What should we learn from WannaCry? All of those ransomware outbreaks we have been dealing with since last year were overshadowed this past week by WannaCry.  This has been called the most destructive attack ever.  The most concerning part is that was how bad it was but the US wasn’t hit that hard.  When these kinds of things happen it is always a good idea to review what you learned from the outbreak and any necessary changes you need to make to protect you from this one happening to you.  What should we learn from WannaCry?

Episode 104 makes it officially 2 years!

HIPAA For MSPs What Should We Learn From WannaCry?
00:00:00 00:00:00

In this episode:

WannaCry

Disable SMBv1

Five tips from Databraches.net on stopping this attack if it hits you.

Boot Camp recap

  • Some things we will change but overall really good feedback
  • Shout out to all of the grunts
  • Working on the when and where for doing it again

Amazon give away

  • Anton wins
  • Creative entries from some folks
  • Lots of single entries and then boot campers got 3 each

Speaking

  • South GA MGMA – June 21, 2017, Valdosta, GA
  • The Atlanta Association of Legal Administrators – July 19, 2017, Atlanta, GA
  • North Metro MGMA – Oct 17, 2017, Kennesaw, GA
  • Georgia Association of Orthopedic Executives, Nov 2017

Wannacry Timeline

  • Friday lunch break, Daniel the camera guy, shows us an alert about NHS in England getting hit.
  • We review it a bit but had no idea what was coming at that point
  • Everyone started getting alerts that the thing was spreading like wildfire
  • Ironically, the session we did after lunch was responding to a Ransomware attack
  • There are still concerns that it is morphing and will grow again but for now, it has been slowed down.
  • Already called one of the most destructive cyber attacks we have ever seen

With all that activity it is certainly a case you should follow even if you didn’t get hit.  So….

What should we learn from WannaCry?

First, what is this thing?

  • Uses the NSA tools from Wikileaks
  • Uses a known Microsoft vulnerability to spread across a whole network if it can just get a toehold when one user clicks on the phishing email (some may have been by RDP)
    • Estimates of 200,000 infections worldwide in one day

A financial times article had a great timeline article.

  • Timeline
    1. On Friday morning Spanish mobile operator Telefónica 1st large organization to report WannaCry attack
    2. By late morning, hospitals and clinics across the UK began reporting problems to the national cyber incident response center
    3. In Europe, French carmaker Renault was hit; in Germany, Deutsche Bahn became another high-profile victim
    4. In Russia, the ministry of the interior, mobile phone provider MegaFon, and Sberbank became infected.
    5. Although WannaCry’s spread had already been checked, the US was not entirely spared, with FedEx being the highest-profile victim

What has stopped it for now

  • Researcher registered a domain name
  • Microsoft released patches for XP, 2003, & 2008
    • Note to self – if you had blocked internet access for those machines they wouldn’t have been stopped by the researcher’s domain fix
    • Same goes for blacklisting

What are the lessons?

While we are asking ourselves “What should we learn from WannaCry” maybe everyone else hasn’t yet.  Here is our list of things we learned and should evaluate further.

  • NSA leaks look like they are something that may bite us all at one point or another since even more came out today
  • NSA kept the info from Microsoft who didn’t fix it until after it was released
    • Microsoft patched active support systems in March
  • HIPAA patch management rules would protect you from the worst of it
  • Windows XP, 2003, 2008 are a big problem if they are out there
  • Disable the Windows SMBv1 feature

Databreach Today had a good 5 point list of how to stop it

  1. Install MS17-010
  2. Install XP, etc. emergency windows patch
  3. Disable SMBv1
  4. Block SMBv1
  5. Shutdown

NSA leaks led to Wannacry outbreak in just a few weeks.  The criminals haven’t finished using the spy tools.  Wanna cry is just the beginning of a whole new wave and style of attacks.  I think this one was so successful it even stunned the creators. They had no idea it would be that successful.  Everyone should be thanking the tech who saved the world with one discovery and quick response.  The US was lucky this time.  It could have been way worse than it has been so far.  What should we learn from WannaCry?  We should get busy because the criminals certainly have new toys to play with and use against us.

Remember, HIPAA is not about compliance, it’s about patient care.