If you didn’t like WannaCry, you’re really going to hate the sequel. Like the Godfather and Star Wars movie franchises, the second installment of “the world gets its bell rung by ransomware” is way better than the original.
In the May WannaCry ransomware attack, users running obsolete versions of Microsoft software in more than 150 countries were hit by a purloined N.S.A.-designed exploit that let hackers encrypt files and demand a fee, paid in bitcoin, to restore access to them. The total haul was pretty insignificant (a mere $80,000), an especially low figure given the fact that between 200,000 and 300,000 machines were hit.
It should come as no surprise that the second-wave attack is nastier, more widespread and harder to stop. Kaspersky Labs reported that about 2,000 users had been hit so far.
Word of a new and far more virulent ransomware attack started to circulate at around 8 am on June 27. The attack used the same N.S.A. cookbook approach, and also resembled a 2016 attack called Petya. WannaCry predominantly hit Asia and Europe. The N.S.A.-developed hacking tools, including Eternal Blue, used in both attacks were leaked by a hacking collective known as Shadow Brokers.
Unlike the attack in May, GoldenEye, or whatever you want to call it, hit very big targets in several nations, including Australia, Germany, Italy, Poland, Russia, Ukraine, and the United States.
Affected entities include Danish shipping company Maersk, the decommissioned Chernobyl nuclear power plant, a Russian oil company called Rosneft, and an energy company in Kiev. In the United States, both the international law firm DLA Piper and big pharma Merck were hit.
The most important difference: GoldenEye is better, with perhaps the most significant improvement being one that many cyber security experts predicted: It has no kill switch.
No doubt you’re wondering who is behind it. And it doesn’t matter. You need to put the focus on yourself. Look in the mirror. It’s time to be more careful.
Interestingly, with an estimated $9,000 in ransom paid so far, perhaps the most notable difference is that people aren’t regaining access to their files this time around, because the email address that victims were given to conduct the transaction has been blocked by German authorities. As a result, the hackers can’t see who paid, and victims have no way to contact the bad guys. Translation for those trying to get their stuff back: Ciao, baby! You’re out of luck.
More significant than any financial damage incurred should be the fact that two broad-spectrum, global attacks have been successfully launched.
The WannaCry attack heralded a very visible manifestation of something we in the cyber security community have been warning against for nearly a decade: Cyber-geddon. There is no way to know what that may look like. Maybe there will be an attack on our power grid. It could be world banking systems. Whatever it is, we’re seeing evidence that crippling attacks are an increasingly possible outcome of our culture of chronic, pervasive cyber-insecurity.
You’ve heard me say it before, but never has it been more true: the sky really is falling. You can’t afford to put off security solutions.
When news of the WannaCry attack broke, Shadow Brokers, the cyber collective that made the exploit possible, said they might create a sort of “Hack of the Month” club for a subscription fee. Whether or not they did that, here we are seven weeks later with the latest delivery of cyber pandemonium.
Our greatest fears are happening in real time.
There’s still a lot we don’t know, and may never find out. There could be one attacker or there could have been an army of them. GoldenEye, or NotPetya, could have been a state-sponsored event or it could have been more like a boiler room selling penny stocks–a horde of skilled-to-laggard hackers working for a vig.
The tool used–at least one of them–was made available on the dark web. According to Avast Threat Labs, “its creators made the malware available as ‘ransomware as a service’”–which, as the New York Times noted, was a play on the Silicon Valley practice of delivering software digitally. The business model: Every time the exploit resulted in a ransom payment, the creators would get a cut of the profits.
So, as predicted, the hacking community once again has evolved. They now have complex models for the distribution of effective malware as well as profit sharing. It’s basically a criminal version of multi-level marketing. Think: Amway, Herbalife, Mary Kay.
The exploit uses more than one vector to infect, and it is more system-pervasive than its progenitor, but what matters is that it relies on a prevalent situation: The patch Microsoft made available has not been universally installed. As you probably know, the bigger the bureaucracy, the slower the process. And of course, there is another situation that makes attacks like these–post-patch distribution–still work: Many updates need to be done one machine at a time.
It is time to invest in security as much as you would have to pay if you get got. While this varies depending on the size of your business and the type of data you collect and store, the Ponemon Institute’s latest Cost of Breach report found that the price tag of a data compromise is around 3.62 million dollars. Take a breath. Now get to work figuring out how to make your enterprise safe.
And since this is a Yogi Berra “Déjà vu all over again” moment, here are some basics I sketched out after the WannaCry attack that can help make you more secure while you work on the big boy pants version of your cyber security plan.
When you are trying to find something online or use an app, those update notices can be like a mosquito overly interested in you, but the last thing you should ever do is swat those notices away. They are often the only thing standing between you and the bad guys out there who are forever looking for a way to exploit weaknesses in the security features that come standard with the devices you use on a daily basis.
Both Macs and Windows PCs now offer a way to protect the content stored on your hard drive, and it’s so easy there’s no reason not to use it. It’s called FileVault on Macs and BitLocker on Windows PCs. It is easy to set up, and it renders everything on your machine unreadable to anyone who gets hold of the machine or its drive without your password.
For less than $60, you can purchase an external hard drive large enough to store an immense amount of data. That’s where you want to keep your most sensitive personal information. The reason is simple. It is air gapped (not connected to the internet) most if not all of the time. There is no need to be online to back up your hard drive to an external drive. Extra points if you encrypt your data.
If you’re not using long and strong passwords, or you are still using the same password across multiple platforms and websites, you need to read this. For those who get over that rather low bar, it’s time to improve your game. It used to be that people made cheat sheets with their passwords and stored them on an encrypted thumb drive. It’s no longer necessary. Password managers take away the risk associated with having your passwords written down where they can be found and used. You only need to remember one. As far as services go, there are many–all of them are better than older methods of managing passwords.
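To make “long and strong” concrete, here is an added example (not code from the original article) showing what a password manager does under the hood: it draws passwords from the operating system’s cryptographic random source, measures their strength in bits of entropy, and audits a vault for the password reuse the paragraph warns about. The word list and the sample vault are constructed for illustration; a real diceware list has 7,776 words.

```python
"""Added example: entropy arithmetic, CSPRNG-based generation and a reuse audit,
the three things a password manager does that a cheat sheet cannot."""
import math
import secrets
import string

# Character set a typical manager uses for per-site passwords.
SITE_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"

# Constructed miniature word list (a real diceware list has 7,776 words).
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gable", "harbor",
         "iris", "jasper", "kelp", "lumen", "maple", "nectar", "orbit", "pistol"]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def generate_password(length: int = 20, alphabet: str = SITE_ALPHABET) -> str:
    """Uniformly random password; secrets.choice uses the OS CSPRNG, not random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type for the one password you must remember."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def is_long_and_strong(password: str, min_bits: float = 80.0) -> bool:
    """Rough check: estimate the search space from the character classes present
    and require at least `min_bits` of entropy. This assumes the password was
    chosen at random; a human-picked 'P@ssw0rd!' passes the class test but not reality."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    space = sum(size for chars, size in classes if any(c in chars for c in password))
    if space == 0:
        return False
    return entropy_bits(space, len(password)) >= min_bits


def reused_passwords(vault: dict) -> list:
    """Groups of sites sharing one password: exactly what a manager's audit flags.
    `vault` maps site name to password."""
    seen = {}
    for site, pw in vault.items():
        seen.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in seen.values() if len(sites) > 1)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(SITE_ALPHABET), len(pw)), 1), "bits")
    print(generate_passphrase(), round(entropy_bits(len(WORDS), 6), 1), "bits")
    # Constructed sample vault showing the reuse problem.
    print(reused_passwords({"bank": "hunter2", "email": "hunter2", "forum": "x9!Lq"}))
```

Six words from the tiny constructed list give only 24 bits; the same six words from a full 7,776-word list give about 77 bits, which is why the list size, not cleverness, is what makes a passphrase strong.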
There are more spoof sites out there than you may realize, and they are there to do harm not good. Always look at the URL to be sure that you are on the site you intended to visit and not a clone — the clone will often have a very similar address, so look closely. For an additional layer of security you might want to consider downloading HTTPS Everywhere, a plug-in/add-on that works on Chrome and Firefox that enables HTTPS encryption automatically on sites that support it.
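The “look closely at the URL” advice can be done mechanically. The following is an added example, not code from the original article: given the site the user meant to visit, it flags the usual ways a clone’s address imitates it (the real brand name tucked into a subdomain of another domain, one-character typosquats, non-ASCII look-alike letters) and notes when the page is served over plain HTTP. The sample URLs are constructed and use reserved names; the “last two labels” rule for the registrable domain is a simplification that a production check would replace with the Public Suffix List.

```python
"""Added example: spotting clone addresses the way a careful reader would,
given the domain the user intended to visit."""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels ('www.example.com' -> 'example.com'). Simplification:
    multi-part suffixes such as co.uk would need the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, intended: str) -> list:
    """Return a list of finding codes. Empty means the host is the intended
    site (or one of its subdomains) reached over HTTPS."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    intended = intended.lower()
    if not host:
        return ["no-host"]
    findings = []
    if parts.scheme != "https":
        findings.append("plain-http")          # the HTTPS Everywhere point
    if host == intended or host.endswith("." + intended):
        return findings                        # genuinely the intended site
    findings.append("different-site")
    if not host.isascii():
        findings.append("non-ascii-homoglyph")  # e.g. Cyrillic 'а' for Latin 'a'
    labels, want = host.split("."), intended.split(".")
    for i in range(len(labels) - len(want)):   # stop before the real suffix
        if labels[i:i + len(want)] == want:
            findings.append("brand-as-subdomain")  # www.example.com.evil.invalid
            break
    if 0 < edit_distance(registrable_domain(host), intended) <= 2:
        findings.append("typosquat")           # examp1e.com, exmaple.com
    return findings


if __name__ == "__main__":
    # Constructed sample addresses; the user intended to visit example.com.
    for sample in ["https://www.example.com/login",
                   "http://www.example.com/login",
                   "https://www.example.com.login-verify.invalid/",
                   "https://examp1e.com/",
                   "https://ex\u0430mple.com/"]:
        print(sample, "->", check_url(sample, "example.com") or "looks right")
```

The check deliberately returns every finding rather than the first, since a clone often trips several at once, and the only safe answer for a login page is an empty list.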
The number one way people get got is thoughtless clicking. Whether it is a bad website designed to plant malware on your device or phishing email that looks like it came from a friend, but is in reality from a cyber fiend, you must have a pause in place — and it has to be automatic — when it comes to clicking on anything that comes your way from “out there,” even or especially if it looks like a friend or family member sent it.
If you see a story about a data breach or a security compromise on a device you use, consider that an action item for your day. Just take a second to find out if you are affected and then take whatever precaution you can. The 40 minutes that the average person spends on personal grooming is a good rule of thumb. Think of your cyber hygiene like a glance in the mirror.
Increasingly, two-factor authentication is available on the accounts we use daily, and it is essential that you set it up. It means that if a person hijacks one of your accounts, there isn’t much damage they can do without also having possession of your mobile phone or access to your email account. It’s an easy measure anyone can take to improve personal cybersecurity.
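For readers who want to see why a code from an authenticator app is useless to someone who only has your password, here is an added example (not code from the original article) of the arithmetic behind those six digits: HOTP from RFC 4226 and its time-based form TOTP from RFC 6238, plus the server-side verification that tolerates a little clock skew. The 20-byte key is the published test vector from those RFCs, used here only so the results are checkable; it is not a real account secret.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) in the standard library,
with the constant-time, skew-tolerant verification a server performs."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_KEY = b"12345678901234567890"  # RFC 4226/6238 reference key, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current 30-second step number."""
    if now is None:
        now = int(time.time())
    return hotp(key, now // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps exchange the key as unpadded base32 (often with spaces)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (phone clocks drift).
    hmac.compare_digest keeps the comparison constant-time."""
    if now is None:
        now = int(time.time())
    counter = now // step
    return any(hmac.compare_digest(hotp(key, counter + k), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the SHA-1 code is 94287082 (8 digits).
    print(totp(RFC_TEST_KEY, now=59, digits=8))
    print(verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY)))
```

The key never leaves the phone and the server, and each code is valid for about a minute and a half at most, which is the whole point: a stolen password alone does not produce the next code.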
In my book “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves” I go into greater detail about the various ways your information can be got, and what you can do to protect it. The main lesson there: practice what I call “The Three Ms.”
Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t overshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and consider freezing your credit.
Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every two weeks on Credit.com.) If you prefer a more laid-back approach, sign up for free transaction alerts from financial services institutions and credit card companies or purchase a sophisticated credit and identity monitoring program.
Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises — oftentimes available for free or at minimal cost through insurance companies, financial services institutions and HR departments.