Protecting Against Ransomware Like WannaCry Means Timely Patching

WannaCryFred-header.jpg

According to the FBI, ransomware was the fastest-growing malware across all industries in 2016, and is on track to be an $1 billion crime in 2017.

The “WannaCry ransomware” (aka “Wana Decrypt0r” “WCrypt” and “WannaCrypt” among ITS various other aliases) has affected an estimated 200,000 computers across the world and continues to do so, although the infection seems to be slowing.

Almost exactly two months ago, on March 14, Microsoft released a security update to patch the vulnerability that WannaCry exploits. While the patch protected users who had enabled their computers to apply updates, many computers around the world remained unpatched and vulnerable. As a result, hospitals, businesses, governments, and home computers were — and continue to be  affected by WannaCry.

Security researchers estimated that nearly 57,000 computers in more than 150 countries were infected by the end of the day on Friday. As of Monday morning, more than 200,000 systems around the world are believed to have been infected.

One cybersecurity firm estimates that extortive attacks now cost small and medium companies at least $75 billion in expenses and lost productivity each year. And things are probably going to get worse before they get better. Ransomware tactics and tools are no longer restricted to the dark corners of the web, but are becoming increasingly accessible through open source software channels such as the “Hidden Tear” open source ransomware building toolkit. Even black hat entrepreneurs are getting into the act, offering one-stop-shopping with Ransomware-as-a-Service (RasaS). With RaaS, budding extortionists no longer need to build and maintain their own malware, develop an infrastructure, or manage an attack — all they need to do is sign up at a RaaS site and pay a percentage of their take as a service fee.

“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.” 
~ Brad Smith - President and Chief Legal Officer, Microsoft

Whether Open Source or Proprietary Code, You Need to Patch, Patch, Patch 

Whether open source or proprietary code, most known vulnerabilities have patches available on the date of their disclosure. Despite the availability of patches  like the one issued by Microsoft that could prevent a WannaCry attack  an alarming number of companies and individuals simply do not apply them. Two months after Microsoft issued its security patch, thousands of computers remain vulnerable to the WannaCry exploit for a variety of reasons, ranging from the use of bootleg software to simple indolence.

Patches sometimes aren’t applied because of lack of IT time, money, and resources or concerns that the patch might break a currently-working system. Each time a patch is introduced, changing a system can impact its reliability and functionality. Healthcare organizations, for example, will put functionality and uptime as a higher priority than security, and in doing so expose themselves to attack on unpatched  and vulnerable  applications.

Push vs. Pull in Software Updates

In some cases, it’s a lack of insight  people or organizations are simply unaware of a critical vulnerability or its patch until they’re under attack. While software vendors like Microsoft can “push” updates and fixes out to users, that requires a computer has been set to accept those updates. The reality is that many businesses and individual users keep the auto update feature turned off, as the sheer volume of updates can be overwhelming and annoying.

Unlike most proprietary software, open source has a “pull” support model   users are responsible for keeping track of vulnerabilities as well as fixes and updates for the open source they use rather than having those fixes “pushed” out to them. Unless an organization is aware that a vulnerable open source component is included in its application(s), it’s highly probable that that component will remain unpatched.

96 percent — of the 1,000+ applications scanned to compile our annual Open Source Security and Risk Analysis (OSSRA) report contained open source componentsGiven that open source is at the core of commercial application development, it should be no surprise that almost all  96 percent  of the 1,000+ applications scanned to compile our annual Open Source Security and Risk Analysis (OSSRA) report contained open source components. What may come as a surprise is that 67 percent of the applications containing open source also had known vulnerabilities – making them prime targets for the next WannaCry.

From an industry level, the results of the OSSRA report are even more alarming. The Retail and E-commerce space had the highest proportion  83 percent  of applications containing high-severity open source vulnerabilities. The Financial Services and FinTech industry had the highest   53 percent average vulnerabilities per application, with 60 percent of those applications containing high-risk vulnerabilities. Ironically, the audits also revealed that Cybersecurity applications had a disturbingly high incidence  59 percent  of high-risk vulnerabilities.

These vulnerabilities (and, in most cases, their patches) had, on average, been publicly disclosed for slightly over four years, giving would-be hackers a ripe target, as organizations fail to patch or update vulnerable open source components  often because they don’t realize those components live inside their applications.

Open Source Security & Risk

With open source existing in almost 100 percent of today’s applications, and with applications the #1 target of cyberattacks, how long will it be till the next WannaCry uses the open door of an unpatched open source vulnerability? We all have a lot of work to do to close the cybersecurity gap. As Brad Smith of Microsoft noted in response to WannaCry, “… cybersecurity has become a shared responsibility between tech companies and customers.”

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & WannaCry News

| May 19, 2017

This week’s news is dominated by fall-out and reaction from last week’s WannaCrypt/WannaCry attacks, of course, but other open source and cybersecurity stories you won’t want to miss include: An important open source ruling that confirms the enforceability of dual licensing. What New York’s new

| MORE >

Struts in VMware, Law Firm Cybersecurity, Hospital Data Breaches

| May 12, 2017

The need for cybersecurity vigilance is the overarching theme of this week’s news, as Google OSS-Fuzz finds more than 1,000 bugs, with 264 of them flagged as potential security bugs. The vuln that just keeps on strutting has impacted VMware products. Thousands of patient records are leaked in a

| MORE >