At SecBI, we have closely watched the story unfold and have written a detailed technical analysis of the event; see the complete technical analysis here.
Obviously, I wouldn’t want to be in the shoes of anyone who saw the screen saying, “Your files are encrypted, and you have 24 hours to pay.” It must have hurt, and I wish those who were hit quick remediation and minimum downtime and damage.
But we, as a society, were lucky.
Ransomware announces to its victims that it is active, and then it is either pay up or use a good backup.
Using similar techniques for spreading malware, much more damage could have been done: proprietary information, personal identity information, credit information, etc. could have been stolen or tampered with. We also could have seen damage to infrastructure systems, including power plants, transportation, and more.
These types of attacks can cause orders of magnitude more financial, strategic and personal damage than ransomware like WannaCry, but unlike ransomware, these attacks are hidden and stealthy. They can go undetected for weeks and months, causing slow and persistent damage.
Just as an example – instead of encrypting files, cybercriminals could exfiltrate customer data and extort the attacked organization with the threat, “Pay up or we’ll sell your data to the highest bidder on the darknet.” The impact of such an attack could amount to millions of dollars in direct and indirect damage.
This is why I say we were “lucky” this time.
The exploits utilized in this attack were part of a bank of exploits allegedly stolen from the arsenal of the NSA, which are now available to cybercriminals and other organizations. The exploits that have not yet been exposed can be used (or are already being used) by attackers to compromise networks and carry out different missions in an extremely stealthy way.
Even if we keep our systems patched and up to date, there are still unknown vulnerabilities waiting to be exploited, so organizations cannot merely rely on preventive security controls and traditional signature-based detection systems. Sophisticated attacks with tremendous damage potential will communicate with external servers to carry out their mission. Cybersecurity analysts and IR teams need to proactively search their networks for indicators of compromise, scouring the data for signs of malicious activity. In other words, they need to go threat hunting.
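One concrete form of the hunt described above is looking for the external command-and-control traffic itself rather than for a known signature. The script below is an added illustration written for this post, not SecBI's product code or anything from the WannaCry analysis: it reads a few constructed proxy-log lines (timestamp, source IP, destination IP, bytes), keeps only connections to hosts outside the RFC 1918 ranges, and flags source/destination pairs whose connection intervals are suspiciously regular (low coefficient of variation), which is the classic beaconing pattern of an implant checking in with its server. The log format, thresholds and IP addresses are all assumptions chosen for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for the example (not real traffic):
# "<ISO timestamp> <src IP> <dst IP> <bytes>". 10.0.0.12 contacts an
# external host every ~5 minutes (beacon-like); 10.0.0.33 contacts an
# external host irregularly (normal browsing); 10.0.0.40 only twice.
SAMPLE_LOG = """\
2017-05-15T09:00:00 10.0.0.12 198.51.100.7 512
2017-05-15T09:00:00 10.0.0.12 10.0.0.5 2048
2017-05-15T09:05:01 10.0.0.12 198.51.100.7 500
2017-05-15T09:10:00 10.0.0.12 198.51.100.7 510
2017-05-15T09:14:59 10.0.0.12 198.51.100.7 505
2017-05-15T09:20:00 10.0.0.12 198.51.100.7 515
2017-05-15T09:25:02 10.0.0.12 198.51.100.7 508
2017-05-15T09:01:13 10.0.0.33 203.0.113.9 120000
2017-05-15T09:07:45 10.0.0.33 203.0.113.9 98000
2017-05-15T09:31:10 10.0.0.33 203.0.113.9 45000
2017-05-15T09:32:00 10.0.0.33 203.0.113.9 3000
2017-05-15T09:59:30 10.0.0.33 203.0.113.9 67000
2017-05-15T09:03:00 10.0.0.40 192.0.2.50 800
2017-05-15T09:48:00 10.0.0.40 192.0.2.50 900
"""

# RFC 1918 ranges listed explicitly: ipaddress.is_private also treats the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used
# in the sample as private, which would hide the "external" hosts here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True if the address is outside the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the assumed log format into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def find_beacons(records: list, min_conns: int = 5, max_cv: float = 0.1) -> list:
    """Flag (src, dst) pairs with at least min_conns external connections
    whose inter-connection intervals have a coefficient of variation
    (population stdev / mean) of at most max_cv."""
    by_pair = defaultdict(list)
    for r in records:
        if is_external(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r["ts"])

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:      # too few samples to judge regularity
            continue
        times.sort()                    # logs are not necessarily in order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:               # all in the same second: not a beacon
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval": mean_gap, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval']:.0f}s (cv={hit['cv']:.3f})")
```

On the sample data only the 10.0.0.12 pair is reported; the irregular browsing pair fails the regularity test and the two-connection pair is below the sample threshold. In practice the thresholds need tuning against the organization's own baseline, and a hit is a lead for an analyst to investigate (who owns the host, what the destination is, what the payload sizes look like), not a verdict on its own.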
Gilad Peleg, SecBI CEO