The WannaCry ransomware attack of May 12, 2017 infected 200,000 computers across 150 countries, and among other things, wrought havoc in hospitals across the UK, where it was first detected, as well as hitting major corporations around the world, impacting everything from German railways to Chinese ATMs.
WannaCry exploited a known Microsoft vulnerability for which there was a patch on Windows 10, but not for some of the older Windows OSes that companies continue to use. The reality is that many infections could have been avoided, but IT admins say testing and patching cycles take too long because of the genuine fear about applications being broken or brought down by the enforced changes.
This was the moment ransomware caught the world’s attention, and the attack should drive further initiatives for better, faster patching.
WannaCry is a wakeup call for the whole business community
WannaCry, aka WannaCrypt, WannaDecryptor 2.0, and various other names, probably used classic phishing to get into the first machines it contaminated. It then spread rapidly using EternalBlue and its one-to-many exploit capabilities. EternalBlue, which is thought to have been developed by the US National Security Agency (NSA), enables malware to spread to other computers within each environment, using a vulnerability in Microsoft’s Server Message Block (SMB) protocol to do so.
Microsoft had issued a Windows 10 patch for SMB in March, so anyone who had deployed it in the interim avoided WannaCry’s propagation. There was, however, no patch for operating systems Microsoft is no longer supporting, such as Windows XP or 2003, and for the thousands of devices still running these, there was no hope.
With computers across Britain’s National Health Service displaying ransom notes, appointments and operations were postponed because of the unavailability of patient data. Spanish carrier Telefonica, German railway Deutsche Bahn, FedEx, and a host of other organizations were also hit and forced to curtail their normal activities.
In the event, a security researcher found, almost by accident, what turned out to be a kill switch in the ransomware, saving the day; the number of infections has decreased dramatically since the weekend. As of Monday May 15, the attackers had received some $48,000 in ransom, which was paid in bitcoins. Also, over the weekend, Microsoft issued a patch for the unsupported OSes.
WannaCry highlights the need for more effective threat protection and patch management regimes
The SMB vulnerability should have been patched before now, Microsoft should address vulnerabilities in its older OSes, and people shouldn’t click on untrusted links in emails.
Nevertheless, the world is an imperfect place. IT admins do advance with understandable caution when there is a major patch, fearing that it may cause in-house systems to fall over. Microsoft will try to wean customers off older operating systems so that it can move them to more advanced ones, reduce its overheads supporting vintage models, and maintain its revenue streams. And people will continue to click on bogus URLs.
Microsoft is to be lauded for its swift action in coming up with a patch for the older OSes, and it is to be hoped that this experience will provoke a rethink about support levels for what it may see as dinosaurs but which, in practical terms, are still far from extinct. It is difficult to see how some IT admins can be encouraged to patch more rapidly, given the potential turmoil such patches can cause, but most organizations manage to do enough to stay safe. The sobering experience of WannaCry must at least cause them to prioritize patching in a way that until now they have not.
Finally, the extent of the problems caused by the WannaCry ransomware worm and the ease with which its payload was delivered mean that there will be other new variants coming along soon. These are likely to be stronger and more effective, and almost certainly won’t have the same kill switch.