Don't Draw the Wrong Conclusions from the WannaCry Ransomware Outbreak
"Treat the underlying culture that made this possible, not the symptoms."
On Friday the world was rocked by the largest malware outbreak in some time. It spread quickly, and to the casual observer apparently purposefully, targeting high profile companies and government agencies. But the idea that this was an attack against our infrastructure, and the suggestion that this was a terrorist act, would be the wrong conclusion to draw from the outbreak.
Malware doesn't normally spread this quickly, so the rapid propagation of the outbreak looks intentional. It looked like a directed attack. It wasn't. There were ransomware outbreaks that ranged all over, from Telefonica in Spain, to universities in China and Italy. From the Russian Interior Ministry to Deutsche Bahn in Germany. It appeared in elevators, building lobbies, and malls around the world.
We've all become far too comfortable with the idea that malware is spread via email. That just not opening suspicious emails is enough to protect us. However while the initial infection vector for last week's attack might well have been an email—although there's no real evidence of that at the moment—that's almost irrelevant now. Except for the painful, and almost certainly pointless, process of tracking down who was behind the outbreak, patient zero doesn't matter. Because the reason that the ransomware spread so quickly is that this was an SMB network worm. Once an initial infection occurred it no longer needed human help to propagate.
The worm makes use of a vulnerability called ETERNALBLUE which was publically released last month by the hacker group known as The Shadow Brokers. This, along with several other vulnerabilities in the release, had already been patched by Microsoft the previous month. The vulnerability the worm used to wreak this much damage had been closed for almost two months before last week's attacks, that is, so long as you run regular updates or you weren't using out of date platforms, like Windows XP.
At least in the United Kingdom the highest profile victim of the ransomware was the National Health Service, a total of 48 NHS trusts were hit by the outbreak. The worm spread through the NHS because chronic underfunding of IT meant that security updates hadn't been applied and, like other government agencies, they still had a large number of unpatched and unpatchable Windows XP machines. This despite the special deal between the UK government and Microsoft for extended support for Windows XP having come to an end more than two years before.
The spread of worm was stopped, more-or-less accidentally, by what's called sinkholing. Before attempting to propagate the worm checks to see if it can connect to a specific website, if it can, it stops. If it can't, it continues to spread. Unfortunately for the authors of the worm they didn't register the domain hardcoded into their malware, possibly as a method to detect whether the malware was being analysed in a sandbox which would have responded to any network request as a matter of course. However when one security researcher noticed it, he did it for them. It halted the spread of the worm. While it didn't stop propagation of the malware entirely, as a few ISPs and anti-virus tools are now blocking DNS resolution and traffic to the sinkhole domain as suspicious, it stopped the outbreak. Giving everyone time to do something more than react to events.
It's important that the wrong lessons aren't drawn from the outbreak. Governments have a tendency to react to events like this by passing additional legislation, because they need to be seen to be doing something. That isn't the right reaction. Additional legislation isn't needed. This is not an event that should lead, inevitably, to yet more government surveillance legislation to protect us against terrorists.
It's not the idea that people attacking our national infrastructure should be regarded as terrorists worries me, it is that the view that this is an attack on national infrastructure. The widespread nature of the outbreak implies that this wasn't a targeted terrorist action, it was a criminal one. This wasn't a state level actor, and the propagation of the worm wasn't intentional driven by an intelligent actions. It was random, and based on the way networks were interconnected and reliant on each other.
I have no sympathy for the people that set this in motion. But the damage done was due to a cultural failure of corporate and government IT departments to deploy available security patches. In some measure that failure was driven by a lack of resources, driven in turn by a lack of understanding of the importance of computer and embedded systems security by management and politicians alike.
Microsoft's response to the outbreak has been admirable, releasing patches for out-of-support products like those Windows XP machines still in use by the NHS and in other, perhaps more worrying, places.
However right now this event is being seen as an anomaly, a "unique case." It shouldn't be, because to the criminals that set it in motion—and the many others looking on—it will be seen as a massive success, and the next version of this won't be stopped by sinkholing.
Because we know, by looking at the bitcoin wallet receipts, that people are paying. A tiny fraction compared to the huge number of infected machines, but this was not a complicated attack. It didn't take great resources, or skill, and like online advertising only a small number of people need to click through to make it profitable.
One of the reasons that this attack was so high profile is that the outbreak was visible, the vulnerability it targeted almost inevitably led to long ignored systems that were in public places being infected. However, unlike the distributed denial of service attacks caused by Mirai at the tail end of last year, the backbone of the Internet stayed up. So you could watch the whole thing happen in real time on Twitter.
As a result, now the people writing the malware are reminded that email is not the only way that it can spread, we will see more of this sort of attack. This isn't a one off, this is a leading indicator, and it could have been worse. Because, instead of ransomware the same tools could have been used for the exfiltration of data, and instead of the screens on the platforms, it might have been the trains themselves.
We've already seen additional variants of the worm over the weekend—although the only functional one also had a kill switch—and while so far there aren't any working variants without a kill switch, it's just a matter of time.
The same cultural failures around security that led us to this seem to have us sleepwalking towards an Internet of Things that is vulnerable to similar attacks, to factories being shut down. We could have stopped last week's ransomware outbreak in its tracks by making sure everyone had installed security patches, and upgrading from a 15 year old operating system. But Internet of Things devices will regularly live out in the world for far longer than that, and right now we're making assumptions that mean that they too will not be regularly updated.
We're heading towards a world where this sort of outbreak can happen regularly, with far more serious consequences. Treat this as a wake up call, and then treat the underlying culture that made this possible, inevitable even, not the symptoms.