In the largest ransomware attack ever, the WannaCry (or WannaCrypt or Wana Decryptor) malware has spread to 150 countries in a few days, freezing computer systems from FedEx in the US to phone companies in Spain and Russia. In Britain, National Health Service (NHS) hospitals had to turn away patients from emergency rooms.
WannaCry infects systems through a security hole in the Windows Server Message Block (SMB) service used for sharing files and printers in a local network. Two months before the global attack exploded, Microsoft pushed out a security patch to fix the vulnerability in SMB.
But the Microsoft patch did not cover old software such as Windows XP (at least not until 24 hours into the crisis when Microsoft did offer a security update for old operating systems). In Britain (and probably many other countries), there’s plenty of old Windows in service. Look at this story from 2016: NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP.
Whether it was failure to patch or update to a modern operating system or install anti-virus software or properly provide for back up, someone somewhere in the world evidently failed to make a persuasive case in financial terms for investment in ransomware defense, opening many doors for WannaCry.
FAIR (that’s Factor Analysis of Information Risk), the model that powers RiskLens, translates a scary risk like ransomware into an event you can scope for how it might impact your business. It's a tool to see a range of potential losses, and play with scenarios—like the malware doesn’t make it off workstations (not so expensive) or does spread widely through shared drives (much more expensive)—all quantified with hard numbers to facilitate spending decisions.
In other words, FAIR points the way to:
- Assess the right controls for ransomware defense
- Act on those findings
- Don't over-react or under-react to the potential threat
To see what we're talking about, look at this case study:
Then watch this webinar…
…to see how RiskLens analysts go step by step from defining the threat to gathering company data, to determining the potential magnitude of a ransomware event to calculating the effect of anti-malware defenses to putting it all together in an aggregated, company-wide exposure to loss.