New cyber attack, same lessons
There was a huge flaw in the latest global cyber-attack, thus making it less damaging that was first feared. The WannaCry ransomware was very effective at attacking and locking thousands of computer files.
May 19, 2017
There was a huge flaw in the latest global cyber-attack, thus making it less damaging that was first feared. The WannaCry ransomware was very effective at attacking and locking thousands of computer files. But the authors made some basic mistakes, and their blackmail attempt was largely futile. The episode is a reminder, though, of the need to follow basic IT security procedures. – By Stephen Evans
Europol estimates that 200,000 computers in 150 countries were affected by WannaCry after it was first detected on Friday 12 May 2017. Despite this reach, security experts are puzzled that this ransomware didn’t cause more problems. “It appears that the authors are good at writing code, but not so good at devising a money-making strategy,” commented Jornt van der Wiel, a Security Researcher at Kaspersky Lab Benelux.
He thinks the main mistake was to have directed this malware attack at large organisations. While many are often vulnerable, they are generally able to repair damage relatively quickly. WannaCry works when a malware program is downloaded from a spam email, releasing a worm that quickly inflects PCs on a network, or even connected over the internet. This enabled the infection to travel fast within large organisations, but few smaller companies were affected.
Large firms generally have comprehensive, up-to-date back-ups, so that infected PCs could be wiped clean, and data reinstalled within a few hours. Disruption to work was minimal. Thus there was little incentive for firms with well-resourced IT departments to pay a ransom to unlock frozen files. “Normally ransomware is directed at small and medium sized businesses, because for them the cost of recovering the situation is more than the ransom demanded by the hacker,” explained Mr van der Wiel.
Small operations most at risk
He contrasted WannaCry with last year’s Wildfire ransomware attack. Although it only infected about 5,800 PCs (3% of the number reached by WannaCry) Wildfire resulted in up to €90,000-worth of bitcoin being paid to the hackers. This was because most victims were small organisations who felt paying the blackmailers was the easier option. However, the authors of WannaCry appear to have received little recompense for their criminal actions.
Moreover, Mr van der Wiel found bugs in the WannaCry program, meaning that many victims would have been unable to pay the ransom even if they had wanted to. Nevertheless, some victims did hand over bitcoins, but they were frequently dismayed that the hackers refused to provide the code to unlock files. News of this complete lack of faith quickly made it onto Twitter and forums, thus undermining further the hackers’ already limited business model.
So if this attack was in some respects laughably poor, it puts into focus the risk of being exposed to a hacker that takes a more professional approach. “This episode did not teach us much more about the state of the game, but it reminds IT teams of the need to keep up-to-date with basic security procedures,” Mr van der Wiel said.
Two basic rules
Rule number one is to make sure there are regular, comprehensive back ups. Rule number two is to always install the latest security software and patches without delay. This attack came from a vulnerability in Windows. Even though Microsoft no longer provides systematic maintenance for older versions of its operating system, it did exceptionally release a fix against WannaCry for all legacy systems in March.
That said, patching an entire network is a much more complicated business than updating a home computer. Often this requires key systems to be taken temporarily out of operation, and sometimes the upgrade can affect how programs run. Nevertheless, with a phased implementation, disruption can be kept to a minimum as essential upgrades are made.