysis of it.
But again, you have to have someone designated to be able to handle that and do the reports and bring the system back on and looking at all the audit logs as well and be able to see where it came from. Because even though most ransomware is wormable, but most of it does come from, you know, someone clicking on something at the start again, but sometimes you can have the ways to be able to contain that as such.

Connor

So obviously, WannaCry was, it certainly wasn't the first ransomware incident in cybersecurity history. However, it probably did mark sort of, you know, it kind of catalysed this big trend that's not really, like you said before, it hasn't really sort of ceased in the past five years. And obviously, everything's evolved since then. But one thing we do know is that businesses and organisations are starting to develop and sort of turn to these incident playbooks, right, so these blueprints on how to respond to an attack like this. So to that end, what role should these incident playbooks have in defending against ransomware?

Kevin

It's good to have a framework, at all times again, so with ransomware we're of course trying to protect against it in the first place, identify when it comes and then also recover from it as well. But we do I mean, there's so many like, you know, NIST standards, National Institute of Standards and Technology in the United States have some of the key frameworks that we follow when it comes to best practice and best cyber hygiene and cybersecurity again, so, all of these things are very useful again, so, and we you know, we have to just kind of, you kind of have to presume your network could be taken down again. So, what would you do, you know, so, again, there are actually, you know, depending on how risky it is to any of your things, you can have anything from containers in your car park which drive in on trucks, which they do occur, where you have a replica of your network, again, which has already been done before, but again, not many SMEs would be able to do that or, raise to that level again, and it's becoming a little bit increasingly more difficult as well. Where with the rise of cloud and hybrid environments as well, where you've lots of stuff now, even not even hosted on premises again, but we just have to presume that we can identify it again and hopefully, just be prepared.

Adam

So let's look at the criminal community and how they've been affected by the WannaCry incident and the ongoing fallout from it, the way it's changed the security landscape. Are there any lessons, do you think, that the wider kind of criminal hacking community have taken away from both WannaCry and the global response to it that's informed how they conduct their operations?

Kevin

Yeah, it's hard, like, we can only speculate because most of these, again, are coming from the Russias of this world, the Belaruses, Iran, North Korea again. So, again, this is notoriously, you know, that seems to be where they, you know, what they're looking for from these countries as well. But the problem is, of course, the cryptocurrencies, again, they don't want to be too successful, we found that with some of the larger attacks again, the Colonial Pipeline against the United States, and the Irish hospital system, which was brought to its knees again, so you'd want to be too successful, because then the authorities will come after you as well. So, of course, one lesson a lot of people have found is that Bitcoin isn't the anonymous cryptocurrency as many people thought it was; it was just quite good depending on you know, how you do it, and whether you put it through... what was the word again, your, if you want to be able to launder or wash it...

Connor

Tumbler.

Kevin

Tumblers, yeah, you can put that through your tumbler again, coming up. But there are some network analysis tools, again, depending on how much you have in here, and again, it has to reside in some wallet somewhere. So there are pretty clever people out there who do the network analysis on the Bitcoin chain, and are able to see where the money goes to again, it's hard to always and again in some ways that we're still even though we think cryptocurrency is decentralised, and solves everything and removes it from the world. But no, you always have to come back out into fiat again, so the Coinbases of this world and wherever else, or Bitstamps or wherever else people store there or use for their transactions again, that the governments are able to go there. And it always comes back to some accounts as well. And you're able to see where that goes. But your average cybercriminal who doesn't do anything, or just does some small attacks, even in the hundreds of thousands; they're unlikely to call it because police resources, police are swamped nowadays, because everything now, in the past you might have seen the police coming out of the house and carrying items; now they just bring out the devices again, and there's a lot and a chain of evidence has to be intact, and the police forces only have so many forensic experts as well. So the court cases, that's why there's such a backlog of court cases. And that's why because your jurisdictions as well, if someone steals something from you, and you know that they're in Lithuania, or well, you think they are, well, the police are not really going to be able to help you there because of the complexity involved, and the multi jurisdictional part again, but again, just if you really are intent on a life of crime, just don't presume that you won't, that your cryptocurrency won't be, won't lead back to you.

