What is WannaCry2? A rapidly spreading cyberattack that was first detected in March and has impacted businesses in nearly 100 countries. Currently, the source of the attack is unknown. The WannaCry2 attacks have crippled critical infrastructure, including hospitals, telecommunications and distribution/supply chain services.
The scale of this attack was possible because of a vulnerability in the Microsoft Windows Operating System. Although it began like any routine phishing scheme - in which a user clicks on a bad link and malware takes over - WannaCry2's exploitation of the Windows vulnerability enabled it to spread with great speed from one workstation to a network of users. As a result, it was an attack of one-to-many versus standard phishing attacks, which typically infect one user at a time. While the attack appears disabled now, we expect hackers to reanimate it rapidly, and organizations need to prepare fast.
Broad implications: The implications of the design of this one-to-many attack are profound. Organizations around the world need to understand the elements of these attacks and be prepared for copycat attacks with new twists. While ransomware - the criminal practice of stealing data and not returning it to its owner until a ransom payment is made - was the profit-gaining tactic of choice, criminals could shift to new tactics and schemes in the future. For example, they could use the one-to-many attack scheme through the Microsoft vulnerability to steal personally identifiable information or embed Remote Access Trojans.
Impact on IBM Security clients: When the Windows vulnerability was detected in March, IBM X-Force security researchers helped to ensure that IBM Security clients were protected. Those using IBM's BigFix security patching or QRadar Network protection technologies were better protected. At the same time, Watson for Cyber Security analyzed alerts on the attack and fed data to our customers and our Managed Security Operations Centers.
Protective actions for all enterprises: Take steps to prevent such attacks, or to get help now:
- Patch systems immediately to prevent attacks. For example, IBM's BigFix solution automatically deployed the patch for WannaCry2 several weeks ago.
- Deploy Security Intelligence systems to detect attacks, such as Watson for Cyber Security.
- Ensure your employees, suppliers and others who work with your company receive regular security training, such as how to spot suspicious emails.
- Refer to X-Force Ransomware Response Guide to evaluate organizational readiness
- Follow the updates on X-Force Exchange and SecurityIntelligence.com
- If you have been impacted by the WannaCry2 attacks, call IBM X-Force Incident Response Hotline: 1-888-241-9812 US, (001) 312-212-8034 Outside the US
Additional IBM Background on Ransomware:
In 2016, ransomware emerged as one of the leading cybersecurity threats to both businesses and consumers. The ransomware actors are opportunistic and financially motivated. The FBI estimated that in just the first 3 months of 2016, cybercriminals made a reported $209 million. This would put criminals on pace to make nearly $1 billion in 2016 from their use of the malware. Compared to 2015, ransomware brought in $24 million for all of 2015 - that's a dramatic 771% increase from 2015 to 2016.
IBM X-Force researchers have identified that ransomware was included in nearly 40% of all spam emails sent in 2016, up from less than 0.6% in 2015 - a significant 6,000% increase in the spread of the extortion tool.
IBM commissioned a study, "Ransomware: How Consumers and Business Value Their Data" that surveyed 600 business leaders and more than 1,000 consumers to understand how they value their data, their experiences with ransomware, and if they have ever paid the ransom.
Business Executives
70% of businesses impacted by ransomware paid cybercriminals to regain access to business data and systems - over half of those paid over $10,000...20% paid over $40K.
Nearly 1 in 2 of business executives have experience with ransomware attacks in the workplace
Nearly 60% of all business executives indicated they would be willing to pay ransom to recover data.
The data types they were willing to pay for included financial records, customer records, intellectual property and business plans.
25% of business executives said, depending upon the data type, they would be willing to pay between $20,000 and $50,000 to get access back to data.
Only 29% of small businesses have experience with ransomware attacks compared to 57% percent of medium size businesses.
The study found that only 30% of small businesses offer security training compared to 58% of larger companies.
Consumers
Consumers motivated to pay when financial information, digital family memories threatened
While over 50% of consumers initially indicated they would not pay the ransom, when asked about specific data types their willingness to pay began to increase;
54% indicated they would likely pay to get financial data back
43% were willing to pay for access back to their mobile device
More than half (55%) of parents would be willing to pay for access to digital family photos vs. 39 percent of respondents without children.
