Rarely has cybersecurity become a dinner-table conversation — until WannaCry. With the widespread general news coverage of the ransomware that emerged early on Friday, May 12, Internet-based malware became real to tens of thousands of users in more than 150 countries. Seemingly every hour, we learn more about WannaCry (also known as WannaCrypt or WCry):
- It’s ransomware that asks for 0.1781 Bitcoins (about $300) in exchange for decrypting data.
- Sources say that WannaCry has netted only $70,000 to the attackers.
- It’s hard to verify that paying the ransom actually restores the data and removes the malware.
- The malware spreads across and between networks by exploiting flaws and leveraging a previously unknown backdoor.
- Affected computers are running older versions of Windows desktop/notebook and Windows Server.
- The flaw that allows WannaCry to work was disclosed when the National Security Agency was hacked in January 2017.
- Microsoft released a patch in its Security Bulletin MS17-010, published on March 14.
- There are no known reports of properly patched systems being infected by WannaCry.
As of Tuesday, May 16, there has been some media speculation that the attack originated in North Korea. However, at this point, the evidence is circumstantial, and could have been planted to throw investigators off the trail.
A couple of countries particularly hard-hit by WannaCry are China and Russia, in large part because software piracy is rampant there — and pirated copies of Windows can’t use the Windows Update functionality that Microsoft provides to push out software patches like the one in Security Bulletin MS17-010.
For its part, Microsoft is trying to be a good citizen; shortly after WannaCry appeared, the company created versions of the patch for obsolete versions of Windows that normally wouldn’t receive updates:
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.
The good news is that for the most part, WannaCry has been defanged; by registering a “kill switch” web domain coded into the malware, the software has been “told” to stop infecting new systems. While damaged systems remain damaged, the spread of the software is slowed, or potentially stopped outright. Of course, it should be relatively easy for bad actors to create a version of WannaCry without the “kill switch” control mechanism — in other words, one that can’t be stopped using this simple method.
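The kill switch cuts both ways for defenders: because the malware looks up the registered domain before it does anything else, a DNS query for that domain from an internal host is a strong sign that the worm reached that machine, even if the lookup succeeded and the infection halted. The following script is an added example (not code from the original post) that scans resolver query logs for such lookups and reports which clients made them; the domain name is a placeholder, not the real kill-switch domain, and a BIND-style query log format is assumed, with the sample lines constructed for illustration.

```python
import re

# Placeholder only: the real kill-switch domain is not given in this article.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample lines in the BIND query-log format assumed here.
SAMPLE_DNS_LOG = """\
16-May-2017 09:12:01.114 client 10.0.4.17#51234: query: www.example.com IN A + (10.0.0.53)
16-May-2017 09:12:03.552 client 10.0.4.22#49152: query: killswitch-domain.example IN A + (10.0.0.53)
16-May-2017 09:12:07.001 client 10.0.4.22#49153: query: killswitch-domain.example. IN A + (10.0.0.53)
16-May-2017 09:15:44.900 client 10.0.9.8#60001: query: KILLSWITCH-DOMAIN.EXAMPLE IN A + (10.0.0.53)
16-May-2017 09:16:10.300 client 10.0.4.17#51240: query: mail.example.com IN MX + (10.0.0.53)
"""

# Extract timestamp, client IP and queried name from one BIND query-log line.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize_name(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def parse_query(line):
    """Return (timestamp, client_ip, normalized_qname) or None if not a query line."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), normalize_name(m.group("qname"))


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the kill-switch domain to its lookup count."""
    target = normalize_name(domain)
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        _ts, ip, qname = parsed
        if qname == target:
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def report(log_text, domain=KILL_SWITCH_DOMAIN):
    """Human-readable summary of hosts that should be isolated and checked for MS17-010."""
    hits = find_kill_switch_lookups(log_text, domain)
    if not hits:
        return "no kill-switch lookups found"
    lines = ["hosts that queried %s (check patch status, isolate if unpatched):" % domain]
    for ip in sorted(hits):
        lines.append("  %s: %d lookup(s)" % (ip, hits[ip]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DNS_LOG))
```

Matching is done on the normalized name so that mixed-case queries and a trailing root dot do not slip past the check. Each flagged host should be treated as having been reached by the worm: confirm that the MS17-010 update is installed and, if it is not, take the machine off the network before it is reached by a variant without the kill switch.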
Implications of WannaCry
Since this malware appeared, there has been much murmuring about the need to tighten up software security. Unfortunately, the best avenues for fixing the problem are simply not feasible. For example, it would be great if an email’s sender had to be positively identified by the originating SMTP server, and every message scanned for malware or malicious links. Ain’t gonna happen.
Until WannaCry, the onus for staying safe from malware had been on the recipient of the malicious email, who can easily be tricked by a spoofed “from” address claiming that the file called budget2017.xlsx was really sent by your CEO… instead of by a hacker halfway around the world who figured out whom to contact and copied your company logo. Now we know better: ransomware can propagate on its own.
In the United States, one day before WannaCry hit, President Trump signed an Executive Order about cybersecurity. The timing was probably coincidental, but it’s a step in the right direction – leadership must come from the top, from government, not merely from innovative companies. They can solve symptoms, but only governments can solve the problem.
The Executive Order is mainly focused on protecting government and military computers, but it does include this section:
Cybersecurity for the Nation.
(a) Policy. To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.
Let’s hope that WannaCry is a wake-up call to everyone in the industry — including government agencies like US-CERT, software makers like Microsoft, and cybersecurity firms all over the world — that we need to get serious about malware and cybersecurity. It needs to be more than a trending topic on the news, on Facebook, and on Twitter. After all, the next malware attack may demand a lot more than 0.1781 Bitcoins.