The current editorial focus surrounding WannaCry is on the technological vulnerabilities which allowed the ransomware to breach so many devices and systems, but the fact that the attack most probably entered into organisations via a phishing attack on end users is also very important to consider.
Friday 12 May will live long in the memory of cyber security professionals. That was the date that computer screens across the world began to flash scarlet with an ominous message: “Ooops, your files have been encrypted.”
The following days brought misery for hundreds of thousands of organisations globally including many in the NHS, impeding patient care and inconveniencing countless customers and employees.
The WannaCry ransomware attack has left industry practitioners with much to think about. Not least, how to transform your employees from a corporate cybersecurity risk to an alert and solid barrier to online threats.
Considering the damage this attack campaign managed to wreak, it was certainly aptly named. Also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor, it seemed to strike at will, locking down PCs and servers in organisations as diverse as Nissan, Telefonica and even the Russian Interior Ministry.
In reality, it only affected firms which had failed to patch a known vulnerability in Windows (MS17-010). WannaCry used the NSA’s own EternalBlue exploit – recently released by hackers – to spread worm-like inside infected organisations and outwards across port 445 to other IT systems also running vulnerable installations of the Windows Server Message Block (SMB) file sharing protocol.
Europol boss Rob Wainwright claimed shortly after it struck that WannaCry had affected 200,000 targets in 150 countries, including over 60 NHS organisations. Whatever the target, it locked users out of their machines while IT teams struggled to protect key data. The cost to those organisations hit by the ransomware is almost incalculable.
Some may have been fortunate to store back-ups of their mission critical data offline, but there still remains the long and costly process of clean-up, remediation and restore. In the meantime, staff downtime and service outages continue, which in the case of the NHS, means cancelled operations, patient treatments and other vital appointments.
The best guess for how WannaCry gained an initial foothold on targeted systems is through unsolicited phishing emails which tricked users into clicking through, kick-starting the initial malware download. If that’s true, this outbreak has elevated effective user education and awareness training to an issue of critical importance.
Phishing has been around for years but today is more popular than ever before. Many attacks are designed to trick users into handing over personal and financial details which can then be monetised by the hackers on darknet forums.
However, increasingly they’re combined with malicious links and/or attachments with a view to downloading malware onto the victim’s machine. In fact, malware infection accounted for over a quarter (27%) of phishing attacks spotted last year, according to Wombat’s State of the Phish 2017 report.
The Anti Phishing Working Group (APWG) saw just 1,609 phishing attacks each month in Q4 2004 versus a staggering 92,564 per month on average in Q4 2016, an increase of 5,753% over 12 years. And Wombat Security has learned that the APWG doesn’t include ransomware attacks like Wannacry in their phishing statistics, which in its opinion significantly underestimates the actual volume of phishing emails.
This shows the sheer scale of the challenge facing IT departments in turning their staff into a strong line of defence. Yes, technology solutions can help to mitigate the threat. But with phishing click rates as high as 30% in some sectors, according to Wombat data, end users are very much the weakest link in many organisations.
This all makes user education and training vital. The good news is that 92% of organisations claim they run such programmes, up from 86% two years previously, according to our data. However, as WannaCry and numerous other ransomware and cyberattack campaigns have shown, they aren’t always effective. With targeted spear phishing – which hit 61% of firms we spoke to last year – end users have to be more diligent than ever to recognise, avoid, and report attacks.
So what approaches work best? Effective training and awareness programmes must start with some form of baselining to see how susceptible employees are to phishing – something 33% of UK and US firms still weren’t doing last year. Then it’s all about choosing the right kind of curriculum.
Programs which include the simulation of real world attacks, and in-depth, yet brief, computer based training modules are most useful as they can help evaluate and educate staff without exposing the organisation to unnecessary risk.