WannaCry – Is the threat still out there?

It’s been 4 months since WannaCry caused misery by infecting over 230,000 computers across 150 countries in just one day.

The virulent ransomware affected well-known organisations such as the NHS, Telefonica and FedEx, and predictably made headlines around the world. Emergency patches were issued, and within 4 days security experts reported that most organisations had applied these patches and the spread of infection had slowed.

Fast forward 4 months and WannaCry once again appears in the news. The South Korean electronics company LG found itself under the spotlight as ransomware identical to WannaCry was found on self-service kiosks in its service centres. The Korea Herald reported that the service centre network was shut down and the ransomware did not get a chance to encrypt key files. Once security updates were applied to the affected kiosks, they returned to normal operation.

Could it be that LG had not applied the security patches that were issued in the early days of WannaCry? It’s entirely feasible, as many organisations still don’t understand how important it is to keep systems up to date, and leave themselves vulnerable by failing to take the necessary precautions.

But it’s not only the lack of security awareness that is a concern.

Along with the recommendations to apply patches, one of the key messages was ‘do not pay the ransom’. Victims were told to pay between $300 and $600 if they wanted to get their systems back, but experts warned that paying the ransom wouldn’t necessarily lead to restored access.

It seems that not everyone heeded this message, as more than £105,000 worth of bitcoins paid by WannaCry victims have been removed from their wallets since late July. It’s unlikely that the bitcoins will be turned into real currency, as there is the potential for the funds to be traced. However, there is speculation that they may be used to pay for services on the dark web, and these services are less likely to leave a trail.

This seems to be a realistic option since, as we mentioned in our September 2016 newsletter, up to 40% of stolen funds are believed to be subsequently invested into the improvement and modernisation of technology, techniques and schemes.

Failing to keep systems up to date is clearly a risky strategy, but paying a ransom to a cyber-criminal who could use it to fund more criminal activities and still not restore access is surely nothing less than irresponsible.