On the past weekend the headlines were coming thick and fast about the ransomware known as “WannaCry”, which had paralyzed computers around the globe – even impacting on critical infrastructure.
The malware exploited a long-known security gap in Windows, which the maker of the operating system, Microsoft, had already plugged in March. But as many computers had not yet been updated with the required patch or are running such old versions of Windows, that Microsoft no longer provides updates for them on a regular basis, the ransomware also known as “WannaCryptor”, “WannaCrypt”, “Wana Decrypt0r” or “WCry” spread like wildfire. The criminals demanded payment from high-profile victims such as the UK’s National Health Service (NHS), French car manufacturer Renault, Spanish carrier Telefónica and Deutsche Bahn, if “only” their destination display boards. However, the unknown originators of the attack have not been able to blackmail much money out of their victims so far.
Note: This bot is watching the 3 wallets hard-coded into #WannaCry ransomware. It tweets new payments as they occur, totals every two hours.
— actual ransom (@actual_ransom) 15. Mai 2017
The USA and Canada were spared much impact from the outbreak due to their time zones. By the time North American workers were starting up their computers last Friday, a 22 year-old British security researcher had already discovered and activated a kill switch for “WannaCry” more or less by chance – as soon as the malware found a certain URL connected, it falsely assumed itself to be in a security test environment (“sandbox”) and ceased to be active. Since Sunday, however, a new variant without this kill switch has already been circulating.
“WannaCry” spreads over computer networks, technically using an error in an older Microsoft incarnation of the SMB protocol (Server Message Block) for file, printing and other services in computer networks. Knowledge of this error had been stashed away by the US military secret service, the NSA, until late summer 2016 when the hacker collective Shadow Brokers cyber-burgled them, making off with a whole raft of spying tools and intending to use them for financial gain.
The attack was just a matter of time
One after another, the Shadow Brokers made the NSA tools available on the web. “Eternalblue“, which provides the basis for “WannaCry”, was made public on Good Friday of all days. From that point on, at least, it was really only a matter of time before a related attack would be sure to follow. Conspicuously, Microsoft had already called off the release of its monthly patch for February at short notice and then put out an unusual number of error-corrections in March.
Microsoft apparently rates the SMB security gap as being extremely serious. Otherwise, it would be tough to explain the software giant wasting little time on Saturday to take the unusual step of breaking ranks by also providing patches for Windows versions which are still widely used yet no longer supported, such as XP, Server 2003 or Windows 8.
On Sunday Microsoft‘s President and Chief Legal Officer Brad Smith then followed up with a very clearly worded statement by corporate standards. The basic tenor: the secret services of this world should in future please refrain from hoarding security gaps which are not known to the public (“Zero-Days”), in order to use them secretly for espionage or as cyber-weapons in the future.
From Smith’s point of view, Microsoft and its customers also bear at least some share of responsibility. Arne Schönbohm, President of the Bundesamt für Sicherheit in der Informationstechnik (Federal IS Agency), had earlier sung from the same hymn sheet. “The current attacks show how vulnerable our digitalized society is. This is a fresh wake-up call for companies to finally start taking IT security seriously and set up sustainable protective measures,” he wrote in a statement. “The latest weak point has been known for months and appropriate security updates are available. We urge all users to implement them without delay.”
Patch management – a tiresome topic
Schönbohm is surely taking an overly simple view of things, if he places the blame squarely on the users only. They are long-suffering and would rather take a bit more time to vet the patches provided by their software suppliers before rolling them out in their infrastructures. In an increasingly digitalized economy, a company can simply not afford to have internal applications or business processes failing because a patch displays unexpected side-effects – an eternal dilemma for enterprise IT.
“WannaCry” nevertheless makes it perfectly clear that one at least has to take immediate action to plug security holes in the software as soon as an attack has taken place and some kind of exploit code is available. Cyber criminals have long been able to ply their trade without needing hacking expertise to build their weapons. In the face of a growing amount of ransomware, it can’t be emphasized enough how crucial regular, up-to-date backups are – only then can one replace a computer which has been encrypted by malware without a large loss of data – and without having to cough up bitcoin ransom.
In general, a crucial paradigm shift can be observed in IT security – while the primary consideration used to be protecting systems and networks by shielding them from the outside, it is now regarded vital to discover ensuing attacks as quickly as possible and limit their impact (“Detect and Respond”). One example of this is Retarus’ innovative new product “Patient Zero Detection®”, which enables the retroactive discovery of malware that has already been delivered by means of e-mail. You can find out more about Patient Zero Detection® and Retarus’ comprehensive E-Mail Security services here or directly from your local Retarus representative.