May 12, 2017 now marks an unwelcome milestone in hacking history; the largest-ever ransomware attack occurred that day, affecting thousands of private and public sector agencies across 150 countries. No one has claimed responsibility for the attack—dubbed “WannaCry”—but it is a sobering reminder of how vulnerable our computer systems can be, whether we are individual computer users, large corporations, non-profits or vast government agencies. Britain’s National Health Service was one of the most affected by the massive ransomware attack, but the attack also wreaked havoc with companies such as FedEx, Renault, Telefónica and MegaFon.
Ransomware can encrypt files, or gain control of devices that are connected to the Internet of Things (such as electrical grid controls or patient medical devices at a hospital). Encrypted files are less of a concern only if an organization has redundant backups and data security systems in place. Ransomware can be a lucrative form of cyber extortion; most attackers demand a ransom that is in proportion to what the breach will cost the target in terms of reputation, productivity, revenue or, in the case of a hospital, patient safety.
The hackers don’t even have to gain control of all systems or files; just the proof that hackers have gotten “inside” a network and could do more damage is often enough to scare an organization into paying a ransom fee. Hackers scale their demand according to how much the victim is willing and able to pay. In this most recent attack, the hackers’ messages demanded a ransom of $300 in bitcoin. It’s not known how many organizations paid the ransom, or whether the hackers unlocked the data they held hostage.
There are several aspects of this ransomware attack that are cause for alarm:
- The malware spread quickly and easily
- It spread broadly across the globe
- It dramatically impacted daily operations for those who were infected
- Security experts suspect that it is connected to a U.S. National Security Agency spy tool that was leaked
- It may inspire similar but different copycat attacks
Quoted in the New York Times, Chris Camacho, the chief strategy officer at Flashpoint, a New York security firm tracking the attacks, said:
“There is going to be a lot more of these attacks,” he said. “We’ll see copycats, and not just for ransomware, but other attacks.”
This time around, the malware was circulated by a phishing email, so it appears there was no link between this ransomware attack and a DDoS attack. However, it is known that a DDoS attack is often a precursor to a ransomware attack. Rather than launching large, volumetric attacks that cripple a website, hackers launch small, stealthy “smokescreen” attacks that are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware. Often the attacks are so small that they go unnoticed by IT security staff or legacy DDoS protection systems.
Short DDoS attacks might seem harmless, in that they don't cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for ransomware attacks or other more serious intrusions. To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it's essential that organizations maintain comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise.
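The following is an added example, not code from the original post, that illustrates why a short "smokescreen" burst slips past a long-window volumetric check but is caught by a per-second check against a rolling baseline. The traffic sample, the thresholds and the window sizes are constructed for illustration and are not from any real network.

```python
"""Contrast a long-window volumetric check with a per-second burst check on constructed traffic."""
from statistics import median

# Constructed sample (not real telemetry): packets per second seen at the network edge over
# one minute. Baseline is ~2,000 pps with a 5-second burst of 60,000 pps at seconds 30-34,
# the kind of brief spike the post describes as a "smokescreen" ahead of an intrusion.
SAMPLE_PPS = [2000] * 30 + [60000] * 5 + [2000] * 25


def legacy_volumetric_alerts(pps, window=60, threshold=20000):
    """Legacy-style detector: average the rate over a long window and alert only when that
    average exceeds a high, volumetric threshold. Returns a list of (window_start, average)."""
    alerts = []
    for start in range(0, len(pps), window):
        chunk = pps[start:start + window]
        avg = sum(chunk) / len(chunk)
        if avg > threshold:
            alerts.append((start, avg))
    return alerts


def short_burst_alerts(pps, history=10, factor=5, min_len=2):
    """Per-second detector: flag a second whose rate exceeds `factor` times the median of
    the preceding `history` seconds (the median resists being dragged up by the burst
    itself), then report runs of at least `min_len` flagged seconds as (start, end, peak_pps)."""
    flagged = []
    for t in range(history, len(pps)):
        baseline = median(pps[t - history:t])
        if pps[t] > factor * baseline:
            flagged.append(t)
    bursts, run = [], []
    for t in flagged + [None]:          # None is a sentinel that flushes the last run
        if run and (t is None or t != run[-1] + 1):
            if len(run) >= min_len:
                bursts.append((run[0], run[-1], max(pps[run[0]:run[-1] + 1])))
            run = []
        if t is not None:
            run.append(t)
    return bursts


if __name__ == "__main__":
    print("legacy volumetric alerts:", legacy_volumetric_alerts(SAMPLE_PPS))  # []
    print("short-burst alerts:", short_burst_alerts(SAMPLE_PPS))              # [(30, 34, 60000)]
```

The sustained-average check reports nothing because five seconds at 60,000 pps average out to under 7,000 pps over the minute, while the per-second check isolates the exact interval in which a firewall or IPS could have been pushed offline.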