Last Friday here in Europe, we saw over 50,000 companies and over 100 countries hit by the WannaCry ransomware attack. In Germany, digital display boards at Deutsche Bahn train stations were inoperable. In Spain, internal computers were down at telecommunications provider Telefonica.
In the UK, the National Health Service (NHS) was hit, with staff unable to access patient records, some phones down and operations canceled. The attack was halted when cybersecurity experts MalwareTech found and inadvertently activated a “kill switch” in the malicious software, although its repercussions are set to continue as people go back to work on Monday.
I spoke to a number of leading security experts to find out more.
#1: How did this attack happen?
Friday’s attacks fall under the category of ransomware, in that malware encrypts data on a PC and users received a note demanding $300 in Bitcoin to have their access to their data restored. Paul Kurtz, founder, and CEO of TruSTAR and former White House cybersecurity adviser noted that the intelligence exchange platform the company runs had seen ransomware IoC reporting significantly pick up momentum in recent months.
It appears that WannaCry ransomware leveraged a Windows vulnerability that became apparent in April when a cache of hacking tools was leaked on the Internet. Security researchers believe the hacking tools came from the USA, including a product called EternalBlue that makes hijacking older Windows systems easy.
It specifically targets the Server Message Block (SMB) protocol in Windows, which is used for file-sharing purposes. Microsoft has already patched the vulnerability, but only for newer Windows systems. Older ones, such as Windows Server 2003, are no longer supported, but still widely used among businesses, including hospitals who are looking to cut costs on IT infrastructure.
Kurtz noted that old software, along with an increase in commoditized malware such as Philadelphia, exacerbated the problem:
“Five years ago, when an (incident) would come out it would be one, two or ten enterprises. But now we have more commoditized malware, which means that just by sending a document to people that looks like a very much legitimate document you click on it, you’re in trouble and you have ransomware on your computer. And so from a user’s point of view, it’s very hard to protect against it, especially a document that looks legitimate. You can train lots of people but (the benefits of training) can fade away.”
#2: Do people just pay the ransom?
Much focus has been on the impact of the attack on the UK’s NHS, but it’s not the first time that a hospital has been hit by such an attack. In 2016, California’s Hollywood Presbyterian Medical Center was hit by a ransomware attack that meant their networks were offline for over a week, including CT scans, documentation, lab work, and pharmacy needs.
The hospital ultimately decided to pay a random, and in a statement, President and CEO of Hollywood Presbyterian Allen Stefanek stated: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
#3: Could future IoT creators be liable?
While this attack wasn’t specifically attacking hardware like connected DVRs or cameras, it could raise the issue of embedding IoT in connected health products where an attack may compromise a drug dosage or ultimately impact a life. This is a question that came out of the big DDoS Mirai bot attack last year, as Travis Farral, Director of Security Strategy at threat intelligence company Anomali discussed with me:
“Some manufacturers are pumping out these very inexpensive and sort of cheaply made products that have very little thought to security in them, should they not be liable for the damage done that those devices are perpetrating?”
It’s possible to require that you don’t use hardcoded passwords on your device. This could be a minimum standard and that would probably help, given some of the botnets have been built up on systems that had hard headed passwords that really could be changed. But closing that door doesn’t mean they don’t then go find other methods to accomplish the same thing. But I don’t know how effective that minimum standard really would be?
I think it’s incumbent upon the people that are implementing these things and but also especially in the manufacturers to think about the fact that the person who is going to use it is not necessarily the security expert. If they could at least do most of the heavy lifting ahead of time and try to think ahead and try to protect the device much as possible. I think that that goes a long way.”
#4: Can technology stop attacks in the future?
“When will something be much smarter than me and make me unemployed? Until that happens this is not going to stop,” says Adam Dean, a security specialist at GreyCastle Security.
“So yes, there is stuff being developed and being you know there’s some AI software and hardware that’s being used,” he adds. “But in terms of something major happening, the problem is how the internet works and the internet needs to be rebuilt in a way that I would surround these robots rather than the robots surrounding the internet and because the internet is very particular in how it works and to be able to detect malicious traffic vs legitimate traffic, that’s very difficult to do.”
#5: What can we expect next?
Clearly, the use of ransomware is not going away anytime soon. While Friday’s attack appears to be at least temporarily halted, it could take a number of those affected quite some time to bounce back and be fully operational. We also don’t know the real impact on those in the health system, as Adam Dean points out:
“With the amount of hospitals that have been affected and a number of people that are in those hospitals, I would not be surprised if we see a death come out of this ransomware attack.”