The WannaCry ransomware attack (also known as Wana Decryptor, WanaCryptOr, or WNCRY (10)) started on 12th May 2017 and quickly spread to over 150 countries. Europol estimates suggest at least 200,000 computers were infected. Russia, Ukraine, India and Taiwan experienced the highest infection rate. However, Britain also faced serious complications when some National Health Service hospitals in England and Scotland were hit with the malware. As many as 70,000 devices were compromised, including computers, operating theatre equipment, blood storage refrigerators and MRI scanners, and some non-emergency patients were turned away.
Within a few hours, a security researcher had discovered a URL that seemed to act as a kill switch, preventing WannaCry from spreading to new files, and the infection rate slowed significantly. Experts theorise that the authors built this mechanism in deliberately to make it harder for security personnel to study the malware on a quarantined computer. Since the discovery, new versions of the ransomware have appeared without the safety switch, yet the infection rate remains slow. WannaCry relies on an outdated Microsoft vulnerability, so installing the latest updates will make most systems secure.
A Closer Look at the Problem
WannaCry uses a network infection vector called ‘EternalBlue’ which exploits a vulnerability in Microsoft’s Server Message Block protocol. EternalBlue was publicised in April when a group of hackers known as the Shadow Brokers published a trove of data reportedly stolen from the US National Security Agency (NSA). By that time, Microsoft already offered a patch to fix the issue. Security update MS17-010 was released on 14th March 2017 as a critical update and was available for all supported operating systems. The day after WannaCry took off, Microsoft also released a patch for several unsupported operating systems including Windows XP and Windows 2003.
According to Kaspersky Lab, 98 percent of the computers infected with WannaCry were using Windows 7. Mainstream support for Windows 7 ended in January 2015. However, extended support, including security updates like MS17-010, continues through January 2020.
The NHS hospitals were among a small minority of victims still using Windows XP, an operating system that has not received public security updates since 2014. A letter from the Cabinet Office suggests the government had gained temporary security help until 2015, while issuing a warning that the NHS needed to move away from Windows XP as soon as possible. However, as of 2016, it was reported that 90 percent of NHS hospitals had not been updated.
What to do if You’re Infected
WannaCry’s £230 ransom demand claims to double in three days with the data deleted in seven, but experts don’t recommend paying. Malware writers are criminals and there is no reason to expect they will keep their word; moreover, there haven’t been any reports of payment resulting in data recovery. People who have studied WannaCry say the coding is ‘sloppy’ and question whether a decryption method was even written into the ransomware. According to Matthew Hickey from the UK security firm Hacker House, decoding would have to be activated by a manual operator, yet the hackers have so far failed to respond to any contact requests. Professor Alan Woodward of the University of Surrey believes Bitcoin sent as ransom is likely to remain uncollected, given all the attention the malware has attracted.
As a result of errors written into the malware, some researchers have reportedly been able to recover the private encryption key from infected computers. Quark Security has created an automated security tool to assist with this process, but there is no guarantee it will work in every case. The standard recommendation, as with any ransomware, is simply to restore the encrypted files from the most recent back-up.
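The published recovery approach relied on the malware failing to wipe the RSA prime factors of its key from process memory, so a factor of the public modulus could be found by scanning a memory dump. The Python below is an added illustration of that idea, not code from the article or from any of the tools it names; it uses small constructed keys and a constructed ‘memory dump’, and the function names are my own.

```python
import random
import secrets
from math import gcd

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, adequate for generating demo keys."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exactly `bits` bits, odd
        if is_probable_prime(cand):
            return cand

def recover_private_key(n, e, dump, prime_bytes):
    """Slide a window over the dump; a little-endian integer that divides n is a prime factor.
    Returns (p, q, d) or None if no factor was left behind in memory."""
    for off in range(len(dump) - prime_bytes + 1):
        p = int.from_bytes(dump[off:off + prime_bytes], "little")
        if 1 < p < n and n % p == 0:
            q = n // p
            return p, q, pow(e, -1, (p - 1) * (q - 1))
    return None

def demo(bits=128):
    """Generate a small key, leave p in a constructed dump, recover d and decrypt a test value."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n, pb = p * q, bits // 8
    # Constructed dump: random bytes with the unwiped prime at an arbitrary offset (little-endian).
    dump = secrets.token_bytes(300) + p.to_bytes(pb, "little") + secrets.token_bytes(200)
    cipher = pow(0x1234ABCD, e, n)
    rec = recover_private_key(n, e, dump, pb)
    return rec is not None and pow(cipher, rec[2], n) == 0x1234ABCD
```

The same scan works regardless of key size; the real keys were 2048-bit, which only changes the window width passed as prime_bytes.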
Regardless of whether the files are recoverable, WannaCry will need to be removed or it will continue to encrypt any new files. The security site Bleeping Computer offers a tutorial and downloadable program called ‘Rkill’ to remove suspicious programs. This should be followed by a thorough anti-malware scan. If there are still issues, be sure to contact a security expert for assistance. Reputation Defender offers privacy services that will assess your vulnerability level and help protect against future ransomware attacks.
Who’s At Fault?
After the first wave of attacks, the rate of new WannaCry infections has fallen and it seems unlikely to spike again. Nonetheless, the ransomware proved just how damaging a widespread attack could be. It also highlighted security issues that will continue to be a problem as more and more devices become internet connected.
Who’s to blame for what happened? Could it have been avoided? Microsoft was quick to call attention to the NSA and other national security organisations that ‘store vulnerabilities’ for intelligence gathering purposes rather than sharing them with the company involved so they can be fixed. Brad Smith, Microsoft’s chief legal officer, likened the recent data theft to “the US military having some of its Tomahawk missiles stolen” and said governments should treat it as a wake-up call.
Smith also pointed to organisations which fail to update regularly as part of the problem. However, not everyone agrees with this view of the situation. Dave Lee, BBC’s technology reporter for North America, thinks Microsoft has a responsibility to maintain security on out-of-date systems longer. While it may be a simple matter to update a single computer, redesigning a complex system like the NHS is costly and difficult. When it comes to public health, does Microsoft have a responsibility to provide free security in the interest of saving lives, or does it fall to the NHS to find funding for an IT overhaul every 5–10 years? Analysts will no doubt continue to debate these issues over the weeks and months to come.