WannaCry: A Global Wave of Ransomware

In May this year, the world witnessed the largest ransomware outbreak in history, with over 250,000 computers in over 150 countries being held to ransom by the WannaCry ransomware worm. WannaCry’s exploitation of the vulnerability in the Windows Server Message Block (SMB) protocol affected public and private sector organisations including Britain’s National Health Service and global companies such as FedEx, Renault, Nissan, Hitachi and Telefónica.

The outbreak of the WannaCry ransomware had significant consequences: hundreds of thousands of computers became instantly unusable, hospital appointments were cancelled, lives were endangered, transport links were suspended, employees were sent home and business operations ground to a halt. Although the outbreak caused significant disruption across the globe, the evidence shows that the cyber criminals only managed to get away with £105,000 worth of bitcoins in pay-outs; a paltry sum of money for such a wide-scale attack. Since the attack the bitcoins have been moved – likely by the criminals, one by one, to new wallets – awaiting further action and an eventual cash-out.

But what has changed since WannaCry and what lessons have we learnt?

Although cyber-attacks are not unusual by modern standards, the local impacts of WannaCry truly opened the eyes of the public to the potential of large-scale malware attacks. Previous ransomware families such as Locky have had similar effects in terms of disruption, but WannaCry and its consequences have now forced the issues of Information Security and Information Assurance into the spotlight more than ever before. Since May, a successor called Petya (and derivations thereof) has been circulating, causing additional real-world damage as well as ‘logical’ damage to systems. Ransomware has ‘come of age’ in the international consciousness, yet many organisations are simply not doing enough to safeguard themselves from this often untargeted, unforgiving and relentless threat.

Holistic Cyber Security

The ‘WannaCry’ attack highlighted the level of global interconnectivity, with over 150 countries being affected. It also brought into sharp focus the fact that end-to-end encryption and the Internet make it an almost impossible task to keep everything under effective surveillance. Implementing the principles of holistic Cyber Security is essential for businesses; these include effective training and understanding for situational awareness, more nuanced risk appetites, and secure intelligence sharing on an international basis. It is paramount that, whilst Brexit may mean changes to the physical border of the United Kingdom, it should not disrupt the ability to share critical information in a secure and dynamic manner, particularly in light of the evolving international component of malicious threats.

Eventbrite - UK-NL Cyber Security Showcase 2017

Derailment: how to stop malicious insiders?

It took twenty years for Robert Hanssen to be discovered, when he was doing his final dead drop. He left important intelligence under a bridge for the Russians to pick up. No doubt he was one of the most highly capable double agents in US history. He had been spying for three different Soviet and Russian intelligence agencies in the 80s and 90s while working in counterintelligence for the FBI. At one point he even led the investigation against himself when the FBI became suspicious of a mole. Hanssen was also one of the first ‘moles’ or ‘insiders’ who used some basic hacking techniques to obtain information from the FBI’s computers. He caused unprecedented damage to the FBI, its operations and its people. Before his arrest, the FBI’s security programme was based on trust. Pre-employment screenings were limited and in-employment screenings non-existent. This incident raised awareness that simply trusting people with such secrets was no longer tenable. It required a new vision of managing insider risks.

The internet fundamentally changed the problem of ‘insiders’

If we fast forward to this day and age, computers are fully intertwined with our lives, and the internet has changed insider risks on all levels, including our responses to minimise the risk. Part of our world has moved from physical to online space. The majority of organisations have become totally digitalised and the internet is used for distribution. We have moved online too, including our behaviours, our work life (working from the cloud) and our private life (Facebook), and both lives have become intertwined. Access to and availability of information is now heavily facilitated by the internet, and all at very high speed. The flip side of this is the increased vulnerability to information leaks. Chelsea Manning and Edward Snowden have demonstrated the vast amount of information that can be taken from even the most secure agencies in the world, but they have also been able to achieve global reach by distributing this information via the internet at great speed. The impact has, hence, been gigantic.

Insider versus whistle blower

Both Manning and Snowden instigated and even polarised the debate between whistle-blowing and being an ‘insider’. To a certain extent this poses the question of who actually ‘derailed’: the person, the organisation or even the institution of government. Their cases make an important point: whatever label it is given, an organisation always has a responsibility to uphold strong ethical standards and to have proper processes, procedures and care for the employee in order to promote and uphold a healthy culture of trust. At the same time, this organisational ‘health’ and care for the employee means that there needs to be a good understanding of the indicators of ‘derailing’ employees. And here is the good news: people don’t derail instantly. Case after case has shown it is a gradual process in which the environment plays its part and, thus, is also part of the solution.

Roads to derailment

Debates about right or wrong, insider or whistle-blower have often clouded similarities between people accused of espionage, theft of intellectual property, sabotage or acts of violence. Perhaps surprisingly, there are clear commonalities in disgruntled individuals in their predispositions, motivation, experiences and interactions with their environment.

Understanding that there is a pathway means understanding that there are options for prevention, detection and early response. The “critical pathway to insider violations” (Shaw and Sellers) explains that there is a pattern of cumulative risk factors, but also that the environment has a role in mitigating the risk. So why is this important to know?

Solutions require a comprehensive effort in technology, processes but especially people

Depending on risk profile and risk appetite, companies are offering technological solutions to organisations to gain a better understanding of employee online behaviour and to intervene early if employees cross ethical and organisational boundaries. Nowadays all activity is online and the risks have also moved to the online space. However, the pathway explains that this can never be a standalone solution, nor a starting point for one. The ‘why’ comes first. Why is such a solution needed? This comes down, first and foremost, to understanding organisational, system and employee risks. As a consequence, proportionate actions can and should be taken to maintain a safe working environment for all, with respect for company culture.

The pathway or road to derailment also indicates the need for comprehensive action: action and due care towards the employee every step of his or her way, from recruitment to the end of employment or even beyond. Actions directed at the organisation internally include the risk assessments mentioned above, policies and controls, detection, incident and response mechanisms, governance and living by the book. Practising what you preach!

No quick fixes!

There is no single quick fix, but there are good steps to take that will improve an organisation’s strength in managing such risks, on both the technical and the non-technical side. Digitalisation requires a more systematic approach to building and operating systems so that early warning signals are detected. However, we don’t just live and work online; we are still physically present somewhere as well, and hopefully interacting too! Oftentimes your employees are said to be your weakness, but let them be your strength in detecting odd, off-the-mark behaviours. Not even because a colleague could be derailing, but because you care for each other’s wellbeing. When you get to work tomorrow, try to be aware of your colleagues’ personal and professional stressors and what can be done about them!
