WannaCry malware downs systems worldwide

May 15, 2017 // 10:59 a.m.

Tags: #insecurity #malware #nsa #ransomware #security #vulnerability #wannacry #wannacrypt #wanna-decryptor #wikileaks #windows #windows-xp #worm

Microsoft has issued emergency patches for its Windows operating systems, including OS-that-wouldn't-die Windows XP, in the wake of an ongoing malware infestation which is affecting thousands of systems across the globe including numerous NHS facilities in the UK.

The latest entry in the growing pantheon of so-called ransomware packages, which silently encrypt a user's files in the background before popping up with a demand for payment in order to release the decryption key, WannaCry - also known as WannaCrypt or Wanna Decryptor - is on the face of it nothing special. Like its predecessors, the malware spreads like a worm through unpatched vulnerabilities in the host operating system; it uses public-key cryptography to lock selected file types against being opened; and it demands payment in Bitcoin - initially $300 per infection, raised to $600 by a revised version - in exchange for the private key needed to decrypt the files.

Where WannaCry differs from its predecessors is in efficacy: by exploiting a flaw present in Microsoft's Windows operating systems from Windows XP through to the latest Windows 10 - on systems that had not received the patch released in March which closed the hole - WannaCry has become one of the most successful malware strains in history, taking down thousands of systems from NHS computers still running Windows XP to government platforms which have not yet received the March patch.

As for where WannaCry's anonymous author - or authors - discovered the vulnerability, that one's clear: the flaw exploited by the malware was discovered some considerable time ago by the US National Security Agency (NSA) but never disclosed to Microsoft for repair. When the NSA itself was attacked and its cache of vulnerabilities stolen and published, the flaw became public knowledge and, it seems, the basis for the WannaCry attack.

'The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers,' explained Microsoft's president and chief legal officer Brad Smith in a blog post analysing the attack. 'While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.

'We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported.'

That assistance includes a reset of the clock on the long-running Windows XP. Semi-affectionately known as the operating system that just won't die, XP was originally scheduled to enter end-of-life (EOL) status in 2008 before receiving multiple stays of execution through to April 2014 - though even then it received a post-EOL patch for a security flaw and some of its embedded variants continue to receive updates. Now, three years since the last public update, Windows XP has again been patched to close the WannaCry vulnerability.

Smith was clear that his company holds the NSA responsible for the efficacy of WannaCry's infection vector. 'This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,' he claimed in the announcement. 'This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

'The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.'

During the weekend, it looked as if WannaCry had been defused when a security researcher discovered a domain in its code which had not been registered. Once registered, the domain acted as a kill-switch that prevented the malware's worm component from spreading further. Sadly, it didn't take long for the WannaCry author to modify the code and release an updated version which no longer listens to the kill-switch domain.
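The kill-switch behaviour described above leaves a useful trace for defenders: before the worm decides whether to spread, the infected host has to look up the kill-switch domain, and that lookup lands in resolver logs. The script below, an added example that is not part of the article, parses a handful of constructed DNS log lines and reports which hosts queried the domain and what answer they received. The domain name (`killswitch-placeholder.example`) and the log format are placeholders I have assumed; substitute the real domain and your resolver's format when using it.

```python
"""Flag hosts that queried a ransomware kill-switch domain, from DNS resolver logs.

Added example, not code from the article. The domain, log format and log lines
are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed placeholder for the unregistered domain the malware checks.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Assumed, simplified resolver log format: "<date> <time> client <ip>#<port> query: <name> IN A <rcode>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+ "
    r"query: (?P<qname>\S+) IN A (?P<rcode>NOERROR|NXDOMAIN|SERVFAIL)$"
)

# Constructed sample log: two hosts look up the kill-switch domain, one does not.
SAMPLE_LOG = """\
2017-05-12 10:01:03 client 10.0.3.17#51234 query: killswitch-placeholder.example IN A NXDOMAIN
2017-05-12 10:01:04 client 10.0.3.17#51240 query: update.example.org IN A NOERROR
2017-05-12 10:02:11 client 10.0.3.42#50021 query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A NOERROR
2017-05-12 10:03:55 client 10.0.7.9#49000 query: intranet.example.org IN A NOERROR
garbage line that does not parse
"""


def normalise(qname):
    """Lower-case and strip the trailing dot so 'Foo.Example.' matches 'foo.example'."""
    return qname.rstrip(".").lower()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_killswitch_lookups(log_text):
    """Return {client_ip: [(timestamp, qname, rcode), ...]} for every kill-switch query."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than aborting the scan
        if normalise(rec["qname"]) in KILL_SWITCH_DOMAINS:
            hits[rec["client"]].append((rec["ts"], rec["qname"], rec["rcode"]))
    return dict(hits)


def triage(hits):
    """Classify each host that queried the domain.

    NXDOMAIN: the domain was still unregistered when the host looked it up, so the
    worm component would have gone on to spread from this host.
    NOERROR: the registered domain answered, so the original variant would have
    stopped.  Either way the host ran the malware and needs isolating and patching.
    """
    report = {}
    for client, events in hits.items():
        rcodes = {rc for _, _, rc in events}
        if "NXDOMAIN" in rcodes:
            report[client] = "infected, spread likely (NXDOMAIN)"
        else:
            report[client] = "infected, kill-switch honoured (NOERROR)"
    return report


if __name__ == "__main__":
    for host, verdict in triage(find_killswitch_lookups(SAMPLE_LOG)).items():
        print(host, verdict)
```

Note the limitation that follows directly from the article: the updated variant no longer contacts the kill-switch domain, so a host with no such lookup in the logs is not cleared, and the absence of hits says nothing about whether the host is patched.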

Those running Windows - or, realistically, any other operating system - are advised to ensure they are running the latest security patches available, have anti-malware software installed and activated, and have up-to-date backups which are stored offline, the latter being by far the best defence against ransomware attacks such as WannaCry and its predecessors.
