Earlier the week I was interviewed by the local ABC Affiliate. The next day, my team pulled together roughly 40 Red Sky Alliance members for a —largely on my request to better understand and make sense of all of the noise in the press.
Yesterday, I picked up flowers at a local shop, when one of the owners approached. She'd seen me on WMUR and wanted to tell me that she'd also experienced a WannaCry incident. This was the third such mention by someone who'd been infected. None of the three had full backups. All three told me that because 'they' (meaning the press, largely because of circular reporting) had instructed victims to not pay the ransom. I handed them a business card and told them to call me Monday.
I have a few thoughts.
1. Don't pay? Be careful. Large companies, and those smaller companies who are prepared for such an event might be fine not paying the ransom. What's 'prepared' mean? It means that you can completely restore lost data from tested backups. In these cases, none of the three had complete backups. They will soon. Each lost far more revenue than they would have if they'd have just paid the ransom.
2. Make your own decisions. The government doesn't run your business. The press only reports what others tell them. Many times those opinions are based on something reported by others —often times coming directly from the government. In this case the government urges people to not pay the ransom. The US does not negotiate with
3. Who did this? I'm not sure anyone has any real evidence. One report compared WannaCry with Lazarus, but in our work, we found only six lines of code in common —largely machine generated; and our opinion, not a good indicator. We discounted it. We do however have theories… we rarely look at attribution at the country level (i.e.: Russia, China, N. Korea). I prefer to look for individuals. In this case, I think the story will unfold. My team, and our Red Sky members, are watching to see if this is a test. My bet? There'll be more.
WannaCry encrypted over 200,000 computers. Last heard, the attackers earned slightly over $75,000 US. Not a bad payday if you're sitting in someones garage punching a keyboard. Not so good if it's a country attempting to steal money (N. Korea?).
The bigger lesson? I have two. First, small business owners listen to the government, but in this case, the government (and repeated by the press) didn't give adequate guidance to small businesses. In fact, Here's what the US-CERT offered as guidance: