Q&A: The ransomware cyber-attack fallout
Computers in 150 countries were attacked by WannaCry ransomware – we ask the experts what we’ve learned from the worldwide hack
Tech giant Microsoft has warned the global cyber-attack targeting 150 countries and more than 200,000 computers is a ‘wake-up call’ for governments worldwide.
The attack, which began on Friday, May 12, has seen businesses crippled by ransomware infecting their computers. The virus, WannaCry, took control of users’ files and demanded payment to restore access.
But the head of the European Union’s law enforcement agency, Europol, says the number of victims is still rising as the ‘worm’ continues to spread across networks.
We asked University of Melbourne experts Dr Vanessa Teague, Dr Chris Culnane and Dr Toby Murray, from the School of Computing and Information Systems, what we’ve learned from the attack and what it means for future security online.
Q: What is ransomware and how did this attack work?
A: Ransomware is a type of malware that encrypts the data on your hard disk in order to hold you to ransom. In order to get the decryption key a victim is asked to make a bitcoin payment.
This malware is distributed via infected email attachments as well as links to malicious websites. It then propagates through a network using a security hole in Windows. Once infected, the malware will access all hard disks and attached storage, encrypting your files and removing the unencrypted versions.
Q: This attack seems more widespread than previous hacks. Is that the case or is it just more visible?
A: This is much more sophisticated than previous ransomware attacks, which have relied predominantly on victims opening malicious email attachments.
The malware used in this attack is an adaptation of tools from the United States’ National Security Agency (NSA). The agency’s toolkit was stolen – the theft revealed when a hacking group calling itself Shadow Brokers started leaking documents around August last year.
Some of the information was made public, while they also attempted to auction off a set of tools. The exact date of the theft, and who was ultimately responsible for it, is not publicly known – and the attempt to auction off the exploit tools was not particularly successful, resulting in a number of tools being leaked by the group publicly in January.
The exploit used in this attack was not part of that leak. Microsoft released a patch (MS17-010) for the vulnerability in March 2017 for supported versions of Windows, and the toolset was leaked publicly by the group in April, supposedly in response to Trump’s action in Syria.
It isn’t publicly known whether Microsoft got lucky in releasing the patch in March, or whether they were given advanced warning, but due to the way enterprises update their systems, there can be a time lag until such security updates are applied to all machines. As a result, a single, compromised machine on a network could lead to all unpatched machines becoming infected. All it would take is one individual to open a malicious attachment or click on a malicious link.
It is also worth noting this attack could have been considerably worse.
A UK-based security researcher, going by the pseudonym MalwareTech, discovered the malware had what is called a ‘kill-switch’, which in this case meant the virus would stop spreading if a particular website existed.
Indeed, we’re lucky the people who made the ransomware didn’t disable that feature. The researcher in question discovered the website had not been registered and duly registered it himself, potentially preventing a much wider spread of the malware.
But quite why the malware developers included the kill-switch is still a mystery.
Q: Are hacks like this preventable? Many of us have had to update a security patch on a computer, but can they prevent something like this?
A: Writing code that aims to be bug-free is very expensive and is still not feasible for the vast majority of everyday software. A good example of cutting-edge development is the open source seL4 microkernel, developed by Data61.
seL4 contains about 10,000 lines of C code and has some of the strongest guarantees obtainable that it is free of security vulnerabilities.
Microsoft Windows, on the other hand, is thousands of times larger than seL4 – with some estimating its size at around 50 million lines of code. Trying to achieve the same guarantees of bug freedom for Windows is simply too large.
That said, such attacks can be mitigated against, but cannot be prevented entirely.
It is essential that organisations have strength in depth. Thorough and well-tested backup procedures are a first step. Regular updates to operating systems are equally essential. Above all else, organisations require skilled IT security staff to protect their networks and systems.
Applying good security practices is the responsibility of everyone within the organisation, with the example starting from the top down. Poorly conceived practices can make matters worse and give us all a false sense of security.
Q: Do we know who’s behind the attack and why they did it? Is the aim a purely financial one or is it more about disruption?
