The recent ransomware worm in the WannaCrypt or WannaCry (Wcry) malware infected more than 200,000 systems across 150 countries. The virus targeted out of date computing systems not unlike those that can be found in an industrial control system (ICS). While WannaCry impacted banks, healthcare providers and other non-industrial entities this time, next time the enterprise ICS could be the target. And, there will be a next time.

What WannaCry Did

The WannaCry ransomware attack encrypts all the files of an entry computer and then spreads laterally through an organization’s entire network. Once infected, the user/victim is told that their files are locked, but can be restored. The ransom is a payment of $300 in Bitcoin per affected system to get the decryption key.

How It Was Done

Taking advantage of a previously discovered vulnerability in Windows that was addressed in ETERNALBLUE SMB exploit (MS17-010), WannaCry targeted users and enterprises that delayed the deployment of the patch. The vulnerability combined with a self-replicating payload allowed the ransomware to spread from one vulnerable machine to another vulnerable machine through a variety of techniques. It did this without requiring an operator/user to open an e-mail, click on a link or take any other action.

Just the Beginning

While most experts are surprised at the amateurish approach used by the creators of WannaCry, which only earned them $55,000 from what has been called the worst digital disaster in years, the threat of improved efforts by the same perpetrators and other bad actors should prompt all enterprises, especially those with an ICS linked to their network, to reinforce their internet accessible systems with appropriate security measures. The second part of this blog will provide further insight and guidance on how to implement the trust elements into any organization’s network.