Last month, on Friday, May 12, hundreds of businesses and government agencies around the world were rendered ineffective as a computer worm known as “Wannacry” slithered its way through numerous networks to infect tens of thousands of computers. As of May 18, the tally of the affected stands at more than 230,000 computers spanning 150 countries, with Russia, Ukraine, India and Taiwan being the hardest hit.
More worrisome is not just the ubiquity of this worm, but the effect it has had on government agencies, businesses and institutions. Britain’s National Health Service (NHS) hospitals were forced to cancel appointments and surgeries.1 French carmaker Renault took the precautionary measure of halting operations over the weekend. A large German transport business and a Spanish telecommunications firm were also affected. FedEx systems were penetrated. Chinese universities were in a state of disarray as students struggled to determine whether or not their research had been lost.
The overall impact will be quantified in delayed research, lost revenue and slower reaction times in the emergency services. Unfortunately, recent reporting has suggested that the original Wannacry worm is already being adapted to infect newer systems, which means – as with all things technology – that systems and networks are potentially still vulnerable.
What is Wannacry? It is a type of malware called a “worm.” A worm is a self-propagating program, usually created and deployed with malicious intent. By exploiting a system vulnerability, a worm can, without permission, install and run itself on an infected computer. A worm is technically different from the more well-known computer “virus” in that a worm does not need to attach itself to a host file on a computer. This means that a worm is a self-contained program that can replicate itself, and therefore spread, without any user interaction. Whereas a virus needs someone to open a document or an email attachment to infect a computer, a worm does not, making it a particularly nefarious piece of code.
What does it do? Wannacry is a worm, but it is also what’s known as “ransomware.” The replication portion of Wannacry is the method that allows the program to fulfill its purpose: encrypt a computer’s hard drive and proceed to demand a ransom (a refusal to pay results in all encrypted files being forever inaccessible).
A computer infected by Wannacry presents an unfortunate user with a screen that contains a rather amicable description of what has happened to their computer: “Oooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let’s start decrypting!”
The program then displays a countdown clock and a warning that when it reaches zero, everything stored on the hard drive will be lost. A user’s only option to recover his or her files is to pay the ransom which, according to reports, ranges from $300 to $600, paid in bitcoin to a provided bitcoin address. Despite the efforts of the IT security community, there are currently no other means of decrypting an infected hard drive.
Why was it so successful? Wannacry was adapted from an exploit found in the recently released cache of National Security Agency (NSA) penetration tools. These tools are specifically adapted to exploit certain zero-day vulnerabilities, which are so new or unknown that not even the company that created the software knows about them. The NSA currently operates by searching for, hoarding and protecting its collection of zero-day exploits. The recent leak by the hacking group known as the Shadow Brokers – and the fallout that has resulted from Wannacry – has given credence to those in the IT community who argue that the hoarding of zero-day exploits can only have negative effects. This illustrates the dilemma faced by the agency as it is tasked with both defending and attacking computer systems. While hoarding vulnerabilities gives it an advantage over adversaries, it also means that if the NSA itself is hacked or falls victim to a leak, then the agency itself becomes the primary source of exploits for disreputable actors.
What can be done to protect yourself? Regularly update your software. The affected computers were running old versions of Windows, so old that Microsoft had recently ceased patching those particular versions. However, the specific vulnerability that Wannacry exploited had in fact been known and patched by Microsoft. The reason that Wannacry was still able to propagate is that the victim computers had simply not installed the patch. Systems that had been kept current through automatic updates would have been immune to Wannacry.
It is also imperative to run backups of your system and, more specifically, of any files that you do not wish to lose. A user of an infected computer who had a backup would have been able to cut his or her losses by removing the encrypted disk, installing a new one and restoring the backup to it. This takes a little more time, but hard drives are much less expensive than the $300-$600 ransom fee. Regular backups are a powerful tool that protects a user from power failure, system and hard drive failure, as well as malicious software like Wannacry.
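The backup-and-restore procedure described above, as an added example that is not part of the original article: a copy of a file tree is taken together with a manifest of SHA-256 digests, one file is then overwritten with junk and another deleted to stand in for damage done by ransomware, and the verify step reports exactly which files no longer match before the restore step repairs them from the backup. The directory layout, file names and contents are constructed for the demonstration; the script runs entirely inside a temporary directory and cleans up after itself.

```python
"""Offline backup, integrity check and restore demo (added example; assumed
file tree and contents are constructed for illustration, not from the article).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy the src tree into dest and record a manifest of relative path -> digest."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = {
        p.relative_to(src).as_posix(): sha256_of(p)
        for p in sorted(src.rglob("*"))
        if p.is_file()
    }
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(live: Path, backup: Path) -> dict:
    """Compare the live tree against the backup manifest: {relpath: ok|modified|missing}."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    report = {}
    for rel, digest in manifest.items():
        p = live / rel
        if not p.exists():
            report[rel] = "missing"
        elif sha256_of(p) != digest:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def restore(live: Path, backup: Path, report: dict) -> list:
    """Copy every missing or modified file back from the backup; return what was restored."""
    restored = []
    for rel, status in report.items():
        if status in ("missing", "modified"):
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup / rel, target)
            restored.append(rel)
    return sorted(restored)


def run_demo() -> dict:
    """End to end: build sample data, back it up, damage it, verify, restore, verify again."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    live, backup = root / "live", root / "backup"
    # Constructed sample data standing in for a user's documents.
    (live / "thesis").mkdir(parents=True)
    (live / "thesis" / "chapter1.txt").write_text("Chapter 1 draft\n")
    (live / "notes.txt").write_text("lab notes\n")
    make_backup(live, backup)
    # Simulated damage: one file overwritten with unreadable bytes, one removed.
    (live / "thesis" / "chapter1.txt").write_bytes(b"\x00UNREADABLE\x00")
    (live / "notes.txt").unlink()
    before = verify(live, backup)
    restored = restore(live, backup, before)
    after = verify(live, backup)
    shutil.rmtree(root)
    return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what makes the backup useful after an incident: without recorded digests, a user can only guess which files were touched, whereas with them the verify step gives a precise list and the restore step touches nothing that is still intact. In practice the backup directory would live on a disconnected drive or a separate machine, since a copy that stays mounted on the infected computer can be encrypted along with everything else.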
It is the nature of computer systems that they will never be invulnerable. There will always be bad actors looking to exploit vulnerabilities in the hundreds of millions of lines of code that make up the software, programs, and apps used by billions of people. As the internet of things continues to seep into every aspect of daily life, the need for proper cyber security education and training will only increase. Simple steps can prevent catastrophic incidents like those experienced across the world last month.