5 things we learned from WanaCryptor, the biggest ransomware attack in internet history
On Friday, some hospitals in the United Kingdom were struck with a peculiar attack: computers taken over, data inside encrypted and held ransom, all for the measly payment of just $300. The attack spread rapidly, hitting 150 countries and shutting down everything from telecoms in Spain to the Interior Ministry in Russia. And then, through a stroke of luck, the WanaCryptor attack was stalled in its tracks, a killswitch discovered by happenstance just in time for the weekend. What, exactly are we to make of the largest ransomware attack in history?
It was based on a leaked NSA “cyber-weapon”
The worm, known variously as WannaCry, WanaCryptor, and WannaCrypt, targets computers running Microsoft operating systems. It is built on an exploit named EternalBlue, one of many NSA “cyber-weapons” released by a group known as the Shadow Brokers, who first started leaking NSA tools late last summer.
It spread without exploiting user interactions
Unlike phishing or spearphishing attacks, where a computer is compromised because a user clicks a link in a targeted email, WannaCry works without exploiting any human error.
Kasperksey Lab, a well-known cybersecurity company, wrote in a richly detailed FAQ about the attack that “Perhaps the main reason why Wannacry was so successful is the fact that the EternalBlue exploit works over the Internet without requiring any user interaction.” Because it strikes over networks, it can still wreak havoc inside a local network even with the killswitch active, as the killswitch needs the internet to work.
The killswitch was a simple URL check
Before WannaCry spreads, it checks to see if it can connect to a specific domain. If the domain is registered and occupied, it’s done, and proceeds no further. If it fails to connect, then WannaCry spreads as it was designed to do, infecting machines and demanding ransom.
The killswitch was discovered by a young computer security researcher in the United Kingom, who registered the domain specified in the WannaCry programming, and then routed traffic to it to a sinkhole server, meant for trapping botnets. This security researcher wrote a great write-up of the experience of catching WannaCry, which is here.
For his trouble, the pseudonymous researcher then had his identity revealed by British tabloids. One reason to be pseudonymous is to make it easier to get security work done without becoming a specific target for the kind of people whose attacks he is trying to stop. That matters especially with WannaCry, because future versions of the ransomware (some of which may already be live and in the wild) may not include the killswitch, which will make them harder to stop.
It preyed upon un-patched computers
Microsoft released patches for the vulnerable operating systems that can prevent the present version of WannaCry from infecting patched computers. The first patch that protects against attacks like this was released in March, though not every user automatically downloads and installs all patches or software updates. Microsoft reactively released a patch for Windows XP, a 16-year-old operating system that is no longer officially supported, yet still used in many computers. (Microsoft also released patches for two other operating systems still only in “customer support,” Windows 8, and Windows Server 2003). In customer guidance released about the attack, Microsoft recommends automatically updating as a proactive measure.
Cisco’s Talos threat monitoring and protection team also recommends blocking TOR exit nodes so that WannaCry cannot spread into an organization through the routing anonymization tool. Beyond that, the Talos recommendations include industry best practices like only using operating systems that are actively supported and receive security updates, timely security patching, running anti-malware software, and especially, having a plan for disasters with data regularly backed up and stored in devices that are kept offline. The more redundant data stored where hackers can’t access it, the less compelling it is for people to pay ransom.
Preventing and recovering from this kind of attack is expensive and complicated
WannaCry worked because of a complex mishmash of circumstances. The availability of bitcoin as a way to pay ransoms to anonymous criminals certainly helped, as did the exploit developed by the NSA itself. Both took place in a context where people and organizations still use old software, and it’s easy for companies like Microsoft to shift blame onto the NSA for making the exploit and on users for not patching security.
“Technology is shipped so full of holes that a huge part of the industry is a massive crew of highly-trained professionals working flat out to plug all the leaks, writes cybersecurity commentator Stilgherrian. “Then, when customers inevitably slip and sink into in this torrent of faults, the vendors and cybersecurity professionals blame them for being unable to swim.”
Put more generously, the organizations that buy technology want to put it to use for its intended purpose, and often don’t have the budget or expertise to make sure that any given technology does its stated job and doesn’t have any security flaws. As we noted when WannaCry spread on Friday, security researchers found the NHS using outdated software back in November. Fixing that software isn’t just a matter of finding a new operating system, it’s finding and installing one that won’t break the existing system, then training everyone who needs to use it how to do so, and then hoping that the new software won’t become outdated. Constant security is expensive for everybody, but especially so for end-users. And when things go wrong, it can cost tens of millions of dollars, almost all shifted onto the back of the software buyers, and not the software makers.