When the WannaCry ransomworm hit in May 2017, it infected over 300,000 systems in more than 150 countries, and the victims included hospitals, government agencies, universities, and major global corporations across Europe and Asia. That was just the beginning. In June, NotPetya (GoldenEye), another destructive ransomworm, hit hard in Ukraine, affecting power companies and shutting down Kiev’s main airport, and then spread outward into Europe and India. Some of the major companies affected included Maersk, DLA Piper, Evraz, Rosneft, Saint-Gobain, Mondelez, and the Heritage Valley Health System.
The two attacks had a number of technical similarities, but a few of those commonalities should make the hair on the back of your neck stand up.
- Neither ransomworm needed a zero-day to get in. Early reports tied NotPetya’s initial infections to malicious Office documents abusing a flaw fixed in the April 2017 Office update (see: Security update for Office 2016: April 11, 2017); the initial foothold was later traced to a compromised update of the M.E.Doc accounting software, a supply-chain vector that no endpoint patch would have blocked. WannaCry had no document stage at all: it went straight in over the network through the SMB flaw below.
- The “worm” side of both attacks used EternalBlue, an exploit for the SMBv1 vulnerability Microsoft had fixed in MS17-010 in March 2017 (see: Security Update for Microsoft Windows SMB Server: March 14, 2017). NotPetya also spread by harvesting credentials from memory and pushing itself to other hosts over PsExec and WMI, so fully patched machines were still hit wherever an infected neighbor held administrative credentials.
- The secondary infections needed no user action. Once one machine on a network was infected, the worm code scanned for and infected its neighbors on its own, with no email, link, or document involved.
The SMB vulnerability that did the spreading had a security patch available for about two months before WannaCry and more than three months before NotPetya.
“99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” — Verizon 2015 Data Breach Investigations Report (DBIR)
This means that almost all malware attack vectors are not zero-day exploits. Many are derived (in part) by reverse-engineering security patches to work out what was fixed and how to trigger it; in this case the exploit itself had been published by the Shadow Brokers in April 2017, a month after Microsoft’s patch, so attackers did not even have to do that work. What this says, and what the latest Microsoft Security Intelligence Report confirms, is that there are still too many unpatched or out-of-date systems. Yes. Patching is a chore. It can be tedious work, and most network administrators cringe at the thought of rolling out untested patches. According to the Security Intelligence Report, over 20% of Windows 7 PCs are not up to date with security patches. The unpatched rate for Windows 8 and 8.1 is approximately 10%, Windows 10 is at 5%, and Windows 10 Anniversary Update is below 3%.
Considering that Windows 7 still makes up a huge share of deployed workplace desktops, that translates into a lot of targets, and a lot of reasons for malware authors to keep hammering the insecure desktop space.
Now, more than ever, we need to appreciate and understand the importance of keeping antivirus and antimalware software current and patching operating systems. And we need to make sure that backup isn’t just a word: backups have to be taken regularly, kept somewhere the ransomware cannot reach, and tested by actually restoring from them.
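The first question a practitioner asks after reading the above is “is this host actually patched, and is SMBv1 still on?”. The script below is an added example, not code from the original post, that answers both for a single Windows machine and can turn SMBv1 off. It assumes an elevated PowerShell session; the KB numbers are the ones listed in Microsoft’s March 2017 MS17-010 bulletin for each OS family (confirm them against the bulletin for your build), and because later cumulative updates supersede those KBs, “no KB found” on an otherwise up-to-date host means “check the srv.sys version against the bulletin’s file table”, not “vulnerable”.

```powershell
# Added example (not from the original post): audit a Windows host for the
# MS17-010 fix that the WannaCry/NotPetya worm component exploited, and for
# SMBv1 still being enabled. Run in an elevated PowerShell session.
# KB numbers below are from the March 2017 MS17-010 bulletin; later cumulative
# updates supersede them, so an absent KB on a current host is a prompt to look
# further (srv.sys version), not proof of exposure.

function Test-Ms17010Patch {
    # Security-only and monthly-rollup KBs from MS17-010, by OS family.
    $kbs = @(
        'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',              # Windows Server 2012
        'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
    )
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID }

    # srv.sys carries the SMB1 server code; its version is what you compare
    # against the bulletin's file table when a rollup has superseded the KB.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Ms17010KbInstalled = [bool]$installed
        MatchingKbs        = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
        SrvSysVersion      = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys not present' }
    }
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the LanmanServer "SMB1" value; absent or 1 = enabled.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1Server {
    # Turning the SMBv1 server off removes the attack surface even where patch
    # state is uncertain. Test first: some legacy printers and NAS boxes still
    # speak only SMBv1, and they will stop working against this host.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 path; takes effect after a reboot.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Report, and warn on the combination the worms actually needed.
$patch = Test-Ms17010Patch
$smb1  = Test-Smb1Enabled
$patch | Format-List
"SMBv1 server enabled: $smb1"
if ($smb1 -and -not $patch.Ms17010KbInstalled) {
    Write-Warning 'SMBv1 is on and no MS17-010 KB is present: patch now, or run Disable-Smb1Server.'
}
```

Run it as-is to audit; call `Disable-Smb1Server` explicitly once you have confirmed nothing on the network still depends on SMBv1. For a fleet, wrap the two `Test-` functions in `Invoke-Command` against your computer list and collect the objects, since checking one box at a time is exactly the tedium that leaves hosts unpatched.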
Need help patching? Need to look at your security landscape for your business? I’d love to chat with you.