WannaCry Ransomware: Lessons for the Channel

Evolve IP’s Scott Kinka says user education is most important in the aftermath of the global WannaCry ransomware attack.

Edward Gately, Senior News Editor

May 15, 2017


The massive WannaCry ransomware attack that began Friday, and struck at least 150 countries and 300,000 computers, appeared to be slowing Monday as organizations scrambled to protect themselves.

The software locks computers, and users are confronted with a screen demanding a $300 payment to restore their files.

Scott Kinka, Evolve IP’s chief technology officer, tells Channel Partners that while this “phishing” attempt may have been a new attack that was not necessarily blocked via spam filters, the vulnerability that was exploited has been patched in supported Microsoft operating systems since March. Windows XP devices that were affected have been out of support by Microsoft for some time.

“This was an unsophisticated attack, although slightly unique due to the size/volume,” he said. “The lesson for the channel is that most companies do not have a well-constructed, or well-executed desktop management strategy. This creates learning opportunities regarding the benefits of help desk, RMM (remote monitoring and management) and DRaaS (for those machines that are affected).”

There have been more than 4,000 daily ransomware attacks since early 2016 — a 300 percent increase since 2015. Victims paid a total of more than $24 million to regain access to their data in 2015 alone.

“Understanding and educating on how an attack works is really the area where the channel can help,” Kinka said. “Even … much of the media has this story wrong. The truth is that this is not a cybersecurity issue exclusively … there’s more to it. It’s also about the mitigation of user risk … proper cybersecurity hygiene. In other words, what is needed here is user education: Don’t open files that are suspect; keep your machines secure with proper patch management; and an effective disaster recovery (DR) plan … as in, have backups or replications that you can restore rather than paying ransom.”

Any major event like this becomes a referendum on security and disaster recovery, he said.

“So there is a window where the channel can take advantage of the opportunity,” Kinka said. “I personally think that businesses will erroneously make the decision that this (is) a complicated cybersecurity issue and place effort in securing the network perimeter, email, etc. This was not a zero-day attack (meaning an attack that has never been seen before and therefore could not be caught by standard security measures) … this was a vulnerability that has been known and has been patched by Microsoft for some time. I would think that even the attackers (who are likely criminal and not institutional) are even surprised by the widespread nature of the effects of the attack. Truthfully, the results are a referendum on desktop management.”

Usman Choudhary, VIPRE’s chief product officer, said ISPs have a “heavy responsibility to protect their customers that frankly they have not been following through on.”

“A good example are the distributed denial of service (DDoS) attacks that have wreaked havoc over the last several months — most DDoS attacks involve spoofed IP addresses, which ISPs could do a lot to help filter out of network traffic,” he said. “ISPs could also introduce additional filtering/warning systems. For the WannaCry example, they could have installed SMB filtering or intrusion prevention specifically to block propagation of that attack. There is always the risk of blocking too much, but in a world where hundreds of thousands of known-vulnerable systems are easily scannable on the ISP networks, and each of those known-vulnerable systems, if compromised, could easily infect others, then I think ISPs have an obligation to block fresh new ongoing attacks, at least temporarily (and, arguably, there is zero reason for SMB to be available outside of local networks).”

This global attack likely will be followed by others because there is no particular reason to believe that there’s a shortage of vulnerabilities for attackers to exploit, and no particular reason to believe that the attackers “will get dumber,” Choudhary said.

The attack was largely preventable, if only more Windows users had installed the security patch that Microsoft released for it two months ago and followed a few other security rules, said Marty Kamden, NordVPN’s chief marketing officer.

“Criminals took advantage of the fact that most people still don’t do enough to protect their computers,” he said.

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.