The WannaCry cyber attack got lots of attention for its sheer magnitude. It reportedly affected 300,000 Windows PCs in 150 countries, and shut down major parts of the UK’s health system and German rail.
The fact that the exploit the malware used was stolen from the NSA, and the potential involvement of North Korea, also layered on elements of global intrigue.
To the people who deal with cyberattacks frequently, that level of attention is unique. As WYPR Midday host Tom Hall noted during a show that this reporter participated in on Friday, it earned the distinction of second biggest story of the week (behind the ugly saga of Trump and Comey).
In the cyber world, the tech behind the attack is getting attention. It’s a new take on an old crime.
Most people who are familiar with crime know about a ransom. Instead of a kidnapping, the criminals now use malware to encrypt files and make them inaccessible until people pay up. Rather than delivering the money at a certain time in a certain bag, the victims are ordered to pay in bitcoin, which is difficult to trace back to a real-world identity.
While ransomware has been on the radar for the last couple of years (remember that MedStar Health attack last year?), the way this attack spread through networks was new. As Peter Dietrich of Columbia-based Anchor Technologies described it to us, the attack moves by worming its way through a network, rather than spreading through email. In this case, it was able to exploit a vulnerability in the SMB file-sharing service of Microsoft operating systems, mainly on Windows 7 machines, and it moved fast.
Dietrich said his company worked with a client following a similar attack recently. This attack represents “a newer generation of getting into the environment and worming through the environment,” he said.
Up until Friday’s deadline, there was lots of debate about whether to pay a ransom. But for businesses, the costs go beyond those payments. A system that’s hit with ransomware typically has to be completely rebuilt, Dietrich said. Then there’s the cost of the downtime, which can put a company out of business. As was shown in the British healthcare system, where the attack impacted surgeries, lives are literally on the line.
There was warning. Microsoft released a patch (MS17-010) in March that closed the SMB hole the attack exploited. In retrospect, it may seem tempting to think the attack could have been prevented. Trouble is, many organizations didn’t update their systems.
Larger organizations may delay making the security fixes since it requires a series of tests and the right timing so as not to disrupt work.
“From an enterprise perspective it’s really complicated to be pushing out updates, so sometimes they’ll hold off on updates unless they feel it’s something super critical,” said Zuly Gonzalez, CEO of Light Point Security.
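The check a practitioner would want to run on a Windows host after reading this, as an added example that is not from the article or from any of the people quoted in it: audit whether SMBv1 is still enabled and whether the March MS17-010 update is present, and turn SMBv1 off. It assumes an elevated PowerShell session on the host being checked. The KB numbers are the MS17-010 updates Microsoft published for Windows 7 SP1 and Server 2008 R2 (security-only and monthly rollup); later cumulative rollups supersede them, so a miss on that list does not prove the host is unpatched.

```powershell
# Added example (not the article's own): audit one Windows host for the
# exposure WannaCry used. Run from an elevated PowerShell session.
# MS17-010 updates for Windows 7 SP1 / Server 2008 R2 (security-only, monthly rollup).
# Later rollups supersede these, so absence is a hint, not proof, of exposure.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # The SMB1 registry value is honoured on Windows 7 and later.
    # When the value is absent, the server defaults to SMBv1 enabled.
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return [bool]$val
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the SMB server cmdlets.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry only; takes effect after the
        # LanmanServer service (or the host) restarts.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
    }
}

$smb1On  = Get-Smb1Status
$patched = Test-Ms17010Installed
Write-Output ("SMBv1 enabled: {0}; MS17-010 KB present: {1}" -f $smb1On, $patched)
if ($smb1On) {
    Write-Warning 'SMBv1 is enabled. Disable it (Disable-Smb1) and restart the LanmanServer service.'
}
if (-not $patched) {
    Write-Warning 'No March 2017 MS17-010 KB found; confirm a later cumulative rollup is installed before treating this host as patched.'
}
```

Disabling SMBv1 removes the attack surface regardless of patch state, which is why the script reports on both: a host can be patched but still serving a protocol that nothing in the environment needs.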
But even for the most knowledgeable people, there is lots to track.
“Unfortunately, the symbolic ‘warning light’ on the security dashboard was only one of thousands — culled out of millions of mixed mundane/important events — vying for SecOps attention,” Casey Corcoran, Vice President of Spark-based FourV Systems, said via email. “When the Shadow Brokers hacker group leaked the Windows SMB exploit, it became just one more ‘thing’ that went under in the din of warnings and alerts.”
Due to the success of this attack, many organizations will likely take necessary security steps, Gonzalez said. As a result, Gonzalez said it’s unlikely that groups will try to carry off a similar breach. But they will likely look for other ways to accomplish the same kind of scale. The question is whether the publicity will serve as a wake-up call to prepare for the future.
“We think we might be better prepared, because we will pay more attention to the warning signs. But reality is there will again be many signs, and discerning the mundane from the important will be as difficult as it was with WannaCry,” Corcoran said.
And the group that leaked the exploit is emboldened: the Shadow Brokers are talking about pivoting to a subscription model for their leaks.