“Do not pay!” UK authorities warn firms & organisations hit by ransomware attacks
With the UK still counting the cost of last weekend’s ransomware attacks, the vulnerability of civic authorities and businesses to cyber crimes could not be clearer. With crime authorities urging victims to remain vigilant and not to pay ransom demanded by cyber criminals, what are the key lessons to be learned from this incident?
While the UK’s public health service continues to recover from last weekend’s WannaCry ransomware attacks, businesses and organisations have been warned not to pay if the malware locks down their computer systems.
The software—which primarily spreads via email attachment—encrypts files on computers, demanding ransom in digital bitcoin for the safe return of the information.
WannaCry ransomware attacks wreaked havoc across 47 of the National Health Service trusts—with 7 of the organisations continuing to face serious issues, according to the BBC—resulting in the cancellation of operations and the shutdown of computer systems. The messages on affected NHS computers included instructions to send $300 or $600 to one of three bitcoin addresses.
With the UK’s National Crime Agency still not ruling out the possibility of further attacks, the organisation is urging all organisations affected by the malware not to pay the ransom.
Some media organisations have set up Twitter bots to monitor the three publicly accessible bitcoin accounts (wallets) that are hardcoded into the ransomware. Here is a typical example from Quartz Media, whose bot tweets new payments to the wallets as they occur.
The three bitcoin wallets tied to #WannaCry ransomware have received 233 payments totaling 38.06273688 BTC ($64,472.33 USD).
— actual ransom (@actual_ransom) May 16, 2017
Reuters reported as of Monday afternoon that, despite the magnitude of the ransomware attacks, the hackers had made only around $500,000. However, nothing had yet been withdrawn from the wallets, as law enforcement agencies monitor the accounts in a bid to track down the perpetrators.
The UK was but one jurisdiction affected by the ransomware attacks, albeit the most significant victim. It’s estimated that some 200,000 computers and systems across 150 territories have been affected.
It was also the action of a British cyber security researcher who put a halt to WannaCry’s initial spread, creating a crucial window of time in which IT professionals globally went into overdrive to secure their systems from attack.
6 Lessons from the WannaCry Ransomware Attacks
But the threat is far from over, and organisations throughout the UK, still counting the cost of the initial attack last weekend, have been warned to be vigilant for further attacks. Here are the main implications to consider as a result of the WannaCry cyber offensive.
1. The Containment Challenge
Cybercrime, malware, and ransomware attacks recognise no national boundaries. It’s believed that the malicious WannaCry software was stolen from the US National Security Agency (NSA). Business columnist Leonid Bershidsky said it was likely that the attack originated in Russia, but various security experts have said that the source of the ransomware is unknown.
Bershidsky wrote for Bloomberg that in 2016, “75pc of crypto ransomware—malware that encrypts files on the target machine to force its owner to pay a ransom in exchange for their decryption—originated from the Russian-speaking hacker underworld”.
What we do know is that the WannaCry ransomware was mainly spread via email attachments, and that it locked hundreds of thousands of computers across 150 countries, bringing many factories, hospitals, shops and schools to a halt.
The scale of the attack grew from an estimated 45,000 victim systems on Friday afternoon, to some 200,000 over the weekend, including the UK’s National Health Service, Renault factories in France, the German railroad system, Telefónica in Spain, as well as the Russian mobile operator MegaFon. Ireland appeared to have escaped the worst, with Minister of Communications, Denis Naughten, revealing there had been no further reported incidences of WannaCry beyond an “isolated case of an HSE-funded facility in Wexford on Saturday”.
2. Amateur Flaws & Rapid Revisions
Ransomware attacks and other malware threats can be defeated or thwarted, but it’s not the same as defeating an army. Regrouping is swift and in-the-round. What concerns commentators most about WannaCry is that it was relatively unsophisticated, and appears to have been motivated by nothing more than extortion. Its initial spread was halted due to the accidental discovery of a flaw that was later branded by commentators as “an amateur-hour performance by WannaCry’s authors”, according to Vox.com.
The British cyber security expert pseudonymously known as MalwareTech accidentally discovered on Friday that WannaCry was attempting to connect with a particular internet domain. MalwareTech registered this domain name, and the initial infection of new domains ceased almost immediately. The researcher had thwarted the malware’s ‘digital sandbox’ detection mechanism.
A digital sandbox is a virtual domain, located off the real Internet, where researchers study malware, and where most malware programs will automatically shut down to prevent any in-depth scrutiny. MalwareTech had registered the domain name in a bid to track WannaCry, but this actually caused copies of WannaCry to shut down across the real Internet.
However, this was only a temporary reprieve from the threat. By Sunday, new versions of the malware were circulating that were not vulnerable to this flaw in the original WannaCry program. The lesson here is clear: there is no room for complacency, at any level, when dealing with information of any kind on the Internet. Flaws can be fixed, and swiftly.
