It didn’t have to happen.
That’s the simple yet profound lesson from WannaCry’s ransomware rampage that has infected 300,000-plus systems in more than 150 countries, disrupting critical operations across industries, including healthcare, government, transportation and finance.
If vulnerable systems had been patched and maintained as part of a proactive and comprehensive system configuration and vulnerability management program, the attack would have been a dud, barely registering on anyone’s InfoSec radar.
“WannaCry was totally preventable with the proper patching and the proper build configurations,” Qualys’ Chief Information Security Officer (CISO) said during a webcast this week. “That’s a reminder to all of us that you didn’t have to be a victim.”
There are various workarounds for mitigating the underlying WannaCry vulnerability, but those are stopgap measures. "The primary way to remediate this vulnerability is through disciplined and timely patching," Qualys Product Management Director Jimmy Graham said during the webcast, titled "How to Rapidly Identify Assets at Risk to WannaCry Ransomware."
The WannaCry ransomware — formal name WanaCrypt0r 2.0 — spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March.
The vulnerability, in Windows’ SMB (Server Message Block) protocol and described in security bulletin MS17-010, was rated “Critical” at the time by Microsoft due to the potential for attackers to execute remote code in affected systems.
The EternalBlue exploit was developed by the U.S. government’s NSA (National Security Agency) and stolen by the Shadow Brokers hacker group, which released it along with many other NSA exploits in April.
By combining the instant disruption of ransomware — encrypting files on affected systems — with a worm’s agility to spread quickly and laterally, WannaCry unleashed the mayhem that began on Friday.
“This was a very widely deployed campaign and it happened relatively quickly,” he said. “We’ll see more of this type of attack pattern.”
Already, a new version of WannaCry has been released that, unlike the first one, isn’t susceptible to a “kill switch” domain, and other ransomware, like Uiwix, has started using the exploit.
During the webcast, Graham outlined several takeaways for InfoSec teams from WannaCry, including:
“Visibility is an absolutely fundamental requirement,” he said.
Key to compiling a complete IT asset inventory is using both network-based scanners and system agents.
Scanning is great for giving organizations total coverage of their internal environment, but agents provide additional helpful data and are important for systems like workstations, especially if they’re laptops that are intermittently connected to the network, Graham said.
At this point, Qualys’ internal data shows that 47.3% of Windows hosts are still unpatched and almost 6% of detected Windows installations are unsupported – or “end of life” – versions. “That’s positive progress, but there is still work to do,” he said.
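To make the scanner-plus-agent point concrete, here is an added example (not Qualys code or product output) that reconciles two constructed inventories: a network scan, which only sees hosts that answered during the scan window, and agent check-ins, which also cover laptops that were off the network. The merged view is then bucketed into hosts patched for MS17-010, hosts still unpatched, and hosts on end-of-life Windows versions that cannot take the regular update. Every hostname and patch list below is constructed; the inventory record format, the `END_OF_LIFE` set and the field names are assumptions for the example, and the bulletin name MS17-010 is used as the patch identifier because that is what the post references.

```python
"""Reconcile network-scanner and agent inventories and flag MS17-010 exposure.

Added example, not Qualys code. All hosts and patch lists are constructed;
the record format and the END_OF_LIFE set are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Versions treated as end of life for this example (assumption).
END_OF_LIFE = {"Windows XP", "Windows Server 2003"}
REQUIRED_PATCH = "MS17-010"  # the Microsoft bulletin named in the post

# Constructed scanner output: only hosts that answered on the network during the scan.
SCANNER_RESULTS = [
    {"hostname": "fileserver01", "os": "Windows Server 2008 R2", "patches": ["MS17-010"]},
    {"hostname": "dc01", "os": "Windows Server 2012 R2", "patches": []},
    {"hostname": "legacy-app", "os": "Windows Server 2003", "patches": []},
]

# Constructed agent check-ins: includes laptops that were off the network during the scan.
AGENT_RESULTS = [
    {"hostname": "FileServer01", "os": "Windows Server 2008 R2", "patches": ["MS17-010"]},
    {"hostname": "laptop-042", "os": "Windows 7", "patches": []},
    {"hostname": "laptop-117", "os": "Windows 10", "patches": ["MS17-010"]},
]


@dataclass
class HostRecord:
    hostname: str
    os: str
    patches: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)  # which collectors saw this host


def merge_inventories(scanner: Iterable[dict], agent: Iterable[dict]) -> Dict[str, HostRecord]:
    """Union the two views, keyed on a case-normalised hostname."""
    merged: Dict[str, HostRecord] = {}
    for source, records in (("scanner", scanner), ("agent", agent)):
        for rec in records:
            key = rec["hostname"].strip().lower()
            host = merged.setdefault(key, HostRecord(hostname=key, os=rec["os"]))
            host.patches.update(rec["patches"])
            host.sources.add(source)
    return merged


def classify(host: HostRecord) -> str:
    """Bucket a host by its MS17-010 status."""
    if host.os in END_OF_LIFE:
        return "end_of_life"  # regular updates no longer ship; needs the out-of-band patch
    if REQUIRED_PATCH in host.patches:
        return "patched"
    return "unpatched"


def summarize(merged: Dict[str, HostRecord]) -> dict:
    """Counts and sorted host lists per bucket, plus hosts only the agents saw."""
    buckets: Dict[str, List[str]] = {"patched": [], "unpatched": [], "end_of_life": []}
    for host in merged.values():
        buckets[classify(host)].append(host.hostname)
    total = len(merged)
    return {
        "total": total,
        "patched": sorted(buckets["patched"]),
        "unpatched": sorted(buckets["unpatched"]),
        "end_of_life": sorted(buckets["end_of_life"]),
        # Hosts a scan-only inventory would have missed entirely.
        "agent_only": sorted(h.hostname for h in merged.values() if h.sources == {"agent"}),
        "pct_unpatched": round(100.0 * len(buckets["unpatched"]) / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    report = summarize(merge_inventories(SCANNER_RESULTS, AGENT_RESULTS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the merged report; the point to notice is that a scan-only run would report three hosts and miss both laptops, one of which is unpatched, which is exactly the gap the agents close.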
“We’ll need to move to a faster response capability,” he said.
“If, for whatever reason, there is an exploit that gets in and you have systems that are taken advantage of and compromised, what’s your recovery plan?” he said.
Qualys has added a full set of QIDs and capabilities for dealing with this situation, dating back to March when Microsoft issued its first patch for the Windows SMB vulnerability (QID 91345), as well as for the EternalBlue exploit and for the emergency Microsoft patch for unsupported Windows versions. More detailed information can be found here:
With Qualys’ AssetView, Vulnerability Management and ThreatPROTECT, organizations can generate a complete IT asset inventory — all hardware and software on premises, in the cloud and mobile endpoints — continuously detect their vulnerabilities using scanners and agents, and help continually prioritize remediation.
All IT and security data is stored and analyzed in the highly-scalable, centrally-managed Qualys Cloud Platform, and is accessible via a robust search engine, can be visualized via customizable dashboards and widgets, and shared through reports tailored for different stakeholders.
Listen to the webcast to get in-depth explanations about the WannaCry attacks, learn best practices for prevention and response, and find out how AssetView, VM and ThreatPROTECT keep your organization safe from this and other cyber threats.