What do we learn from WannaCry?
In May last year a number of high-profile organisations had the files on their computers encrypted and locked from use when the WannaCry ransomware worm spread across the internet. Supposedly, if these organisations paid a fee in Bitcoin they could have had their files decrypted and restored to use. The affected sites all had one thing in common: they were all running unpatched Microsoft Windows. WannaCry spread very quickly, but luckily an internet security researcher quickly identified a way to switch it off, giving the system owners time to resort to backups and apply those all-important updates. If you'd like to read a good review of this particular outbreak, see Josh Fruhlinger's article from CSO.
The lesson from this is simple: take regular backups and keep your software up to date.
There are other reminders from this outbreak, too. Here's my housekeeping list, learnt over the years:
- Use strong passwords and two/multi-factor authentication
- Never leave a default password in place but change it to something strong
- Take backups at appropriate intervals and test the restore regularly
- Encrypt your data
- Close off any services you don't use, including microphones, cameras and software services
- Delete user accounts that are no longer needed
- Keep your software up to date
- Don't run software from untrusted sources
- Think and choose carefully when installing new things on your network
- If you're an ISP implement BCP46 on your network and sign up to MANRS
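The backup item on that list is the one most often done half-way: the archive exists, but nobody has ever tried restoring it. As an added example (not code from the original post), here is a POSIX shell script that takes a backup of a directory, records a SHA-256 manifest of the live files, restores the archive into a scratch directory and verifies every restored file against the manifest. It also shows the failure mode that matters: an archive that has been damaged after it was taken fails the restore test instead of being trusted. It assumes GNU tar, sha256sum and mktemp are available; the sample files and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Back up a directory, keep a
# checksum manifest, then prove the backup restores correctly.
# Assumes GNU tar, sha256sum and mktemp; sample data below is constructed.
set -eu

# Constructed sample data standing in for real user files.
make_sample_data() {
    mkdir -p "$1/docs" "$1/config"
    printf 'quarterly report\n' > "$1/docs/report.txt"
    printf 'key=value\n' > "$1/config/app.conf"
}

# Archive SRC into ARCHIVE and write a SHA-256 manifest beside it.
# The manifest is taken from the live tree, so a later restore is checked
# against what the data looked like at backup time, not against the archive.
take_backup() {
    src="$1"; archive="$2"
    (cd "$src" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$archive.sha256"
    tar -C "$src" -cf "$archive" .
}

# Restore ARCHIVE into a fresh scratch directory and verify every file against
# the manifest. Returns 0 only if the restore is complete and byte-identical.
verify_restore() {
    archive="$1"
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    restore_dir="$(mktemp -d)"
    if tar -C "$restore_dir" -xf "$archive" 2>/dev/null \
       && (cd "$restore_dir" && sha256sum -c --status "$manifest"); then
        status=0
    else
        status=1
    fi
    rm -rf "$restore_dir"
    return $status
}

# Round trip: backup, restore, verify. Returns 0 when the restore checks out.
backup_roundtrip() {
    work="$(mktemp -d)"
    make_sample_data "$work/data"
    take_backup "$work/data" "$work/backup.tar"
    if verify_restore "$work/backup.tar"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

# Failure mode: the archive is damaged after it was taken (simulated here by
# truncating it). A restore test must catch this; returns 0 when verification
# correctly rejects the damaged backup.
corruption_is_detected() {
    work="$(mktemp -d)"
    make_sample_data "$work/data"
    take_backup "$work/data" "$work/backup.tar"
    head -c 1024 "$work/backup.tar" > "$work/damaged.tar"
    mv "$work/damaged.tar" "$work/backup.tar"
    if verify_restore "$work/backup.tar"; then status=1; else status=0; fi
    rm -rf "$work"
    return $status
}

if backup_roundtrip; then echo "restore verified"; else echo "restore FAILED"; fi
if corruption_is_detected; then echo "damaged backup rejected"; else echo "damaged backup NOT detected"; fi
```

The point of keeping the manifest separate from the archive is that a corrupted or tampered archive cannot vouch for itself; the restore is judged against what the files were when the backup was taken. Run the round trip on a schedule, not once.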
Helpful guides exist in a number of good places. The Australian Signals Directorate has the Essential Eight.
From all reports WannaCry didn't actually make much money for the perpetrators compared with the money it cost. Although A$200,000 was the approximate amount according to the Guardian last year, and that's an (in)decent amount in my books. Until the police closed in on the accounts...
Mind you, I don't believe the people who paid got the decryption keys either. So perhaps that's the other big lesson. Don't pay ransoms if you get a ransomware attack.