Howard: From Montreal, I’m joined by Terry Cutler. Good afternoon.
Let’s start with Anti-Ransomware Day. This began in 2020 as an education initiative by Kaspersky and the Interpol police co-operative. It was sparked by the global spread three years earlier of the WannaCry strain of ransomware. A lot has changed in ransomware since then: Gangs are now targeting companies and governments instead of home computers, gangs are running double extortion strategies by first stealing and then encrypting data to put extra pressure on victim firms, they’re running live hands-on attacks and they’re finding better ways of evading IT defences.
This week firewall manufacturer SonicWall estimated that there were 623,000 ransomware attempts last year on its customers alone. Terry, we’ve talked a lot about ransomware before. Is there anything new about what IT leaders should be doing to lower the risk of being victimized by ransomware?
Terry Cutler: Ransomware has come a long way. I remember seeing a hands-on attack happening at one of our new clients where they had software running on one of their computers called OTR, which stands for Off The Record. Attackers were logging into the system and they were working with the victim company’s tech support to launch commands and map drives into the system and then launch ransomware attacks manually. It’s very scary to know that there’s an actual hands-on attacker in your environment and not just some automated script. And what we’re seeing is that a lot of customers are still having a hard time with their patch management, especially around this one patch for the MS17-010 vulnerability, which is also known as EternalBlue.
This is the one that caused the WannaCry infection. And it’s very difficult sometimes to phase that out, because you want to turn off SMB [Windows Server Message Block] version 1 and sometimes there are some old systems that still rely on it. So it’s not very easy to just turn it off. Whenever we do a penetration test we love to get our hands on that exploit if it’s available. So when we do our vulnerability assessment on a client’s system and we see machines that are missing that patch, once we’ve exploited it we have full control over that system. We actually get system-level access where we can pull out all of the usernames and passwords, and also possibly decrypt their passwords if they’re weak, and we can also perform a pass-the-hash attack, where we take hashed information and pass it off to another server and log in as an administrator or as a system-level service without ever knowing the password. So it’s very important that organizations run at least a vulnerability assessment. The problem right now is that IT is not doing a great job with patch management.