Emergency services: How the channel is helping its ransomware casualties

How has the channel responded to what has been widely labelled the biggest ransomware attack ever?

With the true scale of Friday's massive ransomware attack still not known, and future attacks expected over the coming days, the channel has sprung into action to protect the unharmed and tend to the wounded.

What first surfaced as technical problems for a handful of NHS Trusts in the UK on Friday afternoon has escalated to a cyber epidemic affecting an estimated 200,000 victims in 150 countries, according to the most recent figures from EU police body Europol.

Over the weekend, Microsoft released a statement confirming speculation that the ransomware attack exploited a Windows vulnerability for which it had released a patch in March, but warned that the threat still exists wherever that patch hasn't been applied - triggering a race against time to have all systems prepared in case of further attacks.

News of the attack first broke on Friday lunchtime, but it was late afternoon before reports started emerging in the mainstream press - by which time reseller giant Softcat had scheduled an NHS-only conference call to assess the damage and offer support to healthcare institutions. Softcat's response is headed by cybersecurity lead Adam Louca and the initial call had over 120 participants, with further calls taking place over the weekend and today.

Speaking to CRN today, Louca revealed what the reseller has been telling its customers, both those that have been compromised and those that haven't.

"For the ones who've been affected, you've already had the incident take place so the focus has to be on ensuring you're limiting the scope of the breach," he said.

"If it has already entered your network, taking the clients that have been compromised offline as soon as possible is one of the most important things to limit the exposure.

"Once they've done that, focus on applying patches so that the rest of the machines on the network that haven't been compromised are up to date and no longer vulnerable. Then focus on recovery, hopefully from the good backups that are in place."

Not having the appropriate backup or disaster recovery in place, Louca explained, has led to some organisations having to rip out the hard drives of every computer and purchase new ones, at great expense.

"Once you've worked out whether you can restore from a backup [or not], ultimately your last step is to roll back," he said.

"We are aware of organisations that have taken those steps - some of them even rolling out their whole estate again, therefore replacing the hard drive in every computer - which is obviously a massive task. Teams have been deployed to do that over the weekend."

Still a threat

Microsoft announced last week that in response to the attack it had released a patch for operating systems that it no longer supported, one of these being Windows XP, which Louca said is indicative of the true scale of the attack.

He emphasised the importance of people not becoming complacent despite the fact that a "kill switch" has been discovered, with a further two variants of the ransomware being detected since Friday.

He also warned IT teams to ignore reports which claim the ransomware is distributed via email, claiming these are wide of the mark and have since been retracted from the various sources.

"For those who haven't been attacked, the big piece of advice that we're giving out is patching," he said.

"Get that Windows patch on all machines. It's amazing that Microsoft has actually released a patch for Windows XP and Windows Server 2003, so the fact that Microsoft has gone against its own support policy to help everyone out shows the extent of the importance of this attack."

"[The ransomware is] being delivered over the network via SMB port 445, so if you can't update with the patch, make sure you lock that port down to everyone else because that will really help."
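The three steps Louca describes - take compromised clients offline, get the March patch onto everything else, and lock down port 445 where patching isn't yet possible - are the kind of thing an engineer ends up scripting on a weekend like that one. The following PowerShell is an added example written for this page, not Softcat's or Microsoft's own tooling, and it assumes a Windows 8.1 / Server 2012 R2 or later host (the NetSecurity and SmbShare cmdlets it uses don't exist on Windows XP or Server 2003, where the equivalent port block has to be done in the legacy firewall or on a network ACL). The management subnet 10.10.0.0/24 and the KB list are my assumptions; check the KB IDs against the March 2017 Microsoft security bulletin for each OS build before relying on them.

```powershell
# Added example: emergency SMB containment for a Windows host during a
# 445-borne worm outbreak. Not code from the article or from Softcat.
# Run from an elevated PowerShell session on the host itself.
#
# Assumed values (mine): management subnet and the KB IDs below. Verify the
# KB list against the March 2017 security bulletin for your build.
param(
    [string[]] $AllowedSmbClients = @('10.10.0.0/24'),
    [string[]] $PatchKbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                             'KB4012214','KB4012217','KB4012598'),
    [switch]   $Isolate   # use only on a host you have confirmed is infected
)

# Step 1 (Louca's first step): a compromised client comes off the network.
# Disabling every physical adapter is blunt, but it stops the host reaching
# other machines' port 445 while you image and rebuild it. Do this from the
# local console, not over a remote session you are about to sever.
if ($Isolate) {
    Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false
    Write-Host 'Host isolated: all physical adapters disabled.'
    return
}

# Step 2: has the March patch actually landed? Get-HotFix reads the installed
# update list, so no matching KB means this host is still exposed over 445.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty HotFixID
$havePatch = @($PatchKbs | Where-Object { $installed -contains $_ }).Count -gt 0
Write-Host ("March patch present: {0}" -f $havePatch)

# Step 3: if unpatched, allow inbound 445 only from the management subnet.
# Windows Firewall evaluates block rules before allow rules, so the clean
# way to express "445 from management only" is: default inbound = Block,
# disable every existing allow rule that opens TCP 445, then add one
# narrowly scoped allow rule.
if (-not $havePatch) {
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

    # Find every enabled inbound allow rule whose port filter includes TCP 445
    # (the built-in "File and Printer Sharing (SMB-In)" rules among them).
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and
                       $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    $ruleName = 'Emergency: SMB 445 inbound from management only'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedSmbClients `
            -Action Allow -Profile Any | Out-Null
    }
    Write-Host ("Inbound TCP 445 now limited to: {0}" -f ($AllowedSmbClients -join ', '))

    # Turning off the SMBv1 server side removes the protocol the exploit
    # targets. Caveat: any XP / Server 2003 client that still needs this
    # host's shares will stop connecting, so check Get-SmbSession first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Step 4: evidence for the incident log. Established 445 connections and open
# SMB sessions show which peers were talking to this host over SMB, which is
# where you look next when deciding what else to take offline.
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize
```

Two points worth checking before rolling this out by group policy or remote script: the allow rule scopes by source address, so a domain controller or backup server that legitimately needs SMB to the host must be in `$AllowedSmbClients` or it will lose access along with the worm; and disabling SMBv1 on a file server is a one-way change for any remaining XP or Server 2003 clients, which is exactly the mixed estate the article describes at the NHS.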

Attack on incumbent vendors reignited

The scale of the ransomware attack has reignited the argument over whether the incumbent security vendors are capable of keeping up with the rate at which the cyber landscape is changing.

Carl Gottlieb, founder of security reseller Cognition, said that customers need to ignore the advice of IT specialists who are telling them to "get back to basics", claiming the basics aren't good enough any more.

He said that none of the customers Cognition supports with next-generation end-point protection have reported the ransomware affecting their networks.

"What you'll have seen in the press is a lot of experts saying 'do the basics, do the basics'," he said.

"No one is saying 'do the basics right'. If you think about everyone saying 'I've got anti-virus', well according to Sophos 80 per cent of the NHS was protected by Sophos, so they did the basics. How effective was it?"

He explained that there will be IT teams within organisations up and down the country who know they need better protection, but are unable to obtain adequate funding from their boards.

He said these organisations, with the help of their channel partners, should use this example to hammer home to boards the importance of next-generation security.

"Don't fear the ambulance chaser," he said. "There's a lot of that going on with people saying 'now's the right time to change it', and they're right.

"If you're going to get a business case for funding for a better product, you're not going to get a better time than now.

"End users should use that emotion on their board and say 'I've been wanting this for a year, now you need to look at it'. Already this morning we've had multiple customers say 'we want to kick off this product again', so it does work. Embrace the ambulance chaser!"

Sean Remnant, chief strategy officer at security VAD Ignition, said the number of updates released by vendors with legacy end-point protection products on Friday demonstrates how they struggle to keep up with emerging threats.

"I'm guessing that nearly all victims would have had some sort of legacy anti-virus solution and it has not worked," he said.

"It means we as an industry need to think about the approach of those solutions and look at a different way of doing things. On Friday I looked at all the legacy AV vendors and they were all releasing updates after the problem had happened; they were all reactive rather than preventative, which is a massive problem."

A topic that always stokes debate about ransomware is whether it is easier to pay the ransom, in the hope that the cybercriminal is true to their word and decrypts all the data.

In this particular case, the general consensus seems to be that the perpetrators have no intention of decrypting the data, but Remnant said that if organisations have a good backup in place then this is not a dilemma they need to worry about.

"That's hotly debated and it depends what's at stake," he said. "If they've got good backups they can restore their data, but if they haven't - and they've got sensitive data that's encrypted - then I guess they have a choice to make.

"It would be interesting to know the government's point of view on this, but I would like to think that they've got good backups and they'll be busy running around reimaging machines at a considerably higher cost than it would have been to invest in updating the operating systems or the anti-virus solutions they've got."

Jigsaw NHS

In the wake of the ransomware attack the NHS has come under intense scrutiny for both not applying the Windows patch released by Microsoft, and running unsupported, older operating systems.

However, Dan Bailey, director at Sophos and Barracuda partner Altinet, said it would be wrong to assume that updating the NHS' IT systems is a simple task.

"I was speaking to a couple of friends who work at Softcat and they were working a fair bit of the weekend selling a lot of hard drives to the NHS," he said. "They were basically cutting out all the hard drives because they were corrupted and putting new ones in.

"The NHS is a strange one because it's just so vast. It's a jigsaw with some very old pieces and some very new pieces, so it's not really surprising that it's highest profile in terms of keeping legacy systems and not upgrading when they should, but it's an unbelievably difficult task."

Bailey understands that a number of NHS organisations have spent the weekend recovering data from old storage boxes and installing it on the new hard drives.

"From what I've heard, in the NHS they have very large hardware boxes which are basically data dumps," he said.

"They're going to rip out the hard drives that have been encrypted and put new hard drives in, then access that data, probably from tape.

"That process - certainly with the amount of data that the NHS has - is very time consuming and tape obviously can be very unreliable. It can also be easily corrupted and damaged."