The recent global ransomware attack WannaCry locked up more than 200,000 computers in more than 150 countries over the weekend, including high-profile attacks on Britain's health system and global shipper FedEx.
Australia escaped the worst of the attack, though there have been reports of eight Australian SMBs affected. Local Australian security service providers told CRN how they had responded and what customers should do to protect their networks.
Sententia cyber security practice director Tony Vizza told CRN that failure to apply security updates was a big part of the problem. "A lot of what has been happening with this attack happened because systems hadn't been patched."
Vizza said organisations should focus on the basics: updating unpatched systems.
"WannaCry targets old machines that are unsupported. There need to be awareness about upgrading machines to current operating systems."
Australians were lucky to have dodged the worst of the global attack, but "if something quicker comes our way, we would be in trouble, especially health systems", said Vizza.
Patch, patch, patch
Adam Barker, technical director of Adelaide-based SecureWare, said the key point was patching.
"I have personally been telling people for at least the past eight years that patching is at the top of the list of things people should be doing but don't," Barker told CRN.
Customers face ransomware all the time, especially in Australia, said Barker – but WannaCry was different. "The interesting thing is that there is a worm functionality. You need exploit mitigation tools on old unsupported machines," Barker said.
"The takeaway is that educating users is really important. I think the culture is slowly changing with the media helping the community understand the threat and people being careful about what they click on."
Many have praised the British-based researcher who inadvertently stopped the outbreak.
The researcher, who tweets under @MalwareTechBlog, stumbled onto a way to temporarily limit the spread of the malware. He "sinkholed" the ransomware by registering a web address coded into the malware: before spreading, each infection tried to connect to that domain and carried on only if the connection failed, so once the domain was registered and answering, new infections stopped short of propagating. This "kill switch" bought time for organisations to patch vulnerable systems, with two caveats a defender should know: the check was a direct connection with no proxy support, so machines that reach the internet only through a proxy never saw the answer and kept spreading; and blocking the domain at a firewall or DNS filter has the same effect as leaving it unregistered, re-arming the worm inside the network.
Joseph Mesiti, sales director of North Sydney-based Enosys, said collaboration within the infosec community helped prevent a further catastrophe.
"The story for our team was about the community… at a time of great need people opened up their research. The security community as a whole shared information on threat-exchanges, Twitter, PasteBin and every other medium they could find to help. Vendors released research without requiring logins to customer portals," Mesiti said.
Enosys also played its part. Mesiti told CRN that his team spent Saturday morning sharing information with others, exchanging screenshots with colleagues interstate and aggregating IOCs [indicators of compromise] they felt might help.
"In the spirit of 'many hands make light work' the information from the community helped our customers – some of them considered critical infrastructure – to have rapid risk assessments and gap analysis performed before most people had finished their first coffee of the morning," Mesiti added.
Jon Paior, founder and chairman of Adelaide-based Geek, also commended the spirit of collaboration. "I have been very encouraged by the channel’s response. The entire channel mobilised quickly to effectively disseminate information and patch machines. Everyone in the industry I have seen is taking it with the level of severity it deserves."
The old rules still apply
Sydney managed services provider eNerds updated its CryptoShield and its proprietary product CryptoAlert to combat the virulent strain of ransomware.
Chief executive Jamie Warner told CRN that all eNerds' clients received a set of recommendations. He warned customers to remain vigilant and to avoid clicking on any links sent over email before checking that they came from a trusted sender.
Be ready for the next attack
Geek's Paior warned that the threat, although currently contained, was likely to return. "While that [kill switch] has stopped this iteration of WannaCry from accelerating its attack, it will be back," he said.
"It’s very likely that someone will reverse engineer this ransomware worm to generate an updated version, which you can guarantee will not contain a kill switch," Paior said.
Of the 1500 computers that Geek monitors, only two to three percent were vulnerable, and the company is in contact with those customers to make sure their systems are patched.
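The assessment Geek describes, working out which monitored machines are still exposed, can be scripted. The PowerShell below is an added example, not code from the article or from any of the providers quoted in it. It assumes a Windows host and an elevated session, and it assumes the MS17-010 KB list is correct for the Windows versions in play: that list is recalled here and should be checked against Microsoft's MS17-010 bulletin before it is relied on. A missing KB is reported as a warning rather than proof, because later cumulative updates supersede those KBs; the robust signal is whether SMBv1 is still enabled.

```powershell
# Added example: assess one Windows host's exposure to the WannaCry SMBv1 worm.
# Not code from the article or any vendor quoted in it. Run in an elevated session.
# ASSUMPTION: the KB numbers below are the MS17-010 patch set as recalled by the
# author of this example; verify them against Microsoft's bulletin before use.
$Ms17010Kbs = @(
    'KB4012598',              # Windows Vista / Server 2008 (also the out-of-band XP / 2003 fix)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server configuration directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older releases: SMB1 is on unless the LanmanServer 'SMB1' DWORD is present and 0.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return (-not $value) -or ($value.SMB1 -ne 0)
}

function Test-WannaCryExposure {
    $os        = Get-CimInstance Win32_OperatingSystem
    $build     = [int]$os.BuildNumber
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $kbFound   = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0
    # Windows 10 1703 (build 15063) and later shipped after the March 2017 fix,
    # so the KB list does not apply to them. Later cumulative updates on older
    # builds also supersede these KBs, hence "warning", not "proof".
    $builtIn   = $build -gt 14393
    $smb1      = Get-Smb1Enabled

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $build
        SMB1Enabled   = $smb1
        MS17010Seen   = $kbFound -or $builtIn
        LikelyExposed = $smb1 -and -not ($kbFound -or $builtIn)
    }
}

$report = Test-WannaCryExposure
$report | Format-List

if ($report.LikelyExposed) {
    Write-Warning 'No MS17-010 patch found and SMBv1 is enabled: patch now or isolate this host.'
}
if ($report.SMB1Enabled) {
    Write-Warning 'SMBv1 is enabled. Disable it unless a legacy dependency is documented:'
    Write-Warning '  Windows 8 / 2012 and later: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  Older releases (reboot required): Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Type DWORD -Value 0'
}
```

Across a fleet the same function can be pushed out with `Invoke-Command -ComputerName` against the monitored hosts and the objects collected into one table, which gives the "two to three percent" figure directly. Treat `SMB1Enabled` as the finding to fix, since it removes the worm's entry point regardless of what the patch inventory says.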
Government cyber weapons
Paior said governments must be careful as they develop cyber weapons. WannaCry spreads using EternalBlue, an exploit for a flaw in Windows SMBv1 that Microsoft patched in March 2017 as MS17-010 and that was among the NSA tools published by the hacker group Shadow Brokers in April 2017.
"It seems that this particular vulnerability was a zero day vulnerability the US government had found and stockpiled, presumably to use it as an offensive weapon, in order to keep us safe. However when they themselves had their data compromised, the stockpiled weapon was able to be used against the very people and infrastructure that the government was intending to protect.
"This is the single biggest event in the cyber security landscape to date," said Paior, comparing it to another NSA-linked worm purportedly developed to attack Iran's critical infrastructure.
"This is the wake-up call that the general population ignored when Stuxnet was revealed," he said.
"There has to be a much broader discussion about governments and how they handle the weapons they develop. History could very well record this as one of this generation’s pivotal moments. The moment when a government weapon fell into the wrong hands and went rogue."