The recent WannaCry ransomware attack may not have generated much money for the shadowy parties behind it, but it brought plenty of business to cybersecurity firm BlackStratus.
It’s not the kind of business the company — whose CyberShark technology is headquartered in Stamford — necessarily welcomes, however.
“Being attacked by ransomware is unfortunately no longer a matter of if, but of when,” said BlackStratus Chief Security Officer Mike Maxwell. “And that’s part of why we’re here — to act swiftly and remediate the problem.”
Although the people behind WannaCry — identified in some quarters as the North Korea-linked Lazarus Group, believed to have also been behind the 2014 hack of Sony Pictures and the theft of more than $80 million from the Bangladesh Central Bank — made much more in the way of publicity than actual money, their attack of May 12-19 should serve as a wake-up call for businesses big and small, Maxwell said.
A small percentage of people paid the $300 to $600 in Bitcoin cryptocurrency that WannaCry demanded for the return of the use of the victims’ computers, Maxwell said. Many reports put the total paid at around $100,000, though cyber-risk modeling firm Cyence said it could go as high as $4 billion.
In 2016, such schemes caused losses of $1.5 billion, according to market researcher Cybersecurity Ventures. That amount included lost productivity and the cost of conducting forensic investigations and restoration of data, the company said.
As indicated by its name, ransomware is like a kidnapping case. Instead of a person or pet being held hostage for money, however, it is computers running a particular operating system — in this case the Microsoft Windows OS — that are “seized,” using malicious software that blocks access to the victim’s data.
That the amount demanded from each victim was so small — most were for $300 — led some, particularly hospitals whose patient records were at risk, to pay. “They see it as the easiest way out,” Maxwell said, “but a lot of places can’t just pay and move on.”
“You absolutely should not pay,” the BlackStratus security chief said. There are no guarantees that control over one’s computers will be restored or that, as with other cases of hijacking, blackmail and the like, additional and escalating demands will not occur.
“Any amount paid is worth it for them, and rewarding them just encourages them,” said Maxwell.
None of BlackStratus’ approximately 200 global customers were directly affected by the WannaCry attack, he said, which struck more than 230,000 computers in more than 150 countries. Britain’s National Health Service, Spain’s telecommunications firm Telefónica, German railway company Deutsche Bahn and U.S.-based FedEx were among the victims, with Japan and China also reporting high instances of infections.
The tools behind the attacks reportedly belonged to the U.S. National Security Agency.
A critical patch had been issued by Microsoft on March 14, nearly two months before the attack, to remove the underlying vulnerability for supported systems, but many organizations had not yet applied it. Those still running older, unsupported operating systems such as Windows XP and Windows Server 2003 were at particular risk; Maxwell noted that Microsoft took the unusual step of releasing updates for those operating systems after the WannaCry attack.
“We’re active 24/7, 365 days a year,” said Maxwell, “so we were monitoring Europe when it first was detected and were able to act accordingly, issuing alerts to our customers, in many cases before they’d even woken up.”
And waking up is what is needed most.
“The governments of the world should treat this attack as a wake-up call,” warned Microsoft President and Chief Legal Officer Brad Smith. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Smith noted that in February Microsoft called for a new “Digital Geneva Convention” to govern such issues, including a new requirement for governments to report vulnerabilities to vendors, “rather than stockpile, sell, or exploit them.”
Maxwell said that usually proactive IT personnel should increase their vigilance. “Having a service like CyberShark is like having a burglar alarm on your house. It usually works perfectly, but if you’re in an area prone to burglary, even with an alarm you can find your house being broken into.”
He also called for executives to take a more active role in their companies’ cybersecurity efforts.
“The boardroom can’t ignore this anymore,” Maxwell said. “The C-level suite needs to understand the risks and make the proper decisions. It’s very important for management and executives to be aware of what’s going on today and to make sure that they have the right controls in place.”
“We may not be so fortunate next time. And there will be a next time.”