As the aftershocks of last week’s big “WannaCry” cyberattack reverberate, it’s worth taking a moment to think about what it all means.
First, ransomware is a growing menace, and this may be the case that gets it global attention. The idea behind ransomware is simple: no one is willing to pay as much as you for your data. Instead of copying critical data and trying to sell it to others, ransomware authors will simply deny their target access until payment is made. Documents or medical records might not have much resale value, but if a hospital needs them to operate, suddenly they become very valuable. With data decryption usually priced in the hundreds of dollars, many organizations find it easier to pay and move on; the leading cybersecurity firm Trend Micro recently researched UK organizations who have received ransomware in the past two years and found that almost two-thirds of those it surveyed paid the ransom. Organizations that have paid include hospitals and police departments, as well as countless companies.
Second, what made the WannaCry ransomware so powerful is how quickly it spread. It took advantage of a vulnerability in a part of the Windows operating system known as Server Message Block—the same vulnerability that had been previously exploited by the United States National Security Agency and that was made public by an unknown group known as The Shadow Brokers. It appears that the WannaCry ransomware was often delivered by a social engineering email. Once it was opened, this vulnerability in Windows systems enabled the malicious code to spread quickly across an organization’s network, infecting not just one computer, but many.
Pieces of malicious code that employ this self-spreading technique are called “worms.” While the cybersecurity world has seen worms before—the Stuxnet attack carried out against the Iranian nuclear program is probably the most famous—WannaCry quickly became the most significant piece of “wormable” ransomware to exist. It probably won’t be the last.
Third, and perhaps more important: like the emperor’s new clothes, even this new-fangled ransomware isn’t as sophisticated as it’s cracked up to be. Most ransomware attacks can be prevented by good cybersecurity practices. In this case, the Server Message Block vulnerability in Windows that WannaCry exploited had been fixed by Microsoft before the details became public and before the WannaCry code was written. Anyone who applied the March security update to Windows didn’t have any trouble with WannaCry. Most fortunate of all, the authors of WannaCry seemed to make a fairly basic mistake that bought network defenders critical hours. When a security researcher—who remains anonymous and goes by the pseudonym MalwareTech—registered a domain name to which the malicious code was attempting to connect, he rendered the code inert. This likely spared thousands of people from having their data locked away.
There is a clear lesson for all of us from this incident: cybersecurity can be hard, complex, time-consuming, and expensive—but not impossible, especially against comparatively unsophisticated criminals. There is never a silver bullet solution, but there are a lot of small things that can go a long way. For organizations and individuals, chief among these is making sure that the software they run is kept up to date. Patching is often harder than it sounds, but it is a task that deserves significant attention by network defenders. In systems that aren’t easily patched—such as some medical devices—network defenders should take care to make sure those systems aren’t easily accessible. In an era of wormable ransomware, it’s too dangerous to have any one computer be an entry point to the entire network and a single point of failure. If that lesson wasn’t clear before, perhaps this past week will be a much-needed wake up call.
Featured image credit: Cyber Security by typographyimages. CC0 public domain via Pixabay.