When asked to put a value on different types of data, 37% of consumers said they would pay over $100 to get data back. For comparison, IBM X-Force typically sees ransomware demanding approximately $500 or higher, depending upon the victim.
Parents More Willing to Pay: IBM's analysis determined that parents are more motivated to pay due to sentimental value and children's happiness.
39% of parents have experience dealing with ransomware while overall 29% of non-parents indicated some experience.
71% of parents were most concerned about their family digital photos and videos being threatened with only 54% of non-parents showing the same concern.
Overall, 55% of parents would pay for access back to the photos while only 39% of non-parents would pay.
Access to gaming devices, likely used by children, was also highly ranked by parents as most concerning to them. In fact, it was second to photos and video with 40% of parents worried about losing access to these devices versus 27% of non-parents.
Quick Prevention Tips:
Be Vigilant: If an email looks too good to be true, it probably is. Be cautious when opening attachments and clicking links.
Backup Your Data: Plan and maintain regular backup routines. Ensure that backups are secure, and not constantly connected or mapped to the live network. Test your backups regularly to verify their integrity and usability in case of emergency.
Disable Macros: Document macros have been a common infection vector for ransomware in 2016. Macros from email and documents should be disabled by default to avoid infection.
Patch and Purge: Maintain regular software updates for all devices, including operating systems and apps. Update any software you use often and delete applications you rarely access.
To report a cybercrime, including becoming the victim of ransomware:
In the U.S. report via the FBI's Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx
In Europe report via Europol's Cybercrime Reporting website: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
Quick Links:
Security Intelligence Blog Post: https://ibm.co/2qkGf9g
Internal IBM Security Blog Post: https://w3-connections.ibm.com/blogs/11e57de9-d4e4-41cd-ae2a-f01b0f628085/entry/Draft_for_Stacy?lang=en_us
Ransomware Response Guide: https://ibm.co/2rfMI4E
Ransomware Report Link: https://ibm.biz/RansomwareReport
Ransomware Report Press Release: http://www.ibm.com/press/us/en/pressrelease/51230.wss
Ransomware Report Infographic: ibm.biz/BdsSU9
The scale of this attack was possible because of a vulnerability in the Microsoft Windows Operating System. Although it began like any routine phishing scheme - in which a user clicks on a bad link and malware takes over - WannaCry2's exploitation of the Windows vulnerability enabled it to spread with great speed from one workstation to a network of users. As a result, it was an attack of one-to-many versus standard phishing attacks, which typically infect one user at a time. While the attack appears disabled now, we expect hackers to reanimate it rapidly, and organizations need to prepare fast.
Broad implications: The implications of the design of this one-to-many attack are profound. Organizations around the world need to understand the elements of these attacks and be prepared for copycat attacks with new twists. While ransomware - the criminal practice of stealing data and not returning it to its owner until a ransom payment is made - was the profit-gaining tactic of choice, criminals could shift to new tactics and schemes in the future. For example, they could use the one-to-many attack scheme through the Microsoft vulnerability to steal personally identifiable information or embed Remote Access Trojans.
Impact on IBM Security clients: When the Windows vulnerability was detected in March, IBM X-Force security researchers helped to ensure that IBM Security clients were protected. Those using IBM's BigFix security patching or QRadar Network protection technologies were better protected. At the same time, Watson for Cyber Security analyzed alerts on the attack and fed data to our customers and our Managed Security Operations Centers.
Protective actions for all enterprises: Take steps to prevent such attacks, or to get help now:
- Patch systems immediately to prevent attacks. For example, IBM's BigFix solution automatically deployed the patch for WannaCry2 several weeks ago.
- Deploy Security Intelligence systems to detect attacks, such as Watson for Cyber Security.
- Ensure your employees, suppliers and others who work with your company receive regular security training, such as how to spot suspicious emails.
