WannaCry: A Refreshing Attack

Written by

Don't cry over spilled milk, in fact maybe it will teach you to hold the carton tighter. A lesson well learned. This is why, despite the harsh headlines WannaCry makes me smile.

If I was a white hat specialist intending to teach the public a massive lesson (for a greater benefit), this would have been the perfect approach: $300 is just enough to get attention and make a point without inflicting financial damage. I also would have donated the 50k to cyber-education, but that's beside the fact. Many are reporting this breach in an absolutely frightening manner. Scary? Sure, anything that affects the masses is disturbing. I see it entirely differently. With the exception of the few organizations that were greatly affected, dare I say, this was a great breach! Here’s why.

The tone of reporting on this breach has been one of shock and doom-and-gloom. However there are a number of very positive points that are being overshadowed. For one, despite the low demand of $300, a small percent of those infected actually paid the demand.

There are a number of potential reasons for this such as the discovery of the killswitch and sharing of decryption codes, but the main thing we can hypothesize from this statistic is, companies are employing regular backups. For companies to be unwilling to shell out $300, indicates both a lack of intimidation and a sense of security with your own controls.

This is great news. Frequent and regular backups are the single most effective security measure against such attacks. On another positive front, this breach has resulted in somewhat of a mass awakening to cyber-threats (and importance of security) among the general public. Those that were not treating backups, encryption or system updates seriously have heard the message loud and clear.

The topics of backups and encryption are seeping into every day conversations – a change in tone for sure. So in some ways (although it may be wishful thinking) this may deal a blow to ransom attacks, and even cyber-attacks in general. About as good of a response as a security specialist could hope for post-breach.

Lastly, it is largely expected that this breach will act as a catalyst to fuel adoption of cyber-insurance in the small and mid sized-business community. This is good news for the insurers as well as the companies purchasing the cyber-insurance, as many smaller companies do in fact need a small push when it comes to purchasing such coverage.

A recent case of an affected law firm only able to collect 25k of a 700k loss highlights this point well. That said, it’s extremely likely that, with such a low demand of $300, any cybersecurity policy would have been initially unresponsive. That is unless the resulting lost income was more significant or the demand ballooned to a greater amount, at which point, depending on the sublimit, the coverage may have stopped responding altogether.

With all of the positives addressed, the main fear that has bloomed from this breach is a fear over the future of ransomware, and just how damaging it may evolve to become. Demands have long been expected to rise, but we didn’t see that here – for reasons we can only speculate. Either way, the demands will rise eventually.

It’s not larger demands that I fear most. As is the nature of malicious code, ransomware will only get smarter. What might that look like? This code was rather unintelligent, but as ransomware becomes smarter, it may come with the intelligence to discern between the value and quantity of data in its possession which could pose a real danger.

Imagine a “conscious” ransomware – one that was aware it was in possession of hundreds of thousands of medical records, and could set an appropriate ransom demand. Or, equally frightening, ransomware with an ability to infect, lay dormant, prevent backups and launch a future demand. A recent survey by AIG indicates that most IT professionals believe blanket coordinated attacks are on the near horizon. Attacks that could simultaneously affect tens to hundreds of victims in a particular industry – likely through vulnerabilities contained within software of a common nexus.

Combine that coordinated approach with an attack like this, and it could spell disaster in more ways than one. Not to mention it would also likely cause surges in insurance premiums on those affected industries.

The larger point to be made here though, is, despite the low demand and unintelligent nature which may communicate a false sense of security to the public, it’s important to remember the way these attacks may evolve and improve, and just how damaging they can be.

What’s hot on Infosecurity Magazine?