In 2017 the largest ransomware attack in history – WannaCry – swept across the globe, infecting a quarter million machines in more than 150 countries. In the UK, the NHS was hit particularly hard, with a third of trusts impacted, 19,000 appointments cancelled, and a total cost of £190 million.
The attack took advantage of a critical vulnerability in Microsoft systems, meaning that any organisation who had not patched that specific vulnerability were at risk. The UK and US governments formally blamed North Korea, making the attack one of the earliest examples of state sponsored cyber warfare. In the intervening years, this has become much more commonplace – most recently tied to the Russia-Ukraine conflict.
WannaCry drew attention to the importance of patching vulnerabilities as quickly as possible, with an increased number of organisations making an effort to keep their software up to date. However, ransomware attacks have only increased since 2017, and it is now a matter of when, not if, organisations will be targeted. So what lessons can be drawn from the attack, and how can businesses keep their systems secure?
Mastering the basics
Some security advice seems obvious, but WannaCry was a stark lesson that too many organisations neglect the basics. Complicated and expensive defence systems will be of limited use if the simple steps are not first taken.
Steve Young, UKI Sales Engineering Director at Commvault, explains: “It is important that legacy solutions are modernised – ensure that your platforms are regularly updated and adopt new capabilities to avoid gaps and vulnerabilities appearing.”
Neil Jones, Director of Cybersecurity Evangelism at Egnyte, argues that education needs to remain a priority. He believes that security teams need to “educate executive management about ransomware’s impact”, and also “perform cybersecurity awareness training, which should include implementing effective data protection policies like strong password protection and multi-factor authentication. It’s also critical that users understand any company can be a potential victim, regardless of size or location.”
“Effective phishing education and communication are vital,” agrees Ian Pitt, CIO at Progress. “At least two rapid-fire rounds of education followed by frequent refreshers are recommended to promote phishing scam reporting. Establishing a company-wide channel to instant message the entire organisation enables urgent contact.”
Samantha Humphries, Head of Security Strategy EMEA at Exabeam, believes that businesses need to understand that “cybersecurity is not a ‘tick box exercise”.Too many organisations still have this mindset that sees them scrimp on the fundamentals of cyber hygiene.
“Everything starts with having visibility across your systems. Put simply, if you don’t know what you’ve got, you’re not going to be able to protect it. This insight will help to provide teams with a clear understanding of user accounts’ and devices’ normal behaviours, enabling them to spot anomalies more easily when they happen – and they will.”
Implement a proactive, multi-layered defence
Whilst ransomware attacks have only grown in sophistication since 2017, luckily, ransomware defence has kept apace. Organisations should therefore take advantage of these advances and proactively implement the latest technologies.
“Despite the increased awareness to patch regularly since WannaCry, new risks are constantly emerging. Zero-day vulnerabilities do not have patches available and can evade detection from anti-virus tools for as many as 18 days after they are exploited.” explains Paul Farrington, Chief Product Officer at Glasswall.
“Delivered at scale, zero-day threats have the potential to become a significant problem for organisations that are not taking a proactive approach to cybersecurity. File sanitisation technologies, like Content Disarm and Reconstruction (CDR), provide protection that doesn’t wait for detection. This is especially important with the growth of file-based threats, which rose by 5.7% between 2020 and 2021, and with continued growth expected in 2022.“
Pitt adds, “Multi-factor authentication and Zero Trust deployment ensure that valuable data is secured, and the entire tech ecosystem, including partners and customers, is kept secure. Investing in network flow monitoring and a user behavioural analysis solution ensures the network is continually monitored for potential breaches and security pros can detect suspicious behaviour more easily.”
When the worst happens
No matter how many layers of defence your organisation has, the truth of the matter is that there is still always a possibility an attacker will break through. True ransomware defence must therefore include preparation for the worst, in order to minimise the disruption caused.
Young argues that “we cannot totally depend on reactive security solutions for protection. We must prepare for the worst and ensure that, should cybercriminals manage to slip through, our systems can get back up and running as quickly as possible. Backup and disaster recovery, therefore, are imperative parts of a robust cybersecurity defence. A fast Recovery Time Objective (RTO) ensures that applications can quickly get back to running mode, reducing lost profits and any negative impact on brand reputation.”
Terry Storrar, MD at Leaseweb UK, concludes: “Security and business continuity teams need to work hand in glove to ensure that data is recoverable, so that operations can be efficiently resumed in the event of a ransomware attack.
“Investing in disaster recovery strategies that will protect an organisation from the effects of significant negative events and enable the fast resumption of mission-critical functions is the key to enabling business continuity. And planning to maintain business continuity is now a top goal for organisations that want to ensure they can access their apps, data and operating systems no matter what.”