Earlier in May, a ransomware program best known as WannaCry began making headlines worldwide. Its reach was vast, affecting large organizations and small alike. It left many asking how and why such a piece of software could be created, take root, and hold valuable, private data for ransom. If one thing is clear in its aftermath, it is that this won’t be the last time we see an attack like this.
Like many breaking stories this year, it started with a steady stream of leaks. A group of hackers known as the Shadow Brokers began leaking highly classified NSA hacking tools to the internet, tools they had reportedly stolen back in 2013. Apart from the tools themselves, the leaks confirmed the existence of a previously undisclosed exploit against multiple versions of the Windows operating system, one the NSA had appropriated but had remained silent on.
This raises important moral questions we have to ask ourselves in the wake of WannaCry. Did the NSA have a responsibility to report the flaw to Microsoft? The U.K.’s NHS systems were down for hours, leaving many waiting for vital medical procedures such as surgeries and x-rays. The NSA knew that this exploit had been stolen from them at least three years prior. Many feel it was in everyone’s best interest to notify the proper channels (especially once they knew they had lost control of it), but the NSA felt differently. Well after the fact, they continued to use this exploit to their advantage in cyber operations until they no longer could. The NSA’s role in this story will be a matter of continued debate for the foreseeable future.
It’s important to note also that while the Shadow Brokers leaked the exploit that WannaCry’s backbone was built on, they were most likely not the architects of the ransomware. Currently, the #1 suspect for building WannaCry is North Korea, according to multiple security firms.
The good news in all of this, though, is that Microsoft reacted very quickly to close the hole. Not only did they fix the issue in every modern version of Windows, but they also made the commendable decision to patch Windows XP, for which they dropped support back in early 2014. So, if this exploit has been known publicly for months and Microsoft released a patch to fix the issue, what exactly happened?
Bad Decisions Were Made
Every company or organization affected by WannaCry falls into one of two categories:
- Didn’t Upgrade: Their IT department neglected to apply the newest patch, despite its ‘Critical Update’ rating.
- They be Pirates: Their organization’s backbone was built on pirated software, and they were unable to apply the patch.
The only common theme in these two categories is the human error factor. On top of this, someone on the “inside”, probably an employee, had to open an email or executable file that installed the virus on susceptible systems. In IT security lingo, this type of virus is called a “worm” because it does not stop at the system it first infects: it seeks out (or “tunnels” through to) other systems on the host network and replicates itself onto them.
In just a short amount of time, an entire company could be locked out of its network and computers. To regain access, the organization would have to make a Bitcoin payment to the hackers (hence the term “ransomware”). It’s estimated that only around $70,000+ in Bitcoin was paid out to the creators. While a generous sum of money to most, this is good news because it pales in comparison to the billions of dollars in damage the attack caused. Causing so much destruction and affecting so many lives for such a small payout means that future cyber-criminals may think twice when weighing the risk factor.
The bad news is that all indications show this may have been a pet project for the perpetrator(s), who had little interest in financial gain. In many of the assessments made in the aftermath, the code just doesn’t show much sophistication, which is terrifying in and of itself considering how widespread the infection was. There are more than a couple of indicators supporting this theory, but here are two key ones:
- Three Bitcoin addresses were hard-coded into the ransomware, whereas we would expect those addresses to be generated dynamically so they’re harder to track, then funneled into more specific end-point addresses that the hackers control.
- The software’s Achilles’ heel is notable in that it was dependent on the registration of an unlikely, obscure domain name. A teenage hacker saw the domain in question in a line of code and, upon registering the domain name for $10.69, crippled the ransomware worldwide.
Collectively, this means this was, possibly, just a trial run and next time could be a completely different scenario. It’s certainly a proof-of-concept if nothing else.
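To show why hard-coded payment addresses are so easy for analysts to pull out of a sample and watch, here is an added Python example (not from the original post or from any WannaCry analysis) that scans a constructed fake binary for strings in Bitcoin’s legacy address format and keeps only those whose Base58Check checksum verifies. The sample bytes are constructed for illustration; the one valid address in them is the well-known genesis-block address, and a one-character corruption of it is included to show the checksum rejecting it.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate pattern: legacy addresses start with '1' or '3' and are 26-35 chars long.
ADDR_RE = re.compile(rb"[13][" + B58_ALPHABET.encode() + rb"]{25,34}")


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to raw bytes; each leading '1' is a leading 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_address(s: str) -> bool:
    """Base58Check: the last 4 bytes must equal the first 4 bytes of SHA256(SHA256(payload))."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(blob: bytes) -> list[str]:
    """Return unique, checksum-valid Bitcoin addresses found as plain strings in blob."""
    found = []
    for m in ADDR_RE.finditer(blob):
        cand = m.group().decode("ascii")
        if is_valid_address(cand) and cand not in found:
            found.append(cand)
    return found


# Constructed sample "binary": a fake header, a real-format address embedded as a
# plain string, and a corrupted copy of it (last character changed) that must be rejected.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"Send payment to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa now\x00"
    + b"\x00" * 8
    + b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"  # checksum broken
    + b"random 1234567890abcdef garbage\x00"
)

if __name__ == "__main__":
    print(extract_addresses(SAMPLE_BINARY))
```

Run against a real sample, the same scan gives an analyst a watch-list of addresses to monitor on the public blockchain without running the malware at all.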
One thing remains clear after the dust has settled: we must make better decisions and do our best to prepare for these kinds of disasters. In a lot of ways, we can take notes from government agencies like FEMA and the CDC by being prepared for when the unthinkable strikes.
- Back up everything. Running regular backups can help mitigate damage. Being able to roll back to the day before, or even last week, is better than having access to nothing at all.
- Watch for updates. Enabling auto-updates may not be for everyone, but those that don’t have to be vigilant and check for updates regularly.
- Exercise caution when opening emails and attachments. Every company affected by ransomware has probably had an employee who made this mistake. Make sure you know who the email is from before opening anything.
- Quarantine infected systems. If you suspect that a virus has infected your system, it may already be too late for the network, but you can possibly mitigate its spread by unplugging the Ethernet cable or disconnecting from your network’s WiFi.
You don’t necessarily have to train every employee to be an expert, but it’s best practice to give your organization an idea of what to do to avoid the fallout of ransomware like WannaCry in the future. Otherwise, next time we probably won’t be so lucky.