- Refer to X-Force Ransomware Response Guide to evaluate organizational readiness
- Follow the updates on X-Force Exchange and SecurityIntelligence.com
- If you have been impacted by the WannaCry2 attacks, call IBM X-Force Incident Response Hotline: 1-888-241-9812 US, (001) 312-212-8034 Outside the US
Additional IBM Background on Ransomware:
In 2016, ransomware emerged as one of the leading cybersecurity threats to both businesses and consumers. The ransomware actors are opportunistic and financially motivated. The FBI estimated that in just the first 3 months of 2016, cybercriminals made a reported $209 million. This would put criminals on pace to make nearly $1 billion in 2016 from their use of the malware. Compared to 2015, ransomware brought in $24 million for all of 2015 - that's a dramatic 771% increase from 2015 to 2016.
IBM X-Force researchers have identified that ransomware was included in nearly 40% of all spam emails sent in 2016, up from less than 0.6% in 2015 - a significant 6,000% increase in the spread of the extortion tool.
IBM commissioned a study, "Ransomware: How Consumers and Business Value Their Data" that surveyed 600 business leaders and more than 1,000 consumers to understand how they value their data, their experiences with ransomware, and if they have ever paid the ransom.
Business Executives
70% of businesses impacted by ransomware paid cybercriminals to regain access to business data and systems - over half of those paid over $10,000...20% paid over $40K.
Nearly 1 in 2 of business executives have experience with ransomware attacks in the workplace
Nearly 60% of all business executives indicated they would be willing to pay ransom to recover data.
The data types they were willing to pay for included financial records, customer records, intellectual property and business plans.
25% of business executives said, depending upon the data type, they would be willing to pay between $20,000 and $50,000 to get access back to data.
Only 29% of small businesses have experience with ransomware attacks compared to 57% percent of medium size businesses.
The study found that only 30% of small businesses offer security training compared to 58% of larger companies.
Consumers
Consumers motivated to pay when financial information, digital family memories threatened
While over 50% of consumers initially indicated they would not pay the ransom, when asked about specific data types their willingness to pay began to increase;
54% indicated they would likely pay to get financial data back
43% were willing to pay for access back to their mobile device
More than half (55%) of parents would be willing to pay for access to digital family photos vs. 39 percent of respondents without children.
When asked to put a value on different types of data, 37% of consumers said they would pay over $100 to get data back. For comparison, IBM X-Force typically sees ransomware demanding approximately $500 or higher, depending upon the victim.
Parents More Willing to Pay: IBM's analysis determined that parents are more motivated to pay due to sentimental value and children's happiness.
39% of parents have experience dealing with ransomware while overall 29% of non-parents indicated some experience.
71% of parents were most concerned about their family digital photos and videos being threatened with only 54% of non-parents showing the same concern.
Overall, 55% of parents would pay for access back to the photos while only 39% of non-parents would pay.
Access to gaming devices, likely used by children, was also highly ranked by parents as most concerning to them. In fact, it was second to photos and video with 40% of parents worried about losing access to these devices versus 27% of non-parents.
Quick Prevention Tips:
Be Vigilant: If an email looks too good to be true, it probably is. Be cautious when opening attachments and clicking links.
Backup Your Data: Plan and maintain regular backup routines. Ensure that backups are secure, and not constantly connected or mapped to the live network. Test your backups regularly to verify their integrity and usability in case of emergency.
Disable Macros: Document macros have been a common infection vector for ransomware in 2016. Macros from email and documents should be disabled by default to avoid infection.
Patch and Purge: Maintain regular software updates for all devices, including operating systems and apps. Update any software you use often and delete applications you rarely access.
To report a cybercrime, including becoming the victim of ransomware:
In the U.S. report via the FBI's Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx
In Europe report via Europol's Cybercrime Reporting website: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
Quick Links:
Security Intelligence Blog Post: https://ibm.co/2qkGf9g
Internal IBM Security Blog Post: https://w3-connections.ibm.com/blogs/11e57de9-d4e4-41cd-ae2a-f01b0f628085/entry/Draft_for_Stacy?lang=en_us
Ransomware Response Guide: https://ibm.co/2rfMI4E
Ransomware Report Link: https://ibm.biz/RansomwareReport
Ransomware Report Press Release: http://www.ibm.com/press/us/en/pressrelease/51230.wss
Ransomware Report Infographic: ibm.biz/BdsSU9
