The biggest global ransomware cyberattack on record has impacted over 130,000 individual computers across more than 100 countries in just 48 hours. That figure is an estimate as of midnight on Saturday, May 13, and will certainly increase over the next few days as more victims are identified.
So What Exactly Happened?
Victims see a ransom demand on their screens stating that their data has been encrypted. The criminals demand $300 in Bitcoin to unlock the data; the price increases to $600 within a few hours if the ransom is not paid. The attacks use malware – a worm called Wanna Decryptor (a.k.a. WannaCry). It infects the device of a user who has been tempted to open an email attachment and thereby unknowingly installs the malware. The malware encrypts the hard drive and then searches for other potential target systems on the network in order to spread itself. Once inside an organization, it exploits a known vulnerability in the Windows OS that pertains to document sharing with other users on a network. Defense mechanisms protecting against harmful document sharing between trusted users within a network are usually less stringent, and these loopholes combined to deliver the biggest ransomware attack in history.
A happy accident temporarily halted the spread of the infection when a UK security analyst discovered what amounts to a ‘stop button’ or so-called kill switch.
Who has been targeted?
The malware targets Windows systems that are not up to date, or older versions of Windows that Microsoft no longer supports. For example, Windows XP was released in October 2001 and officially withdrawn from service more than 12 years later, in 2014. However, some organizations chose not to purchase a newer version of Windows, saving on licensing costs only to expose themselves to security attacks like the latest ransomware incident. Other large organizations, such as the UK’s National Health Service, paid Microsoft to continue supporting XP for them. However, the UK government decided to halt that spending in 2015, leaving the health care system vulnerable to exactly the type of attack that occurred. The organization lost access to sensitive patient data, critical planned surgeries and procedures had to be cancelled, and hospitals had to shut down some units.
In general, government, university and health care networks running outdated Windows OS versions are likely to be hit the hardest.
What options do victims have?
There are only three options:
- Pay the ransom
- Restore the data from a recent backup – if one exists
- Live without the data
In any event, users should apply the recommended security patches immediately. It is inevitable that the criminals will change their attack mechanisms and remove the temporary kill-switch capability, and there are then likely to be a number of copycat attacks using the same vulnerability in different ways.
Is the NSA at fault for this?
Not entirely. The NSA apparently did discover the vulnerability some time ago. They then weaponized it for their own use by building software code that exploited the vulnerability. The hacker group known as TheShadowBrokers published this code, along with other parts of the NSA’s digital espionage toolkit, as part of their exposure of NSA hacking tools. Reports indicate that the hackers behind this week’s attack simply copied and pasted that code into their worm. Microsoft did in fact release a security patch to fix the vulnerability in March. However, not all users were aware of the vulnerability or the patch, or they chose to keep running potentially vulnerable systems anyway. The debate continues as to whether the NSA should alert software vendors to vulnerabilities it uncovers, rather than keeping the knowledge to itself for surveillance purposes.
What can we do to help protect against ransomware attacks?
The least you can do is to keep your software updated at all times. The next level of defense is the human element – Internet users should never open email attachments unless they are absolutely certain that the files come from genuine, legitimate and known senders. These measures alone will suffice to curtail the majority of ransomware attacks coming your way.
The WannaCry worm will potentially reappear in different guises over the coming days and weeks. The best advice is to take action now to protect your devices.