WannaCry, believed to be the largest ransomware attack in history, spread with dizzying speed, infecting more than 200,000 systems in more than 150 countries around the globe, including payment systems in China and other countries.
The attack, which some have sourced to North Korea, initially appeared to target British NHS healthcare institutions. Leveraging a publicly available exploit kit, the attackers inflicted widespread damage across multiple industries by targeting unpatched Windows operating systems that exploited a Windows SMB vulnerability (MS17-010). As customary of ransomware attacks, the resulting WannaCry threat locked files in the computer, requiring victims to pay the perpetrator to regain control of their systems.
However, while WannaCry continues to break new records, the malware likely signals more prolific, destructive and nefarious attacks in the not-too-distant-future.
What’s more, WannCry’s full effect has likely not yet been realized. The reason? The WannaCry attack is still classified as a “known unknown” malware variant.
Specifically, attackers used a publicly available exploit that targeted unpatched systems. Sadly, the attack could have been prevented. Signatures exist for the original attack profile and a baseline had been established for future analysis that should have led to discovery and potential prevention by predictive antivirus platforms had the OS updates been in place.
Looking ahead, organizations should prepare for additional variant attacks from the same malware authors, crime syndicates and additional nation states. And we can expect the next wave will most likely increase in sophistication and proliferation as modifications are made to their infection techniques.
Based on WannaCry’s previous success, it’s likely the next wave of attackers will create a truly unknown-unknown attack, or an attack in which no evidence or indicators of previous malicious intent exist and no known operating system patch has been developed. Unlike WannaCry, this attack will easily evade both unpatched and patched operating systems while predictive defense technologies will likely be blinded without that comparator.
For enterprises, that means ensuring all OS patches are current, including all service packs, hotfixes and security updates.
Organizations regularly behind the patch curve should also deploy a threat agnostic malware defense layer that is able to protect the network from data manipulation, encryption and exfiltration, regardless of operating system status.
Because, in light of this anticipated evolution, the threat landscape will call for solutions to not only stop both known and known-unknown attacks like WannaCry, but the nebulous unknown-unknown attacks expected in the days ahead.
