WannaCry is ransomware that has spread quickly through phishing emails across over 100 countries, infecting an estimated 200,000 computers worldwide. WannaCry spreads itself across corporate networks by exploiting critical vulnerabilities in unpatched Windows machines – Microsoft has had patches available since March, but many machines did not apply the update. This particular variant of ransomware encrypts all files that the machine has access to, including local and network files, and demands a $300 payment in untraceable bitcoins in order to release the files. Given the number of computers infected, it is surprising that the total ransom collected is under $60k.
Many companies across the globe have felt the pain and loss of business because of this attack. Affected companies include Renault who shut down plants in France, Telefonica in Spain, and China National Petroleum Corporation who cut the network connection to service stations. It has endangered healthcare with 16 National Health Service (NHS) hospitals in the UK alone feeling the pain of the attack. More stories like these will emerge, as we get deeper into the analysis of the impact.
It’s interesting that the attack was executed with a built-in failsafe that simply required someone in the world to spend $10.69 to register a domain name. It has been speculated that it was put in as a way for the creator to protect the malware from being analyzed in a sandbox. Registering the domain name without an expected server made it appear like a sinkhole, causing the ransomware to protect itself by shutting down. The easily found kill switch suggests that the attack was meant to be stopped at an early point, or at least controlled. It makes me wonder if this was just a scouting mission to see how many computers are up to date with patches and to determine how successful a mass ransomware attack could be, or whether it may have just been a way to protect itself.
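Because the kill switch works by looking up a domain before the malware decides whether to run, the resolver logs become a cheap infection indicator once that domain has been registered and sinkholed: any host that queried it has already executed the ransomware and stopped itself. The following is an added example, not code from the original post, that scans constructed BIND-style DNS query-log lines and reports which internal hosts looked up the kill-switch name. The post does not name the real domain, so `killswitch-placeholder.example` stands in for it, and the log layout and sample addresses are assumptions.

```python
"""Added example: flag internal hosts whose DNS queries hit the sinkholed
kill-switch domain. Every such query means the ransomware ran on that host
and shut itself down, so the host still needs patching and cleanup."""
from collections import defaultdict
import re

# Assumption: the post does not name the kill-switch hostname, so this
# placeholder stands in for it. Add real names here when you have them.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample lines in a BIND-style query-log layout (hypothetical
# addresses; the last line is deliberately malformed to exercise parsing).
SAMPLE_DNS_LOG = """\
15-May-2017 09:12:01.114 client 10.0.4.21#51233: query: killswitch-placeholder.example IN A + (10.0.0.53)
15-May-2017 09:12:02.201 client 10.0.4.21#51240: query: update.example.org IN A + (10.0.0.53)
15-May-2017 09:12:05.778 client 10.0.7.88#40011: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.53)
15-May-2017 09:13:10.002 client 10.0.4.21#51301: query: killswitch-placeholder.example IN A + (10.0.0.53)
this line is garbage and should be skipped
"""

# Timestamp, client address, queried name and query type from one log line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed query line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the name: drop a trailing root dot and ignore case, since
    # resolvers and clients differ in how they log it.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def find_kill_switch_queries(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client IP that queried a kill-switch domain to its timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] in domains:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def summarize(hits):
    """Collapse per-host timestamps into count / first seen / last seen."""
    return {
        ip: {"count": len(ts), "first_seen": ts[0], "last_seen": ts[-1]}
        for ip, ts in hits.items()
    }


if __name__ == "__main__":
    report = summarize(find_kill_switch_queries(SAMPLE_DNS_LOG))
    for ip, info in sorted(report.items()):
        print(f"{ip}: {info['count']} kill-switch lookup(s), "
              f"first {info['first_seen']}, last {info['last_seen']}")
```

Hosts in the report are the ones to isolate and patch first, since the lookup proves the malware already ran there; repeated lookups from one host, as with `10.0.4.21` in the sample, point to re-infection attempts from a neighbour on the same network.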
The attack was so severe that Microsoft has taken the unprecedented step of issuing patches for end-of-life operating systems, including Windows XP and 2003. With the number of desktops still running Windows XP, Microsoft is in a position to help stop the spread of future attacks by continuing to release security patches. If they stop patching, those machines will provide a stable of insecure launching points, and the next attack may be worse.
Ben Franklin’s quote “an ounce of prevention is worth a pound of cure” is as true today as it was in his day. Companies and individuals need to be better prepared to prevent attacks, including taking hard steps to restrict access, even when it is not the popular decision. We all should know by now that steps like OS patching, locking down machines, and restricting access to non-essential network resources are non-negotiable. At the same time, it can take some verbal jujitsu to convince a business unit that, rather than preventing work from getting done, this is protecting their investments and their ability to conduct business.
In most cases, and in this specific attack, the weakest links are the people themselves. Education will not stop all phishing attempts – I often shake my head after one of my users has clicked on an obvious phishing email – but good and frequent training can slow the tide. We need to continue to engage our end users, and the public in general, to be skeptical of each email that we receive. Why did I get this message? Does it look legitimate? Why are they approaching me in this manner? Human beings are our front line in preventing attacks. The best intrusion detection and prevention technologies are necessary and will do a lot to prevent various attacks, but they will all fail when there is an end user holding the door open for the attacker.