Yes, we should use supported operating systems and applications. Yes, we should install security updates. But that is not always possible nor necessary – there will be many Windows XP computers running for quite some time if used for applications that need it (and many industrial applications like that exist). Many security experts went for the safe option telling us not to click on suspicious emails (whatever “suspicious” means), and install antivirus software.
Some interesting links for details:
- About messing up “custom service” – Check Point blog
- A Wikipedia page – WannaCry ransomware attack
- One of many – what you need to know – FourSys blog
- No infections in Canada – The Globe and Mail
However, it appears, according to IBM Security, that the Wannacry malware didn’t arrive via emails as they haven’t seen a single instance of it. We now know that the malware spreads via a vulnerability in Microsoft’s file sharing mechanism (SMB). This mechanism doesn’t work outside local networks and we are still not sure how the “patient 0” in each of the affected organizations got infected.
Main headlines in the UK were about the National Health Service (NHS) as tens of hospitals got either infected their core information systems or switched their internal networks and IT off completely as a precaution. As a result, hospitals couldn’t treat patients where computers are involved (like X-ray, MRI, and so on). We could come up with some wise words around isolating critical computers from the internet, setup firewalls properly, only allow data to be pushed out of these systems, … all that to eliminate remote online attacks.
Another aspect that comes to mind here is whether health trusts (i.e., hospitals) should be responsible for their IT security, or whether NHS should have its own national Computer Emergency Response Team (CERT), enforce security recommendations, and centralize expertise. I know of many companies with small thousand of employees (a size of a hospital), who have just a handful of IT support personnel. Clearly, sending warnings to these small IT support teams is not enough if you really want to make sure the computer infrastructure is up to scratch.
There are some interesting aspects around who was targetted. Victims were in Russia, as well as in the US. There don’t seem to be any reports of home users to be affected. I believe it relates to the mechanism used to spread the malware. The malware’s design is good for spreading within a company, but it can’t jump from one company to another, or from my computer to my neighbour’s. The next question then is – who compiled a list of targets and how those targets were attacked.
Talking about the design, the ransomware part of the software seems to be really badly implemented. So far, I didn’t see any story, which would mention someone’s computer being decrypted – although a few hundred people are likely to have paid the ransom. The decryption mechanism is hard to use and it’s not clear how to obtain the correct decryption key – here I just repeat what I heard elsewhere. It is unusual for enterprise ransomware software to demand $10,000 per computer. If you, as a hacker, want to get your money, you must make sure that whoever pays will get their data back or else your business model probably collapses, and collapses pretty quickly.
Some say that this is an eye-opening attack. I don’t agree and there are several reasons why.
- The total number of infected computers is relatively small – a few hundred thousands. It means that most of us will read newspaper headlines and forget about it in a couple of weeks’ time.
- Whoever was targetted will think that lightning never strikes the same place twice.
- Although it definitely happened and caused certain damage, no one can guarantee that the next attack will use the same mechanism and vulnerabilities. It means that if you are likely to need a large investment to mitigate future attacks like that, the return on investment is poor.
My point though is this. We can’t prevent these attacks. They will keep happening. Yes, we should invest reasonable resources in prevention but we also must assume that no protection is perfect. As a matter of fact, I don’t mind being attacked – I remember first computer viruses, which were more like jokes and easy to get rid of. I do mind though the damage and this damage can be limited. If I know what to do; if my data is backed up; if I can quickly localize the attack and isolate it from healthy systems.
I really liked one interview with a GP doctor who said that they lost calendars with appointments so they just treated whoever turned up. He also added that he remembered doing it like that before computers.