WannaCry, the newest threat to cyber security, combines the potent aspects of both ransomware and worms with devastating impact.

On Friday, May 12th, the “WannaCry” network worm joined the ranks of Conficker and Code Red. It has infected tens of thousands of systems worldwide, and the count is still climbing. Among those victimized were England’s National Health Service, automobile manufacturers, and government systems. The worm’s ominous red ransom screen, informing the user that all files have been encrypted, was found not only on users’ desktops, but also on ATM screens, parking meters, digital billboards, and industrial control system interfaces.

College textbooks on computer security have a table of terms for malicious software, including “virus,” “worm,” “Trojan horse,” and (more recently) “ransomware.” Neatly-defined categories are useful when a professor wants to give a multiple-choice test, but the real world is no longer so well-defined. WannaCry combines the defining characteristics of both ransomware and worms.

The Dangerous Combination of Ransomware and Worms

A network worm is a type of malicious software that spreads from machine to machine autonomously, typically by exploiting a common vulnerability. Worms that infect large numbers of hosts are less common than other types of malware, because a worm needs a reliable exploit for a widespread vulnerability that is reachable over the network. The recent Server Message Block (SMB) vulnerability in Microsoft Windows (addressed by the MS17-010 update) has readily-available exploit code and, despite being patched by Microsoft in March, many organizations have not applied the fix. This gives WannaCry a target-rich environment in which to spread.

Most users and organizations are more familiar with ransomware than with worms; in fact, many have first-hand experience.
Combining the rapid and broad spread of a network worm with the damage and monetary demands of ransomware makes for a painful world-wide incident. In a post several months ago, I discussed the evolution of ransomware away from spreading mechanisms that rely on tricking the user and toward exploitation of IT infrastructure vulnerabilities.

Who is to blame?

The knee-jerk reaction of the security community is to point the finger at the victims: they should have already applied the patches that fix the SMB vulnerability. The patches have been available for a couple of months now. Still, some contend that this is not a realistic expectation. There are devices that cannot be patched easily by the end user (including medical devices and manufacturing equipment), and there is software that must be tested extensively before it is run on a modified operating system.

To Patch or Not to Patch

Should you patch? The answer seems obvious, but it is more nuanced. When a security advisory is published, you should patch as many systems as you can, as soon as you can. The security industry’s advice to clients can’t end there, however. You already know that patches occasionally cause as many problems as they fix, destabilizing systems and causing incompatibility with software and hardware. A balance has to be struck: the majority of systems, those running typical desktop software, get patched automatically and quickly, while testing determines whether the patch is safe for the more mission-critical systems. For critical security advisories the decision comes down to one question: is the risk presented by a new patch greater than the near-certainty of infection by something like WannaCry if the patch is not applied?

Implications of Not Patching

The decision not to patch a system, such as an old workstation connected to a medical imaging device, is not to be taken lightly.
You might be forced to keep a vulnerable software version because of incompatibilities and a lack of vendor support. That means you have to take further action to secure that system. Network segmentation and isolation are key elements of defending these systems, so implement firewalls and access controls that prevent other systems from communicating with the vulnerable devices unless they have an operational need to do so. For a worm that spreads over SMB, that means blocking TCP port 445 (and the legacy NetBIOS session port, 139) into and out of the isolated segment except for the specific hosts that must talk to the device, and it means logging every connection that crosses that boundary.

Future outbreaks of malicious software are likely to carry damaging and expensive ransomware payloads. Keeping up to date with operating system and software patches is important. When it is not possible to patch, it is your responsibility to implement security controls and intensive monitoring around the otherwise-vulnerable systems, or reap the consequences.
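The following is an added example, not code from the article or its author, of what the "segment it and watch it" advice looks like in practice: an explicit allow-list for traffic crossing the boundary of an isolated segment that holds an unpatchable workstation, plus a monitor that replays connection log lines against that policy and also flags any source that fans out to many hosts on the SMB ports, which is how a worm like WannaCry behaves once it lands. Every address, port, rule, threshold and log line here is constructed for the example (the isolated segment 10.50.0.0/24, the imaging workstation 10.50.0.10, the PACS server 10.20.0.5 and the syslog collector 10.20.0.9 are hypothetical), and the log format is a made-up "timestamp src dst dport proto" line; adapt the parser to whatever your firewall or flow collector exports.

```python
import ipaddress
from collections import defaultdict

# --- Constructed assumptions for this example (not from the article) ---
ISOLATED = ipaddress.ip_network("10.50.0.0/24")   # segment holding the unpatchable workstation
SMB_PORTS = {445, 139}                            # SMB over TCP, and SMB over NetBIOS session

# Explicit allow rules for traffic crossing the segment boundary:
# (source network, destination network, destination port). Anything else that
# crosses the boundary is a violation; this mirrors a default-deny firewall policy.
ALLOW_RULES = [
    (ipaddress.ip_network("10.20.0.5/32"), ISOLATED, 445),  # PACS server pushes images to the workstation
    (ISOLATED, ipaddress.ip_network("10.20.0.9/32"), 514),  # workstation ships syslog to the collector
]

# Distinct hosts one source may contact on an SMB port before we call it worm-like.
# Five is a constructed value; tune it to your network's normal file-server fan-out.
SCAN_THRESHOLD = 5


def parse_line(line):
    """Parse a constructed 'timestamp src dst dport proto' log line."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower()


def crosses_boundary(src, dst):
    """True when exactly one endpoint is inside the isolated segment."""
    return (src in ISOLATED) != (dst in ISOLATED)


def allowed(src, dst, dport):
    """Default deny across the boundary; traffic that never touches the segment is out of scope here."""
    if not crosses_boundary(src, dst):
        return True
    return any(src in s_net and dst in d_net and dport == port for s_net, d_net, port in ALLOW_RULES)


def analyze(log_lines):
    """Return (denied, scanners).

    denied:   every boundary-crossing connection the allow-list does not permit
    scanners: sources that contacted SCAN_THRESHOLD or more distinct hosts on SMB ports
    """
    denied = []
    smb_targets = defaultdict(set)
    for line in log_lines:
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "tcp" and dport in SMB_PORTS:
            smb_targets[src].add(dst)
        if not allowed(src, dst, dport):
            denied.append((ts, str(src), str(dst), dport))
    scanners = sorted(str(s) for s, targets in smb_targets.items() if len(targets) >= SCAN_THRESHOLD)
    return denied, scanners


# Constructed sample: a legitimate PACS transfer, a syslog line, an outside host
# sweeping 445 across the LAN and into the segment, and the workstation itself
# reaching out over SMB (which should never happen and suggests it is infected).
SAMPLE_LOG = """\
2017-05-12T09:14:02 10.20.0.5 10.50.0.10 445 tcp
2017-05-12T09:14:05 10.50.0.10 10.20.0.9 514 udp
2017-05-12T09:15:11 10.10.4.77 10.50.0.10 445 tcp
2017-05-12T09:15:12 10.10.4.77 10.10.4.1 445 tcp
2017-05-12T09:15:12 10.10.4.77 10.10.4.2 445 tcp
2017-05-12T09:15:13 10.10.4.77 10.10.4.3 445 tcp
2017-05-12T09:15:13 10.10.4.77 10.10.4.4 445 tcp
2017-05-12T09:16:40 10.50.0.10 10.10.4.50 445 tcp
""".splitlines()

if __name__ == "__main__":
    denied, scanners = analyze(SAMPLE_LOG)
    for entry in denied:
        print("DENY", *entry)
    for source in scanners:
        print("SMB fan-out from", source)
```

The allow rules are the same ones you would load into the firewall between the segments; the script is the monitoring half, run over that firewall's connection log (including the connections it already blocked, which is exactly where a worm probing the segment shows up). Note that the workstation's own outbound SMB attempt is caught by the default-deny rule even though the workstation is the "protected" host: an unpatched machine is a source of spread as well as a target, so the boundary has to be enforced in both directions.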