3. Questions for the Authorities
WikiLeaks founder Julian Assange and NSA whistleblower Edward Snowden have been scathing in recent times about security agencies hoarding hacking tools and cyber vulnerabilities for their own use, instead of sharing the information with companies such as Microsoft in the public interest.
Assange and Snowden were responding to the recent leaks of hacking tools from the NSA and the CIA, including the ‘Eternalblue’ code that enabled the authors of WannaCry to commandeer devices using pre-Windows 10 operating systems.
According to the Irish Independent this Monday, almost half of the world’s internet-connected computers (a whopping 48.5 percent) operate on Windows 7. Just 26 percent of computers run on the latest Microsoft operating system, while some 7 percent use the 16-year-old Windows XP system.
This leaves a massive swathe of users, public and private, vulnerable to ransomware attacks using software that has, in the first instance, been engineered by intelligence agencies.
4. Questions for Users: Update or Remain Vulnerable?
The true culprits in this attack are the authors of WannaCry. Microsoft has also found itself on the hook over issues stemming from Windows security, while, as pointed out, the intelligence agencies specifically in the US have justifiably come under scrutiny for hoarding information and codes that exploit the vulnerabilities of operating systems such as Windows, and failing to secure it properly.
NHS Hospitals in Britain—and medical organisations around the world—tend to use equipment and systems that is older, due to their expense. Consequently, some systems and devices, such as MRI scanning equipment, are designed to work with the particularly vulnerable (in this case) Windows XP operating system.
This leaves IT administrators in the NHS with a perplexing dilemma to resolve. If they do not upgrade equipment and systems, they will remain vulnerable to malware attacks. But if they do upgrade, it will require significant investment, and potential compatibility issues that may cost additional tens or hundreds of thousands of pounds to resolve.
This dilemma is very real for all organisations, particularly larger more corporate entities, running systems or devices running on pre-Windows 10 systems. Microsoft regards Windows XP as outmoded, and in 2014 discontinued free security updates, recommending users to upgrade to a newer OS. In March, following news of the cybertheft of hacking tool leaks from the NSA, Microsoft released an update to patch XP’s ‘Eternalblue’ vulnerability, and released a further security update last weekend to fix the XP flaw targeted by WannaCry.
However as we’ve seen above, users worldwide have been slow to migrate to more recent operating systems. Extended support contracts have been available for organisations continuing to use XP and other older operating systems, but, according to Vox.com it appears that few hospitals in Britain or other organisations using XP, have availed of this option.
The latest Windows OS installs security dates automatically, but many Windows computers in use either do not have automatic updates enabled, or are so old that Microsoft no longer provides security updates for them.
So, some of the most significant questions asked in the wake of WannaCry must be asked within those larger professional or corporate networks where software updates are often delayed, due to, among other reasons, concerns about possible impact on existing systems and technology.
5. Questions for IT Providers
As we have seen, the public healthcare sector in the UK was badly exposed to ransomware attacks and other malware, and is now in something of a bind in the aftermath of WannaCry.
However, there are major questions that must be asked by software and IT providers, particularly those with such massive market share as Microsoft. These questions do not so much relate to their security of their operating systems, as to the manner in which these systems are provided.
Understandably, Microsoft will be reluctant to continue offering free updates and patches for flaws in operating systems it regards as obsolete, but how will the company avoid finding itself in this position in the future.
Senior correspondent for Vox.com, Timothy B Lee, argues that the ultimate solution is for companies to sell software on a subscription rather than a ‘one-time purchase’ basis. The subscription revenue stream, Lee suggests, would enable Microsoft to continue offering security updates, patches and fixes for all versions of its software that customers wish to pay to use.
However, Lee acknowledges that the biggest obstacle to this is the preference of customers for the one-time purchase model. He also said that providers of subscription services would still have a huge backlog of customers who purchased software outright, and who expected their security upgrades indefinitely.
6. Conclusion: Double Down on Security
As with all types of crime, there is only a slim likelihood of creating an online environment that will ever be 100 percent secure from ransomware attacks by cyber opportunists who mounted the WannaCry attack.
And with the welter of issues to be resolved, by the civic authorities, by users, by organisations and businesses, by IT providers, it’s clear that there is not any time soon going to be a solution that’s even close to comprehensive.
While WannaCry appears to have been motivated by nothing more complex than extortion, the potential for more serious ransomware attacks couldn’t be spelled out any more clearly: next time exploiting similar cyber vulnerabilities but possibly motivated by darker political forces or more serious criminal intent.
In the meantime, organisations are urged to thoroughly audit their IT systems, to backup all of their data, and to remain ultra vigilant about the emails that they open.