Updated at 1:40 p.m. PST with additional details on which computers WannaCry infected, and new tools to remove the ransomware without paying.
One of the worst ransomware cases ever began spreading across the world last Friday morning with an apt, depressing name: WannaCry. This malicious software, which has infected more than 300,000 Windows computers in more than 150 countries, spreads like an highly aggressive stomach flu, leaping from one unpatched Windows computer to the next, and without the need for a human hand to help it along.
Despite its nefarious origins at the National Security Agency, where the Windows vulnerability that WannaCry exploits to infect computers was discovered, the ransomware underscores the woeful state of computer security in institutions that form the lifeblood of modern society: hospitals, power plants, oil companies, and financial firms.
Make no mistake, WannaCry continues to be a serious problem even though its initial damage has been contained. After initially crippling England’s National Health Service network of hospitals and Spanish mobile provider Telefonica, WannaCry leaped to the rest of Europe, including German railway operator Deutsch-Bahn and French car manufacturer Renault. It hit Asia, where it infected computers mostly in China, Indonesia, and Japan.
The ransomware’s spread was dramatically slowed, thanks to the quick thinking of 22-year-old British computer security expert Marcus Hutchins, who discovered a killswitch (or a part of the ransomware’s code that acted like one), which stopped WannaCry from hitting even more targets early on. Although the move largely kept it out of U.S. and Canadian machines, global shipper FedEx still saw its computers infected.
“This outbreak could have been prevented.”—Matthew Hickey, co-founder and director, Hacker House
Once a computer has been hit by WannaCry, which is known by a host of similar names including WCrypt, WCry, and WanaCrypt0r, it searches for 176 different file types, appends .WCRY to each file it finds, and locks them until you pay between $300 and $600 to unlock your data.
Less clear is who is in WannaCry’s crosshairs, Caleb Barlow, vice president of threat intelligence at IBM Security, wrote in a blog post. “We know how the malware propagated—through a Microsoft Windows vulnerability—but how was patient zero infected in each of these companies? And why are we not seeing a flood of consumer infections?”
Research from Kaspersky Lab indicates that the majority of those infected were running Windows 7 and Windows Server 2008 R2, both older systems.
Of course, if you installed the patch that Microsoft made available in late March, WannaCry wouldn’t have been able to come near your computer. New software tools developed after the ransomware went global might allow some WannaCry victims to unlock their computers without have to pay the ransom, but the damage is widespread.
Fewer consumers than ever are running unpatched Windows computers, in large part because Windows—like Apple’s Macs and iPhones, and Google’s Androids—automatically updates with the latest security patches. But organizations running critical infrastructure, from power plants to hospitals, often hold off on system updates. They can be expensive, and can actually hurt people, if improperly implemented.
Therein lies the paradox of WannaCry’s impact, says Matthew Hickey, the co-founder and director of Hacker House, a London-based security company that was hired by Sky News to analyze the NHS computer security systems in November.
READ MORE ON ON RANSOMWARE
How to avoid ransomware—or remove it
Ransomware is ‘blood in the water’ for hacker extortionists
Why ransomware increasingly targets the little guys
Despite new risks, experts still recommend using antivirus software
“This outbreak could have been prevented,” Hickey told The Parallax. “Unfortunately, an organization like the NHS, with its dependency on legacy equipment, as well as SCADA systems, is powered by workstations running an antiquated operating system—they can’t always apply the patch.”
From national security to health care, the unpatched state of these mission-critical computers is what left them exposed to WannaCry. While this particular ransomware appears to be an unfocused attack, just to see how far it could get, what happens when an attacker uses an exploit that hasn’t been patched—or is too difficult to patch?
That’s not an irrational question. The Shadow Brokers, the hacker group that exposed the Windows vulnerability used in WannaCry, plans to start a subscription service for malicious hackers, companies, and governments to access vulnerabilities and exploits it claims to have stolen from the NSA.
While many organizations, including Microsoft, are decrying the NSA stockpiling of previously unknown vulnerabilities, and chains of exploits that can take advantage of them, the United States government is hardly the only country that does this. Even if the NSA stops collecting exploit chains like some people collect Pokemon, what’s going to stop agencies in Russia, China, Israel, England, Iran, or any other country from doing the same?
The benefit of making the computers, networks, and systems that critical infrastructure relies on safer is that it stops more than just the latest rogue government exploit, says Beau Woods, the deputy director of the Cyber Statecraft Initiative at the Atlantic Council. It raises the level of security across the board.
“On my home desktop, it’s much easier to update,” he says. “Critical infrastructure is vulnerable and prone.” Woods would know, as he used to work as a cybersecurity analyst at a hospital in the Atlanta area. Operators have confirmed that some U.S. critical infrastructure beyond hospitals have been infected by WannaCry.
The challenge, Woods adds, is that critical-infrastructure systems are complex and heterogeneous. Most hospitals, for example, have at least three levels of computer systems, Woods says.
“Sometimes the hospital doesn’t know [a medical device] is running on Windows.”—Beau Woods, deputy director, Cyber Statecraft Initiative at the Atlantic Council
Clinical workstations monitoring 20 or more beds and patients at a time, such as those nurses use, are “very easy” to update, he says. Before patching systems running specialized workstations such as machines that create electrocardiograms or test for certain diseases, you “have to be sure” the update isn’t going to break anything.
Other hospital systems simply can’t be updated until the manufacturer approves of the patch. And in many cases, patches need to be downloaded and installed by a hospital IT administrator or manufacturer technician.
Medical devices such as intravenous infusion pumps, CAT scanners, and MRIs are the most difficult to update. Even if the systems run Windows, their patches may come only once a quarter or once a year from the manufacturer.
“Sometimes the hospital doesn’t know it’s running on Windows,” Woods says. “And if you don’t even know it’s running Windows, and you don’t know it’s exposed, you can’t patch it.”
Challenging, of course, does not mean impossible. And security, of course, stretches far beyond software patches.
“You need to architect an environment with a network firewall, network sensors, and end-point security,” Hickey says. Different parts of the network that don’t need to talk to each other should have communication turned off so that ransomware like WannaCry can’t jump across the network as easily as it did.
Woods advises that organizations involved in critical infrastructure also demand a software “bill of materials” so that they can more easily identify their systems’ components and potential vulnerabilities.
“A software bill of materials means a quick database lookup can help, in 6 seconds, find where you’re vulnerable,” he says. “The cost of upgrade can be quite high to switch, but the cost can be quite high not to switch.”