Connor

I think it's interesting, you know, you noted about criminals wanting to be successful but not too successful. I mean, obviously with the likes of REvil and DarkSide last year, we saw what can happen when they do get a little bit too big for their boots. But I think one of the most interesting things for me about WannaCry was the payment system or lack thereof, because they're, in the sort of early stage of the infections, they had a lot of victims actually paying the ransom and then realising that the people who were running the operation didn't actually have a mechanism to determine who actually paid and who didn't. So no one was getting a response back. And people just cottoned on to that and people, yeah, stopped paying. And then they're just sort of, along with the sort of technical shortcomings like the so-called kill switch, it was one of the things that really proved to be its downfall. And one of the things that, it's kind of like underpinned that part of ransomware, that trust relationship where, yes, it's bad to pay a ransomware actor, but you probably are going to get your files back because it's been done before where you don't get them back, and people just stopped paying, right. So I guess what, I guess the question is, what's the most interesting part about WannaCry for you?

Kevin

Yeah, the most important part would be, again, that I do remember the government invested more in cybersecurity afterwards again, especially in the NHS. Again, like I said, it's always hard to justify to the C suite or whatever else, you know, your need, because, of course, if the network's not down, but we have to have some kind of targets for how much a company should spend on cybersecurity, how much an organisation should, and the NHS is the sixth largest employer in the world, actually.

Adam

Oh, wow.

Kevin

Yeah, we forget how large it is as an organisation again, and you have all the, everything from MRI scanners right down to heart rate monitors and whatever else, and a lot of these were attacked again. So again, just it's kind of prepared us in some ways for what could happen increasingly in the future given the geopolitical landscape we're in at the moment, where nations will attack us and again, that they do have their cyber armies again, like, you know, in the past, we're able to tell how big a country's arsenal is by being able to count the number of tanks and planes and make some estimate, again, but it's very hard to tell how big a country's offensive and defensive cyber security teams are. But we're seeing that more and more of the military will actually be wearing will actually probably, you know, will be using laptops, again, because of how much damage we can do just using devices again, and you know, being able to hack national infrastructure again. So I think a lot more will be put into it rather than the traditional things. We're seeing the failure in some ways of tanks and you know, the traditional warfare, but it's good to see to the government because it is crucial. My cousin is a nurse in the Irish government. And she said that the attack on the southern health system from ransomware, last year was, it actually was worse than COVID. In some ways, she said that they couldn't do anything. And they really had to go back to paper and pen.

Adam

Oh wow. I think that's one of the biggest takeaways from WannaCry for me was that, firstly, it really underlined what kind of impact a really serious cyber attack can have on not just an organisation, but on kind of critical infrastructure. You know, we've been talking for years in the wider cybersecurity community about the risk of critical infrastructure attacks. WannaCry, and later Colonial Pipeline, I think were, in some ways, the first real sort of illustrations of how bad it can potentially be. And, you know, that's not even close to as bad as it could potentially get with a more serious, more sustained attack. But one of the other real takeaways was, you can't protect everything. Like you mentioned, MRI scanners, a large part of the reason why the NHS was so badly hit is because they use a lot of embedded systems that physically can't be updated, you know, the systems running medical equipment, internally. They, in many cases, they can't physically be patched, you have to buy a new MRI machine, essentially. And there's just no way around that unless manufacturers design, you know, user upgrade functionality into their machines. And in many cases, the manufacturers that make these machines have come and gone in the time since institutions bought them. And it's a really difficult problem to grapple with. And you get the same issue in many cases in manufacturing, and in areas like that they use a similar amount of embedded machinery.

Kevin

Exactly, I mean, at least air gapped, I mean, that's always useful but um, yeah, but there is a bit of protection to having a heterogeneous network where you have all different types of devices again, so because usually an attack does usually target, it's usually platform specific, they can morph again but so if you got half of Macs or whatever, you know, a PC somewhere running X number version, you can be protected to some degree once it reaches some kind of system, which is Solaris or Linux or whatever else but again, then with that, with having multiple operating systems or devices to support again, you can have a little bit more complexity there. But again, of course, as we know that the takeaway lesson really from WannaCry was just patching in a timely manner, that if they had patched you know, there would have been protection really but again, that there are so many devices out there.

