Improving Cybersecurity In The Aftermath Of The World’s Largest Ransomware Attack

Lane Leskela

On Friday, May 12 – just prior to the start of SAPPHIRE NOW – the world experienced the most extensive ransomware attack to date from a source linked to North Korea. Known as “WannaCry,” the ransomware worm that infected computers in as many as 150 countries appears to have been released by a hacking organization known as the Lazarus Group. By Saturday, May 13, the worm was reported to have infected more than 230,000 computers belonging to Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx, Deutsche Bahn, and hundreds of other organizations across the globe.

WannaCry leverages an exploit known as EternalBlue – designed for use by the U.S. National Security Agency (NSA) – that the hacker group identified as The Shadow Brokers made public on April 14, 2017. Associated with North Korea, the Lazarus Group is also believed to have been behind the well-documented hack of Sony Pictures in November 2014 and to have successfully removed US$81 million from the central bank of Bangladesh in 2016. The ransom demanded to unlock encrypted hard drives in the WannaCry attack was relatively low at $300 to $600 per device (to be paid in Bitcoin).

Shortly after the attack began, a Web security researcher based in the United Kingdom that blogs under the name “MalwareTech” inadvertently discovered an effective kill switch by registering an unregistered domain name he found in the WannaCry code. MalwareTech pointed the newly registered domain to a sinkhole – a server that collects and analyzes malware traffic. This action greatly slowed the spread of the infection, effectively halting the outbreak by Monday, May 15. However, newer versions of the WannaCry code have since been detected that lack the kill-switch feature. Security researchers have also found ways to recover data from some of the infected devices.

WannaCry presents something new for cybersecurity experts

This latest global attack includes some surprises for cybersecurity experts who have noted that, as known state actors, the hackers at Lazarus Group appear to have turned to common monetary-induced cybercrime. The undifferentiated, global scale of the WannaCry attack – which exploited known vulnerabilities in older versions of Microsoft Windows – did not fit the profile of previous motives and targets identified with this group.

In fact, hackers affiliated with governments generally conduct espionage, steal intellectual property, attempt to shut down specific political organizations, and take money from non-commercial banks. Operators at Lazarus are known for their patient preparation and precision in striking specific targets. But the WannaCry attack pattern matched the characteristics of an organized cybercrime unit.

nature of cyber attacks

Protect your organization from cybercrime

To provide some measure of protection for customers who don’t wanna cry every time there is a significant or even low-level cyberattack on their systems and data, solutions are available that help detect and prevent unwanted intrusions from hackers of all shapes and sizes.

These solutions allow you to perform real-time analysis and correlation with the vast quantity of log data generated by systems running both SAP and non-SAP software. They help fight cybercrime, insider attacks, and data breaches, and enhance data security and protection (of intellectual property, sensitive data, and the organization’s reputation), detecting and providing countermeasures for:

  • Software vulnerabilities (Security Notes)
  • Critical authorization assignments
  • User manipulations/morphing
  • Changes to standard users
  • Brute force attacks
  • Suspicious logins
  • Failed logins
  • Unusual communication and download patterns (users, technical users, systems)
  • Security configuration changes
  • Cross-landscape communication
  • Access to critical resources
  • Information disclosure
  • Data manipulation
  • Debugging
  • Denial of service (DoS)
  • Web security
  • Cross-site request forgery (CSRF) token attacks
  • SPNego replay attacks

Learn more

Find out more about SAP’s powerful GRC and security solutions portfolio, focused on threat definition, identification, analysis, and countermeasures. 

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | FacebookYouTube


Lane Leskela

About Lane Leskela

Lane Leskela, global business development director, Finance and Risk, for SAP, is an accomplished enterprise software leader with years of experience in customer advisory, marketing, market research, and business development. He is an expert in risk and compliance management software functions, solution road maps, implementation strategy, and channel partner management.