More than two years since the WannaCry attack wreaked havoc across the world, the malware is still impacting devices with 40 percent of healthcare organizations suffering a WannaCry attack in the past six months, according to a report from Armis, a security firm.
WannaCry is a ransomware cryptoworm that struck on May 12, 2017, infecting 300,000 computers globally in just a few days. The hackers leveraged the EternalBlue exploit developed by the NSA, which was leaked a few months before the attack. While Microsoft released a patch for vulnerable systems months before the attack, many organizations did not apply it.
As a result, the exploit allowed the worm to proliferate, claiming the UK National Health Service as one of the hardest hit victims. A researcher found a kill switch that prevented the malware from spreading, which stopped the cyberattack in four days.
However, the kill switch did not eradicate the malware. The researchers noted that WannaCry was reportedly behind 30 percent of all ransomware attacks during the third quarter of 2018. Further, there were devices infected by WannaCry that weren’t addressed during the attack, and these continued to spread it to other computers.
“Devices on which WannaCry did not activate are vulnerable to other attacks, as the ransomware’s backdoor, DoublePulsar, remains wide open,” Ben Seri, Armis vice president of research wrote. “Many organizations fail to patch their networks, so any new variant of the ransomware, some of which lack a kill switch altogether, can compromise their security in an unstoppable attack.”
Armis researchers analyzed data from its platform and found that healthcare delivery organizations (40 percent) and the manufacturing industry (60 percent) have experienced at least one WannaCry attack in the last six months.
The industries are prime targets given their reliance upon a large number of older or unmanaged devices that are difficult to patch “due to operational complexities,” Seri wrote. “As it had when it emerged, WannaCry clearly demonstrates the frightening potential which unpatched vulnerabilities have on such devices.”
As noted recently by CHIME, some of the biggest gaps in health IT lie in the sector’s patching issues and data inventory gaps.
To make matters worse, there are new and similar vulnerabilities being discovered on a regular basis. Most recently, Microsoft issued a rare legacy patch to prevent another WannaCry, after researchers discovered a wormable vulnerability like the one used in the global WannaCry attack.
The number of unmanaged devices running outdated operating systems is surprisingly high in the healthcare sector, with nearly 70 percent of organizations operating on Windows 7 or older platforms. Windows 7 will reach the end of its life cycle in 2020, which Forescout predicted will leave 70 percent of healthcare devices unsupported by Microsoft.
“It is not a coincidence that these sectors are also the ones affected the most by ransomware like WannaCry, which rely on unpatched devices for their successful operation,” Seri wrote.
“In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions and cannot be updated without complete remodeling,” he added. “These reasons are also the reason many of them don’t run any endpoint security, and thus are even more likely to be compromised by WannaCry, or similar malware.”
To determine just how common the malware is, Armis used a honeypot to lure variants into attacking it and found 145,000 compromised devices. Seri explained that these new variants may not have the built-in kill switch, which is why WannaCry continues to proliferate.
The researchers also found that there’s roughly one WannaCry attack per second from just the original variants, with the US facing the largest number of attacks.
“A common misconception about WannaCry is that the patch issued by Microsoft stopped the ransomware and its associated exploit, EternalBlue, so they are no longer something we need to worry about,” Seri wrote. “However, that’s not the case.”
“Just as most organizations have not deployed security patches which were made available in the months between the EternalBlue exploit leak and the outbreak of WannaCry, a disturbing number of organizations still haven’t deployed the latest security patches,” he added. “This too will likely go unpatched by most organizations, until an actual threat comes knocking on their doors. By then, unfortunately, it’s often too late.”
While there are a tremendous number of unpatched devices in healthcare, Seri explained that only a small number are unmanaged because frustrated users have disabled or uninstalled agents due to poor user experience. The bulk of the issues with healthcare’s unmanaged devices stem from unsanctioned IoT and other connected devices that can’t host an agent but are internet-connected anyway.
Other issues stem from sanctioned business critical devices left on the network without the IT or security team’s knowledge, as well as unauthorized devices that end up on the network under the radar.
“This phenomenon of unmanageable devices results in a critical blind spot because IT and security teams don’t have visibility into their existence at all,” Seri wrote. “This is typically caused by enterprises being surrounded by a new generation of devices that can’t host security agents at all.”
“And despite efforts to stop ransomware attacks on industrial or medical devices, it’s still a fairly common occurrence today,” he added.
Seri recommended that organizations patch these devices to prevent another WannaCry, as patching as soon as possible is better in the long run. When patching can’t be applied (or even when it has been), organizations also need visibility into their network through proper controls and monitoring.
“It is only a matter of time until you forget about a device you’ve left connected somewhere or a network configuration which connected or disconnected it from internal networks,” Seri wrote. “This is why you must maintain a continuous asset inventory of all devices, and monitor your network for unknown, suspicious, or misplaced devices connected to it.”
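As an added example (not from the Armis report or this article), the following Python script reconciles a constructed asset inventory against a constructed list of devices observed on the network, flagging unknown devices, inventoried devices that were not seen, and devices running Windows 7 or older or without an endpoint agent. All device names, MAC addresses, IPs and the OS list are hypothetical sample values.

```python
"""Reconcile a known-asset inventory against devices observed on the network.

Constructed sample data (hypothetical): a small inventory keyed by MAC address and
a list of devices seen on the wire (as from DHCP leases or a passive scan).
"""
from typing import Dict, List

# Versions the article describes as outdated (Windows 7 or older); sample set.
UNSUPPORTED_OS = {"Windows XP", "Windows Vista", "Windows 7", "Windows Server 2008"}

# Constructed inventory: MAC -> device record (hypothetical values).
INVENTORY: Dict[str, dict] = {
    "00:11:22:33:44:01": {"name": "infusion-pump-3", "os": "Windows 7", "agent": False},
    "00:11:22:33:44:02": {"name": "nurse-ws-12", "os": "Windows 10", "agent": True},
    "00:11:22:33:44:03": {"name": "mri-console-1", "os": "Windows XP", "agent": False},
    "00:11:22:33:44:04": {"name": "ventilator-7", "os": "Windows 7", "agent": False},
}

# Constructed observations: what was actually seen on the network this cycle.
OBSERVED: List[dict] = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.5.11"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.5.12"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.5.13"},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.5.77"},  # never inventoried
]


def reconcile(inventory: Dict[str, dict], observed: List[dict]) -> Dict[str, list]:
    """Return findings: unknown IPs, devices on unsupported OS, devices without
    an agent, and inventoried devices that were not observed (possible drift)."""
    findings = {"unknown": [], "unsupported_os": [], "no_agent": [], "missing": []}
    inv = {mac.lower(): rec for mac, rec in inventory.items()}
    seen = set()
    for dev in observed:
        mac = dev["mac"].lower()
        seen.add(mac)
        rec = inv.get(mac)
        if rec is None:  # on the network but not in the asset inventory
            findings["unknown"].append(dev["ip"])
            continue
        if rec["os"] in UNSUPPORTED_OS:
            findings["unsupported_os"].append(rec["name"])
        if not rec["agent"]:
            findings["no_agent"].append(rec["name"])
    findings["missing"] = [rec["name"] for mac, rec in inv.items() if mac not in seen]
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED).items():
        print(f"{category}: {items}")
```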
“Implement solutions capable of monitoring and protecting unmanageable devices, which are extremely vulnerable and prone to attacks – especially those devices you can’t put any agents on,” he added. “Healthcare… environments are rampant with such devices from MRIs to infusion pumps to ventilators… without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker.”