May 15, 2017
A Simple Security Update Could Have Prevented Ransomware Attack
By Ashish Kumar Sen
“One of the lessons learned here is that people just do not patch their systems,” said Dmitri Alperovitch, a nonresident senior fellow in the Cyber Statecraft Initiative of the Atlantic Council’s Brent Scowcroft Center on International Security.
“The reality is: the vulnerability that was exploited was not a zero-day vulnerability,” he said.
In March, two months before the attack, Microsoft had issued a security update (MS17-010) closing the Windows SMB vulnerability that the malware exploits. Nevertheless, hospitals, train stations, and other critical infrastructure operators had not applied it.
“The most remarkable thing about this incident is that it is not that remarkable,” said Alperovitch, who is also the co-founder and chief technology officer at CrowdStrike, the cyber firm that was called in to handle the breach by Russia-backed hackers of the Democratic National Committee in 2016.
Noting that ransomware has been around for at least fifteen years, he said what made the latest attack unique was that it was an extremely virulent form infecting computers around the world.
Early reports described the malicious software, or malware, first detected in Europe as arriving by e-mail, but its defining trait is that it spreads on its own: once it is on one machine it reaches others over the network through the unpatched SMB flaw, which is why Alperovitch describes it below as a worm. Users of infected machines are locked out of their data and shown a message threatening to destroy it if they do not pay a ransom. The initial demand was $300 in Bitcoin per infected computer; for the first victims this doubled to $600 on May 15. As of midday on May 15, $56,000 had been paid to the attackers, according to Elliptic, a Bitcoin forensics firm that is tracking the attack.
The malware goes by the names “WannaCry” or “Wanna Decryptor.” The attack hit hospitals, universities, businesses, and home PCs; it raised worldwide alarm on May 12 when it forced hospitals in the United Kingdom to divert ambulances.
In April, a hacking group known as the Shadow Brokers released stolen software tools built by the National Security Agency to break into and control computers running Microsoft Windows. WannaCry spreads by exploiting the same SMB vulnerability that one of those tools, EternalBlue, targets.
In a blog post on May 14, Brad Smith, president and chief legal officer of Microsoft, wrote that the malware attack should serve as a “wake-up call” for the tech industry, consumers, and governments.
“This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support,” Smith wrote.
The attack itself was not very sophisticated. Its initial spread was halted when a 22-year-old security researcher in the United Kingdom accidentally triggered a “kill-switch”: he registered a domain name that the malware checked before running, and once that domain answered, the original version stopped infecting new machines.
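The kill-switch behaviour described above, modelled as an added example that is not code from the article or from the malware itself. The domain name is a placeholder (the real one is not reproduced), the network calls are injected functions so the script runs offline, and the DNS log lines are constructed. The third scenario shows the caveat Alperovitch raises later in the interview: the sinkhole only helps hosts that can reach the domain directly.

```python
"""Model of a DNS/HTTP 'kill-switch' check and a DNS-log sweep for hosts that ran it."""
import socket
from typing import Callable, List

# Placeholder name; the real kill-switch domain is deliberately not used here.
KILL_SWITCH_DOMAIN = "killswitch.example"


def should_run_payload(domain: str, fetch: Callable[[str], bool]) -> bool:
    """Return True if the worm would proceed.

    The malware only continues when its plain HTTP request to the domain
    FAILS. Any OSError (no DNS answer, connection refused, no route) counts
    as failure, so an unregistered domain lets the payload run, while a
    registered, reachable domain makes it exit.
    """
    try:
        return not fetch(domain)
    except OSError:
        return True


# --- three constructed environments -------------------------------------

def scenario_unregistered() -> bool:
    """Before anyone registered the domain: DNS lookup fails, worm runs."""
    def fetch(domain: str) -> bool:
        raise socket.gaierror(-2, "Name or service not known")
    return should_run_payload(KILL_SWITCH_DOMAIN, fetch)


def scenario_sinkholed() -> bool:
    """After the researcher registered it: request succeeds, worm exits."""
    return should_run_payload(KILL_SWITCH_DOMAIN, lambda domain: True)


def scenario_sinkholed_behind_proxy() -> bool:
    """Domain is registered, but this host can only reach the web through a
    proxy the malware does not use, so the direct connection is refused and
    the kill-switch gives no protection."""
    def fetch(domain: str) -> bool:
        raise ConnectionRefusedError(111, "Connection refused")
    return should_run_payload(KILL_SWITCH_DOMAIN, fetch)


# --- responder side: find hosts that performed the check ---------------

# Constructed sample of a resolver query log (format is an assumption).
DNS_LOG = """\
2017-05-12T10:01:03Z client=10.0.1.17 query=update.microsoft.com type=A
2017-05-12T10:01:05Z client=10.0.1.23 query=killswitch.example type=A
2017-05-12T10:01:09Z client=10.0.2.4 query=killswitch.example type=A
2017-05-12T10:01:11Z client=10.0.1.23 query=killswitch.example type=A
"""


def hosts_querying(domain: str, log_text: str) -> List[str]:
    """Distinct client IPs that looked up `domain`, in first-seen order.

    A lookup means the malware already executed on that host, whether or
    not the payload then ran, so each one needs isolation and patching.
    """
    hosts: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("query", "").lower() == domain.lower():
            client = fields["client"]
            if client not in hosts:
                hosts.append(client)
    return hosts


if __name__ == "__main__":
    print("unregistered domain, payload runs:", scenario_unregistered())
    print("sinkholed domain, payload runs:", scenario_sinkholed())
    print("sinkholed but proxy-only network, payload runs:",
          scenario_sinkholed_behind_proxy())
    print("hosts that performed the check:",
          hosts_querying(KILL_SWITCH_DOMAIN, DNS_LOG))
```

Two practical consequences follow from the model: the sinkhole is a stopgap that any variant defeats by changing the domain, and a DNS query for the kill-switch domain is a high-confidence indicator that the malware executed on the querying host even if nothing was encrypted.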
It is still unclear who was behind the attacks.
Dmitri Alperovitch spoke in a phone interview with the New Atlanticist’s Ashish Kumar Sen. Here are excerpts from our interview.
Q: What lessons can governments draw from this cyberattack as they shape their cyber policies?
Alperovitch: The most remarkable thing about this incident is that it is not that remarkable. We have seen these types of worms in the past. This one is a very virulent form of ransomware that can spread very, very rapidly. That’s why it has got so much attention. Nothing here was that unique in terms of capabilities and certainly nothing that we haven’t seen before for at least fifteen years.
One of the lessons learned here is that people just do not patch their systems. The reality is, the vulnerability that was exploited was not a zero-day vulnerability. Microsoft had a patch for it back in March and you still had so many critical systems, hospitals, train stations, and other parts of critical infrastructure around the world where those systems really were not patched.
Q: Do you expect a second wave of attacks?
Alperovitch: We have already seen new variants coming up with new kill-switch domains. The original version was actually very quickly neutralized, really by accident, when a researcher in the UK registered a domain that the malware had called out to. By virtue of registering that domain he virtually neutralized the malware. After the initial hours of the attack really no one else was getting victimized if they were able to connect to his website. This weekend, we saw another version where the kill-switch domain changed. We will probably start to see more variants come out of this.
Ironically, because a lot of the computers that were infected over this weekend did not have their files encrypted, the users of those machines may not even realize that they are vulnerable, so new variants may be able to hit those machines doing more damage.
Q: What can users of compromised machines do after such an attack to secure their data?
Alperovitch: You should install a patch to make your system invulnerable to this particular exploitation. If you already have the malware in your system, you should install next-generation endpoint security solutions that use machine-learning/artificial intelligence and behavioral analysis to prevent malware from running.
The other thing that we should be thinking about as an overall hygiene solution is blocking these types of worms at the ISP layer by preventing network connections to SMB (Server Message Block) ports that allow this worm to spread.
We actually have not seen a tremendous amount of infections in the US and part of the reason is that many ISPs in the US actually block these network ports and prevent the worm from spreading. That is not necessarily the case in Asia or in some parts of Europe, and that’s one of the areas where we can see more improvement.
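As an added example, not part of the interview, the two controls Alperovitch describes in the answer above: blocking the SMB ports at a network border, and spotting a worm's fan-out from connection logs. The log format and threshold are assumptions, the log lines are constructed, and the rule generator targets a Linux border router with iptables as an illustration of the ISP or perimeter block he has in mind (it is not a claim about any ISP's configuration).

```python
"""Perimeter block rules for SMB and a fan-out heuristic for worm-like scanning."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# SMB runs on TCP 445 (direct) and TCP 139 (over NetBIOS).
SMB_PORTS = {139, 445}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed firewall log: one host (10.0.1.23) sweeps neighbours and two
# Internet addresses on 445/139 within seconds; 10.0.1.40 just talks to the
# file server 10.0.1.5. Field layout is an assumption, not a real product's.
FIREWALL_LOG = """\
2017-05-12T11:00:01Z allow src=10.0.1.40 dst=10.0.1.5 proto=tcp dport=445
2017-05-12T11:00:02Z allow src=10.0.1.23 dst=10.0.1.30 proto=tcp dport=445
2017-05-12T11:00:02Z allow src=10.0.1.23 dst=10.0.1.31 proto=tcp dport=445
2017-05-12T11:00:02Z allow src=10.0.1.23 dst=10.0.1.32 proto=tcp dport=445
2017-05-12T11:00:03Z allow src=10.0.1.23 dst=10.0.1.33 proto=tcp dport=445
2017-05-12T11:00:03Z allow src=10.0.1.23 dst=10.0.1.34 proto=tcp dport=445
2017-05-12T11:00:03Z deny src=10.0.1.23 dst=203.0.113.9 proto=tcp dport=445
2017-05-12T11:00:04Z deny src=10.0.1.23 dst=198.51.100.77 proto=tcp dport=445
2017-05-12T11:00:04Z allow src=10.0.1.23 dst=10.0.1.35 proto=tcp dport=139
2017-05-12T11:00:05Z allow src=10.0.1.40 dst=10.0.1.5 proto=tcp dport=445
2017-05-12T11:00:05Z allow src=10.0.1.23 dst=10.0.1.5 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def perimeter_block_rules(chain: str = "FORWARD") -> List[str]:
    """iptables commands dropping new inbound/outbound SMB sessions crossing
    the border. Apply at the Internet edge only; SMB is needed inside a LAN."""
    return [f"iptables -A {chain} -p tcp --dport {port} "
            f"-m conntrack --ctstate NEW -j DROP"
            for port in sorted(SMB_PORTS)]


def smb_fanout(log_text: str) -> Dict[str, Set[str]]:
    """Map each source IP to the distinct destinations it tried on an SMB
    port. Denied attempts are kept: a blocked probe is still scanning."""
    fanout: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in SMB_PORTS:
            continue
        fanout[m["src"]].add(m["dst"])
    return dict(fanout)


def suspected_spreaders(log_text: str, threshold: int = 5) -> List[Tuple[str, int]]:
    """Sources that touched at least `threshold` distinct SMB targets.
    A workstation normally talks SMB to a handful of servers; a worm
    walks the subnet. The threshold is an assumed tuning value."""
    hits = [(src, len(dsts)) for src, dsts in smb_fanout(log_text).items()
            if len(dsts) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def external_smb_attempts(log_text: str) -> List[Tuple[str, str]]:
    """(src, dst) pairs where an internal host tried SMB to a non-RFC1918
    address: exactly the traffic the perimeter rules above should drop."""
    out: List[Tuple[str, str]] = []
    for src, dsts in smb_fanout(log_text).items():
        for dst in sorted(dsts):
            if not any(ip_address(dst) in net for net in RFC1918):
                out.append((src, dst))
    return out


if __name__ == "__main__":
    print("\n".join(perimeter_block_rules()))
    print("suspected spreaders:", suspected_spreaders(FIREWALL_LOG))
    print("SMB to the Internet:", external_smb_attempts(FIREWALL_LOG))
```

The fan-out count is deliberately port-based and does not try to decode SMB: the point Alperovitch makes is that the worm needs a TCP connection to 139 or 445 to reach its next victim, so connection logs at any choke point are enough to see it move, and dropping those connections at the border is enough to keep it from crossing between networks.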
Q: It has been reported that the vulnerability on which the malicious software is based was initially published by a group called the Shadow Brokers, which had disclosed cyber tools developed by the National Security Agency. Is this a credible connection?
Alperovitch: Yes, certainly.
Q: How do you diminish the risk posed by government stockpiling their vulnerabilities?
Alperovitch: The vulnerability was already known. In this particular case, it was released by the Shadow Brokers, but it could have been discovered by a researcher and you would have had the same incident.
Q: How does this attack compare to previous ransomware attacks?
Alperovitch: Previous ransomware was not really of a worm variety. You basically had to click on a phishing e-mail to get yourself infected or visit a website that would exploit you. Once that machine was infected it would not necessarily try to infect anyone else in the network.
This one has spreading capabilities, which is one of the reasons why you have so many victims around the world. But we have seen, not necessarily ransomware, but worms like this in the past. In the early 2000s, there were many outbreaks of these worms like the Blaster worm, Nimda, and many others. In this case, it is very similar to those past incidents.
Ashish Kumar Sen is deputy director of communications at the Atlantic Council. You can follow him on Twitter @AshishSen.