On 12 May 2017 the world was hit by a cyber-attack of unprecedented proportions. 2016 had already marked a huge uptick in ransomware and other cyber-crime, but the WannaCry ransomware attack was on a different scale entirely.
The attack began on Friday 12 May and within days had infected more than 200,000 computers in 150 countries, the malware demanding ransom payments in bitcoin in 28 languages. It hit many notable organisations, including Britain’s National Health Service, FedEx and Deutsche Bahn, and crippled public and private organisations across Russia and Asia.
What is WannaCry?
WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0 or Wanna Decryptor) is a ransomware worm that targets the Windows operating system. Early reports suggested it arrived by phishing email, but the worm needs no user interaction at all: it scans for machines exposing SMB on TCP port 445, both across the internet and inside any network it has reached, and uses the EternalBlue exploit and the DoublePulsar backdoor, both developed by the NSA, to infect any that have not installed Microsoft’s March 2017 security update (MS17-010). Systems that were already out of support, such as Windows XP, had no patch available at all until Microsoft issued an emergency one after the outbreak, although the great majority of infections were in fact unpatched Windows 7 machines.
Once on a system WannaCry behaved like typical ransomware: it encrypted the user’s files and then displayed a notice demanding $300 in bitcoin, rising to $600 if not paid within three days, with a threat to delete the files after seven days.
The purpose of WannaCry is not entirely clear. The attack generated comparatively little money for its perpetrators and its targeting was indiscriminate, which sits oddly with both a political and a financial motive. Many observers have put the kill switch down to sloppy coding on the attackers’ part and left it at that; another reading is that the domain lookup was an anti-analysis check, since malware sandboxes commonly answer every DNS query and the worm would simply exit inside one. Perhaps the most compelling, and most alarming, theory is that the attack was a probe of our defences: the attacker left an easily found kill switch in place to see how long we would take to stop it, so that a later attack could be tuned for maximum damage.
There is a possibility that WannaCry was developed by the North Korea-linked Lazarus Group, which has been behind a number of other high-profile attacks. There is, however, little direct evidence to pin the attack on them, so at this stage it is difficult to say exactly who is responsible. While early WannaCry samples shared some code with previous Lazarus Group tools, the worm was far more indiscriminate, which does not fit the group’s previous methods.
What is the impact of the WannaCry attacks?
The attack caused chaos across the world; in particular it crippled the United Kingdom’s National Health Service (NHS) and affected a number of large private and public institutions across Russia and Asia. All in all, Europol estimates that around 200,000 computers were infected across 150 countries.
Despite the huge scale, the attackers have not made much in the way of material gain: only around $60,000 is estimated to have been paid to them so far.
The attack was stopped from spreading when a researcher known as MalwareTech noticed an unregistered domain hard-coded into the malware. On a hunch he registered it and pointed it at a DNS sinkhole. The worm only proceeds with infection and encryption if it cannot connect to that domain, so once the domain started answering, new copies of the malware stopped dead. This did nothing for machines already encrypted, and it does not help hosts whose outbound web traffic must go through a proxy, because the check is not proxy-aware; later variants also appeared with different kill-switch domains or with none at all.
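The two behaviours described above, the kill-switch lookup and worm-style SMB spreading, are also the two easiest things to hunt for in your own logs. The following is an added example written for this article, not code from the original page or from MalwareTech; it assumes two simple log formats of my own choosing, a DNS query log and a connection (flow) log, and the sample lines are constructed, not real captures. The scan window and threshold are assumed, tunable values. The kill-switch domain is the one MalwareTech registered; later variants used other domains, so treat that list as something to extend rather than a complete indicator.

```python
"""Detection logic for two WannaCry indicators, run over constructed sample logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The unregistered domain hard-coded in the first WannaCry variant; MalwareTech
# registered it as a sinkhole on 12 May 2017. Later variants used other domains
# or none at all, so extend this check rather than rely on it alone.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

SMB_PORT = 445
# Assumed, tunable values, not figures taken from the article.
SCAN_WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 20


def parse_dns_line(line):
    """Parse the assumed DNS log format: '<iso-ts> <src_ip> query <name>'."""
    ts, src, verb, name = line.split()
    if verb != "query":
        raise ValueError(f"unexpected DNS record: {line!r}")
    return datetime.fromisoformat(ts), src, name.rstrip(".").lower()


def parse_flow_line(line):
    """Parse the assumed flow log format: '<iso-ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def killswitch_queriers(dns_lines):
    """Hosts that looked up the kill-switch domain (or any label under it).

    WannaCry performs this lookup before it does anything else and exits if it
    succeeds, so a host that queried the domain has already executed the malware,
    even when the sinkhole stopped it from encrypting anything.
    """
    hits = set()
    for line in dns_lines:
        _, src, name = parse_dns_line(line)
        if name == KILLSWITCH_DOMAIN or name.endswith("." + KILLSWITCH_DOMAIN):
            hits.add(src)
    return hits


def smb_scanners(flow_lines, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Sources that reached >= threshold distinct hosts on TCP 445 inside one window.

    A workstation normally talks SMB to a handful of servers; a worm probes many
    neighbours in quick succession. Returns {src_ip: peak distinct destinations}.
    """
    per_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, port = parse_flow_line(line)
        if port == SMB_PORT:
            per_src[src].append((ts, dst))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations inside the sliding window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have fallen out of the window ending at ts.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings[src] = peak
    return findings


def sample_dns_log():
    """Constructed sample lines, not real captured data."""
    return [
        "2017-05-12T10:01:03 10.0.0.5 query update.example.net",
        "2017-05-12T10:02:17 10.0.0.7 query www." + KILLSWITCH_DOMAIN,
        "2017-05-12T10:02:18 10.0.0.7 query " + KILLSWITCH_DOMAIN,
        "2017-05-12T10:40:52 10.0.0.12 query www." + KILLSWITCH_DOMAIN + ".",
    ]


def sample_flow_log():
    """Constructed sample lines: one worm-like host, one normal client, one slow host."""
    base = datetime(2017, 5, 12, 10, 2, 20)
    lines = []
    # 10.0.0.7 sweeps 40 neighbours on 445 within 40 seconds: worm behaviour.
    for i in range(1, 41):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 10.0.1.{i} 445")
    # 10.0.0.5 talks to its two file servers repeatedly: normal.
    for i in range(6):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.2.{10 + i % 2} 445")
    # 10.0.0.9 touches 25 hosts but five minutes apart: never 20 inside one window.
    for i in range(25):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 10.0.3.{i + 1} 445")
    # Non-SMB traffic from the worm host is ignored by the SMB check.
    lines.append(f"{base.isoformat()} 10.0.0.7 10.0.1.1 443")
    return lines


if __name__ == "__main__":
    print("hosts that queried the kill switch:", sorted(killswitch_queriers(sample_dns_log())))
    print("worm-like SMB scanners:", smb_scanners(sample_flow_log()))
```

A kill-switch hit means the malware ran on that host and should be treated as an infection, not a near miss; the SMB check catches spreading regardless of which kill-switch domain a variant carries, which is why the two are worth running together.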
So, who is to blame?
There is plenty of blame to go around. This attack has highlighted inadequacies in our cyber-defences to a painfully obvious degree. In essence we were saved by a surprising kill switch and the actions of one security researcher. That might make a good plot for a TV show, but it is hardly a comforting assessment of the state of the world’s cyber-security.
So, whose fault is it? Let us start with the National Security Agency. In April 2017 a group calling itself the “Shadow Brokers” published a set of hacking tools stolen from the NSA. One of these, EternalBlue, was key to Friday’s attack. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol that lets an unauthenticated attacker execute code on a targeted computer over the network. Edward Snowden and Microsoft have both blamed the NSA for stockpiling such weapons, Microsoft likening the theft of EternalBlue to the theft of a Tomahawk missile. The argument is that, had the NSA told Microsoft about the vulnerability when it found it rather than once the tools had been stolen, this situation could have been avoided.
While the NSA is certainly at fault, Microsoft should perhaps not be so quick to point fingers. The NSA was negligent, but it did not create WannaCry; the worm simply used the NSA’s tools, and those tools exploit a vulnerability in Microsoft’s own code. Microsoft, presumably acting on an NSA tip-off, patched the vulnerability in March (MS17-010), yet two months later the worm still spread like wildfire.
The reason for that is the third party at fault: us. When it comes to cyber-defence a single weak link can bring down an entire network and, let’s be honest, we have probably all been that weak link at least once.
Microsoft may have released an update, but it is down to users to install it. In many cases there is a justifiable reason for not doing so: IT managers are wary of pushing out updates because they can break complex systems in unforeseen ways, and many companies only roll out updates every few months, so they would not have installed the patch yet. Many of us also simply don’t update out of laziness, or because we run pirated copies that don’t receive regular updates.
On top of this, users with relatively low computer literacy are being asked to identify increasingly sophisticated attacks. Relying on the same people who call IT when their computer is unplugged to be the first and last line of defence against ransomware is not exactly comforting.
So everybody is at fault; where do we go from here?
The WannaCry attack has clearly exposed some major flaws in our cyber-defences. Intelligence services stockpiling rather than disclosing exploits, software producers leaving holes open in products they no longer support, and users not acting on urgent updates and alerts combined to form a perfect storm of vulnerabilities, which the attackers were able to exploit.
The attack clearly demonstrates that we desperately need a collective security policy, but is the “Digital Geneva Convention” called for by Microsoft’s Brad Smith the right answer? It would outlaw state cyber-attacks on civilians and oblige security agencies to report the vulnerabilities they find to software vendors rather than hoard them. That would deny criminals the use of those vulnerabilities, but it would also deny them to the security services, who will view it as a demand that they unilaterally disarm. We could very well tell them to comply, but whether they would is another matter, and given the track record of intelligence services worldwide I would not hold my breath.
As we can’t rely on our intelligence services, the burden falls on software developers, users and cyber-security companies. Security companies need to move towards data-sharing and accept that they can’t withhold information from competitors when it is in the public good. There are already positive examples of this beginning to happen, and the hope is that WannaCry will act as a much-needed wake-up call.
Despite the financial burden, software developers may be forced to accept that they have to keep providing security patches for older systems in order to close holes that criminals can exploit. The alternative of locking users out of outdated operating systems would likely just push people towards pirated software.
This then brings us to us, the users. The WannaCry attack was a far bigger threat to businesses than to individuals, but the next attack might go the other way. IT managers and business owners need to come to terms with the fact that cyber-security has to be taken seriously. Updates should be applied regularly, SMB (TCP port 445) should be blocked at the network perimeter and SMBv1 disabled wherever it is not needed, and staff need to be taught how to identify suspicious emails and websites.
Ordinary users will have to get into the habit of updating regularly: either turn on automatic updates or set a reminder. There are a few things you can do to make sure you are secure:
Make sure that any software you are using is still receiving security updates; if it isn’t, you may have to consider upgrading.
Stop using pirated operating systems: they don’t receive updates and you don’t know what malware shipped with them. (If you can’t afford a new Windows licence, it could be worth looking at Linux, which is free after all.)
Check incoming emails carefully. Do not open attachments or links from anyone you do not trust, and always double-check the sender’s address, since phishing attacks often masquerade as official communication.
Take regular backups, and keep at least one copy offline or otherwise disconnected from your machine. This protects you against hardware failure and limits what an attack can cost you; ransomware will happily encrypt a backup drive it can reach.
Under no circumstances should you pay the ransom. It only encourages further attacks and there is no guarantee your files will be unlocked; you are relying on the goodwill of the people who locked you out. In WannaCry’s case the malware used just three hard-coded bitcoin addresses, so a payment could not even be automatically matched to the victim who made it. Do you really trust their word?
If the WannaCry attack has demonstrated anything, it is that we all need to start taking cyber-security seriously. Governments, private companies and individuals all need to take their share of the blame and their share of the responsibility for ensuring that this kind of attack never happens again.
If the theory that the WannaCry attack was a probe of our defences is correct, then we will need to act fast. The next attack will not be so easy to stop and will probably cause even more damage.