Connor

So obviously WannaCry was largely driven by the leaked EternalBlue exploit, the former exploit sort of owned by the NSA. And since then, we've had, I mean, arguably, you could argue that Colonial Pipeline was sort of on a level with WannaCry, but do you think we could ever see a cyber incident on the same level as WannaCry again? Given that, you know, it was largely driven by this freak leak of a one-of-a-kind exploit?

Kevin

Oh, absolutely. You know, the, you know, we have zero days all the time. And of course, we don't know about most, but they're sold to regimes or used by organised crime syndicates as well. But absolutely, there is so many like, there's, like, no one even understands the code build, there's no one who could possibly be in Seattle in Microsoft who completely understands the entire operating system for Windows, for instance, I mean, we're talking about millions and millions and millions of lines of code developed over 30 years, whatever, you know, with all the add ons to that, which would happen, and we know that every Patch Tuesday just before they do their fixes, you know, I think it was 119 vulnerabilities last month, that they honestly the administrators know what's going to be fixed, what's going to be changed in the coming weeks, you know, because network, IT departments were tearing their hair out at times, but you know, because they get the blame when the Microsoft patch screwed up something so they try to predict this now. But again, that's how many vulnerabilities were last week. So there'll always be exploits out there, there'll always be zero days, because and of course, we hope that they're not wormable again, but definitely that you know, that these can spread across. And we haven't really seen the nightmare scenario where you know, most of the world's computers or devices. But again, if we see it to the, you know, some of the security tools have improved. But also, you know, the attacker is not letting up either, again, that we do have great automated tools now, which are able to detect and sometimes stop an active attack again. But I have no doubt that we'll see other, you know, other attacks, which take up to you know, take hundreds of millions of computers, really, especially the ones which are not patched really.

Adam

And how can organisations try and get ahead of this eventuality?

Kevin

They have to implement best practice, which is general, of course, the best practice kind of covers a host of attacks really, not just ransomware. And that's using multifactor authentication, strong passwords, using being able to identify all the resources on the network, auditing users, only giving them the privileges that they need, enable and disable Remote Desktop Protocol unless you don't use it. Use the appropriate software for scanning, do regular audits of your users again, and the software which is on your systems, if you don't use it, remove it again, and then plan for attacks and have desktop exercises as well and then have the strong incident response team. And also, of course, along the way, always educating your employees and users about the dangers of compromise really and what to look out for and have it updated as well. Because once people are trained, they do forget after a number of months again, so make it part of their, you know, their targeted work, you know, for what, because technology has become instrumental in our lives. You know, just a few years ago, there wasn't even an attack about a year and a half ago or two that the Visa network went down for about 24 hours in the United Kingdom. People were stuck without being able to get train tickets, they're not able to buy food, they couldn't get, you know, whatever because the actual Visa, because people increasingly do not carry cash anymore again. So again, what happens at networks when they go down at airports again, we're relying so much on technology again. So again, that there will come a time when we you know, unfortunately, we're going to see more and more infrastructure, and sometimes not even attacks, it's just because someone who you know flicked the wrong switch or else there's a cable a digger has dug up somewhere, again, maybe into a data centre, but we're increasingly reliant on technology.
But there will be days in the future where we all are back to paper and pen, you know whenever some systems go down.

Adam

Well, that's it for this week's episode. Our thanks to Ulster University's Kevin Curran for being with us.

Kevin

Thank you.

Connor

You can find links to all the topics we've spoken about today in the show notes and even more on our website at itpro.co.uk.

Adam

You can follow us on social media as well as subscribe to our daily newsletter.

And don't forget to subscribe to the IT Pro Podcast wherever you find your podcasts. And if you're enjoying the show, leave us a rating and review.

Adam

We'll be back next week with more insight from the world of IT but until then, goodbye.

Connor

Bye.
