Shimon Oren
How to Prepare for 'WannaCry 2.0'

It seems inevitable that a more-powerful follow-up to last year's malware attack will hit sooner or later. You'd better get prepared.

More than a year after it first struck, WannaCry is still one of the most damaging cyberattacks to date. It cost the global economy billions of dollars, although the impact goes far beyond the money.

Although companies incurred substantial monetary damages, WannaCry is the clearest example of the physical impact a malware attack can have on critical infrastructure, such as rail systems and hospitals. This can be the case even when the attack does not target or run on industrial control systems, medical devices, or Internet of Things devices. WannaCry was "standard" malware aimed at Windows machines, and yet it affected day-to-day life by preventing employees from getting to work and patients from receiving uninterrupted medical care.

It's important to understand the longer-term effects of WannaCry on the cyber ecosystem, and what security professionals should be aware of, because we'll likely see "WannaCry 2.0" at some point.

We are currently in a "WannaCry 1.5" phase, which is not causing the same level of damage but is still cause for concern. Every day, mutations of WannaCry (some minimal, others significant) appear and are used by ransom-hungry hacking groups. As malware becomes more sophisticated, the chance that a WannaCry 2.0 becomes real increases. The underlying factors that made WannaCry so successful for its creators are still relevant:

  • Patching: Organizations are not implementing patching cycles in a timely manner. For example, a patch for the vulnerability exploited by EternalBlue was available in March 2017, but WannaCry was still able to infiltrate systems two months later, in May 2017, because organizations had delayed patching.
  • Hacker persistence: Zero-day and one-day vulnerabilities are still appearing and being used in the wild. Hackers, including independent and nation-state groups, are looking for the right opportunity to spread a ransomware strain that could have the same (or better) lateral movement capabilities as WannaCry.

This type of looming cyber threat is the "new normal" in today's world, but it's important to understand how we got here, where we are now, and what we can do to better protect against such threats in the future.

Industry and Public Pressure on Government Agencies
The long-term effects of WannaCry are still being felt by many organizations, and it has been a cause for debate at both the enterprise and government level. Industry and the public are putting pressure on government agencies, and for good reason. Government agencies have been part of the cyber ecosystem for several years now. They no longer enjoy the luxury of public and economic indifference to their cyber-related research and operations, as was the case in the late 1990s and early 2000s. They need to opt for responsible disclosure of vulnerabilities in a way that balances national security interests on the one hand and keeping cyberspace as safe as possible for individuals and corporations on the other. If exploits and vulnerabilities are not in use, or are not needed, they should be disclosed before they are discovered or leaked.

First, government agencies that discover vulnerabilities must prevent them from leaking and keep them in the hands of the good guys. Second, agencies must be timelier in their disclosures. If a vulnerability or an exploit cannot (or can no longer) be leveraged to provide a tangible contribution to national security interests, it should be disclosed. The same should apply to vulnerabilities that are extremely severe and easily exploitable: if those are leaked or discovered by hackers, the effect could be catastrophic. Surveying the NSA/CIA leaks of the past year or so, it is obvious that some of the vulnerabilities discovered were held for a long time and were most likely never used.

To change this current culture, government agencies must adopt clear policies. Of course, they do not have to disclose everything for the sake of national security, but they must own their faults in order to fix the problem.

Unfortunately, code and capabilities leaked from government agencies are continuously trickling down to everyday malware attacks — WannaCry and EternalBlue, for example. We are seeing malware strains built from leaked code more frequently and at an expedited pace. Leaked exploits are always a hit in Dark Web hacking forums and find their way even into cryptomining malware, such as miners of Monero. Attacks will become more sophisticated over time, which puts added pressure on enterprises to implement a strong cyber defense plan.

Implications for the Enterprise
Vulnerabilities are being disclosed on a daily basis, and many enterprises are overwhelmed and cannot patch at the fast pace that's required. This issue keeps many IT professionals and C-level executives up at night as hacker groups look to execute exploits at a mass scale to target employees, customers, and stakeholders.

To help mitigate some of this risk, security professionals within the enterprise must keep the following in mind:

  • Understand vulnerability databases: IT and security professionals need to take the time to understand newly disclosed vulnerabilities and assess how they will affect the company. A thorough risk assessment that establishes how severe the threat is and how quickly it can be exploited will inform what the next action should be and the appropriate timeline for executing it.
  • Out-of-the-ordinary workflow: Timely patching can be a huge burden on an organization, so think of new ways to streamline patching and update systems accordingly, whether that means dedicating a small team to focus solely on patching or using solutions powered by artificial intelligence to help detect vulnerabilities. This will leave executives more time to dissect, patch, and properly respond to the threat.
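The two points above, together with the patching factor listed earlier, describe a risk assessment that decides what to patch first and on what timeline. The following is an added example, not code from the article or its author, showing one way to put that into practice: a small Python prioritizer run over a constructed vulnerability inventory. It scores each finding by CVSS severity plus the factors that made WannaCry possible (a public exploit, network exposure, an important asset), maps the score to a remediation window measured from the patch release date, and reports which items are already overdue on a given day. The scoring weights, tier thresholds, SLA windows, asset names, VULN-* identifiers and the snapshot date are all assumptions chosen for illustration.

```python
"""Risk-based patch prioritization over a constructed vulnerability inventory.

Added example; the weights, thresholds and SLA windows are assumed policy
values, not figures from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Dict


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # constructed placeholder ids, not real CVE numbers
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_public: bool    # a working exploit is circulating (e.g. leaked tooling)
    internet_exposed: bool  # the vulnerable service is reachable from outside
    criticality: int        # business criticality of the asset: 1 (low) .. 3 (critical)
    patch_released: date    # vendor fix availability date


# Remediation window per tier, in days from patch release (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def priority_score(f: Finding) -> float:
    """Start from severity and add the factors that turn a bug into a worm:
    a public exploit, exposure, and asset importance."""
    score = f.cvss
    if f.exploit_public:
        score += 2.5
    if f.internet_exposed:
        score += 1.5
    score += (f.criticality - 1) * 1.0
    return round(score, 1)


def tier(score: float) -> str:
    """Map a combined score to a remediation tier (assumed thresholds)."""
    if score >= 11.0:
        return "critical"
    if score >= 8.0:
        return "high"
    if score >= 5.0:
        return "medium"
    return "low"


def deadline(f: Finding) -> date:
    """Remediation deadline counted from the day the patch became available,
    so a fix that sat unapplied for two months shows up as overdue."""
    return f.patch_released + timedelta(days=SLA_DAYS[tier(priority_score(f))])


def prioritize(findings: Iterable[Finding], today: date) -> List[Dict]:
    """Return findings ordered by score (highest first), with tier, deadline
    and the number of days each one is past its deadline on `today`."""
    rows = []
    for f in findings:
        score = priority_score(f)
        due = deadline(f)
        rows.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "score": score,
            "tier": tier(score),
            "due": due,
            "overdue_days": max(0, (today - due).days),
        })
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


# Constructed inventory: five findings on a fictional network.
INVENTORY = [
    Finding("file-server-01", "VULN-A (SMB remote code execution)", 8.1, True, True, 3, date(2017, 3, 14)),
    Finding("hr-laptop-07", "VULN-B (browser memory corruption)", 8.8, False, False, 1, date(2017, 4, 3)),
    Finding("intranet-wiki", "VULN-C (stored cross-site scripting)", 5.4, False, False, 2, date(2017, 4, 20)),
    Finding("build-box-02", "VULN-D (local privilege escalation)", 7.8, True, False, 2, date(2017, 4, 25)),
    Finding("print-server", "VULN-E (information disclosure)", 3.1, False, False, 1, date(2017, 2, 1)),
]

# Constructed snapshot date for the report.
SNAPSHOT = date(2017, 5, 12)


if __name__ == "__main__":
    for r in prioritize(INVENTORY, SNAPSHOT):
        state = f"OVERDUE by {r['overdue_days']}d" if r["overdue_days"] else "on track"
        print(f"{r['tier']:<8} {r['score']:>5}  {r['asset']:<15} due {r['due']}  {state}  {r['vuln_id']}")
```

The point of measuring the window from the patch release date rather than from the day the ticket was opened is that it makes the "patch available in March, exploited in May" gap visible as a 52-day overdue item at the top of the report, rather than hiding it behind an internal intake date.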

It's just a matter of time until WannaCry 2.0 is here, so understanding the cause of such an attack and having the right processes in place will be crucial for businesses to protect their assets.


Shimon Oren is an experienced cybersecurity professional focused on threat intelligence and process management, and is responsible for leading change processes and organizational transformations. Prior to this role, Shimon worked for the Israel Defense Forces as head of their ...
