On Friday, May 12, a number of National Health Service (NHS) facilities in the UK reported that their computers had suffered a ransomware attack, which began to have a significant impact on operations. Ransomware, a form of malware that infects a computer and encrypts files until the user pays a ransom (usually in Bitcoin) to recover them, has made news headlines over the last few years, but this may be the most prominent such attack to date. The NHS’s public statement asserts that the ransomware did not target its facilities specifically, and other news outlets report attacks against other, unrelated organizations in different countries. The story continues to unfold.
This piece of malware, known as WannaCry, appears to bear similarities to known ransomware called Wanna Decryptor, which, up until 48 hours ago, did not appear to be a major player in the ransomware space. Further, the malware appears to use an exploit against Microsoft Windows operating systems that was allegedly part of a tool set used by the NSA and disclosed to the public recently by a group calling itself the Shadow Brokers. Notably, Microsoft had already published the fix for the underlying vulnerability in March of this year.
This attack has some additional and unusual attributes. If it does derive from tools used by nation-state intelligence services, it clearly showcases the link between the use of attack tools for intelligence purposes and, once those tools are disclosed, their eventual use for more ordinary criminal purposes. The attack has also had an unusually significant effect on one of its most prominent victims. Although the NHS wasn’t necessarily the intended target, and certainly not the only victim, the attack has rendered health care staff unable to access patient data or systems used for patient care, and this has directly impaired the ability of these facilities to offer their health care services.
A few points of good news emerged over the weekend. In one, a UK-based researcher discovered a kill switch for the malware: registering a particular domain would cause the ransomware function to cease, which prevented many further attacks from happening, although it did not help anyone already affected. Further, Microsoft announced patches for some of its unsupported operating systems, namely Windows XP, Windows Vista, Windows 8, and Server 2003. This applies only to this particular vulnerability, however, and doesn’t represent a general return to support for these operating systems.
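The kill switch described above works because the malware performs a DNS lookup for a specific domain before proceeding, so DNS query logs record which internal hosts have run it. The following is an added example, not code from the original post: it parses constructed BIND-style query-log lines and reports the clients that looked up the kill-switch domain. The domain name is a placeholder, since the post does not give the real one, and the log lines are constructed for the example.

```python
"""Flag hosts that queried the ransomware kill-switch domain (added example)."""
import re
from collections import defaultdict

# Placeholder: the post does not name the real kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed sample lines in the style of a BIND query log.
SAMPLE_LOG = """\
12-May-2017 10:01:12.345 client 10.0.4.17#51234: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 10:01:13.002 client 10.0.4.17#51235: query: update.example.org IN A + (10.0.0.53)
12-May-2017 10:02:40.118 client 10.0.7.88#40001: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 10:03:01.900 client 10.0.4.17#51240: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 10:05:55.500 client 10.0.9.3#33333: query: intranet.example.org IN A + (10.0.0.53)
"""

# Tolerates the optional "(qname)" field that newer BIND versions add after the port.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed query line.

    Malformed lines are skipped rather than raising, so one odd line does
    not abort a sweep over a large log.
    """
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("qname").rstrip(".").lower()


def find_kill_switch_lookups(text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: [timestamps]} for clients that queried a kill-switch domain."""
    hits = defaultdict(list)
    for ts, ip, qname in parse_query_log(text):
        if qname in domains:
            hits[ip].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, times in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {len(times)} lookup(s), first at {times[0]}")
```

A hit means the malware executed on that host, even if the domain resolved and the encryption routine never ran; such hosts still need the March update applied and should be checked for other indicators. One caveat for defenders: the kill switch only works when the lookup succeeds, so an internal resolver or proxy that blocks or sinkholes the domain to a non-responding address defeats the protection rather than strengthening it.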
While the extent of this attack continues to unfold, and the public waits for more analysis of the particulars, this attack reiterates a few very essential points.
- Attacks get better, not worse. This means not only that difficult-to-exploit conditions become accessible to less skilled attackers, but also that the scale and effect of attacks grow. For this reason, Microsoft has openly criticized intelligence services for hoarding otherwise unknown vulnerabilities rather than disclosing them to the software vendors and allowing everyone to obtain the necessary software updates.
- Ransomware asking for a few hundred dollars in Bitcoin has significantly impacted one of the most prominent health care systems in the world. If an attacker looking for a relatively meager ransom was able to make use of an intelligence agency’s attack platform, then we’ve only just begun to see attacks of this scale on a regular basis.
- Microsoft released a patch two months ago. But the NHS and some other organizations either did not install the patch in time or continued to run outdated operating systems for which no patch was available. While the new patch release from Microsoft addresses this particular vulnerability, organizations running unsupported or unpatched software have an urgent need to replace these systems with supported components.
Unfortunately, the basics of good security hygiene, namely aggressively applying security updates, continue to elude many organizations, and when such organizations face even a modestly sophisticated attacker, the results can be frightening.
About the Author
Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.