A: At the moment we just don’t know. The global impact of the attack indicates the primary objective is the extraction of money from victims. Current reports indicate the amount of money obtained has been relatively limited, however, that amount is likely to increase as more organisations continue their working week and have to deal with any infections.
Q: There was a lot of discussion after last year’s US Presidential election about the hacking of the Democrats’ database – this is a very specific target – but this attack seems more random?
A: There is currently no evidence to suggest this was particularly targeted, or that the primary objective of this attack was data extraction, as in the case of the attack on the Democrats.
However, as is often the case, the malware combines multiple compromises. In addition to the ransomware attack, a backdoor called Doublepulsar is also installed. This leaves an infected machine open to further attack and potential compromise of data. As such, the nature of the attack could change and we could see further consequences if machines containing sensitive data were compromised. It is too early to say whether any secondary attacks were launched to extract personal data, particularly in the case of the National Health Service (NHS) in the United Kingdom.
If they were, this would not be obvious. Nor would installing the patch solve the problem if the machine was already infected.
Q: The attack on the NHS saw emergency rooms shut and operations cancelled. Are we likely to see more incidents like this targetting large infrastructure?
A: It is not clear the NHS was specifically targeted, it is more likely the IT systems in the NHS were poorly protected and outdated, as a result of critical under-funding. As such, they were more susceptible to the attack. In particular, large parts of the NHS are still using Windows XP which is no longer supported by Microsoft.
This means those computers would have been particularly susceptible to the worm, and hence one compromised individual would have compromised every Windows XP on the network – which in the case of the NHS could have been many machines.
Microsoft has now released a patch for Windows XP as well, even though it is officially out of support. Running mission critical services on no longer supported operating systems is a recipe for disaster. If the NHS was not able to update to a supported version of Windows it should have considered switching to an open source alternative like Linux.
Q: Can these attacks be stopped and will it have any long-term impact on how we operate and protect ourselves online?
A: Malware typically exploits bugs and mistakes in software. We aren’t likely to see the eradication of all software bugs, so we should expect these types of attacks to keep happening. But developing an understanding of the risks and the mitigation strategies, along with deploying good security practices, is our best defence.
IT security requires both investment and a high degree of knowledge and experience. It is debatable whether our governments or businesses are adequately resourced to understand the threats or deploy the mitigating strategies. How many chief technology officers have the sufficient training to understand IT security?
If boards and governments see IT security as an inconvenience and a cost, rather than as an enabler for them to continue functioning in the face of a malicious onslaught, we will continue to see under-investment and attacks like this one having significant impact.
Q: Will this change the way we use networks and the internet in the future?
A: For anyone with an IT security background what has occurred is of no great surprise.
This should be a wake-up call to government and business to take IT security more seriously. As for whether it will change the way in which we do things, it is probably quite unlikely. This isn’t the first attack like this, and it won’t be the last.
Such attacks should be expected and plans should be made and tested to determine how to recover from them. If an adequate recovery plan cannot be formulated, then the system in question should not be online, and should have physical protection to try and mitigate against possible attacks.
However, such measures come at the cost of greater inconvenience to the end-user, and require widespread organisational change. It is perfectly possible to do, many high-security organisations will run separate networks to protect against attacks like this, but to do so requires buy-in from management and staff.
The question is whether organisations have sufficient willpower and understanding of the risks to make the right changes.
Q: Whose fault is this and what needs to change in future?
A: Many failures contributed to allowing this attack to happen.
Firstly, there’s a government failure to fund public sector IT sufficiently for basic safety. The UK’s NHS should never have been running critical services on machines that were too old to get security patches. This will continue to be a problem for as long as the true cost of skimping on cybersecurity is not understood
Secondly, there’s the failure of the public and private sectors to install a patch that was deployed (for modern versions of Windows) almost two months ago.
Then there’s the failure of Microsoft to produce secure software.
And finally, there’s the controversial issue that the exploit at the heart of this attack was discovered by NSA and used in its own toolkit for gaining unauthorised access to machines. The existence of the vulnerability was only disclosed when the NSA toolkit was stolen earlier this year. This represents a dangerous gamble: the assumption that an unpatched security hole will be exploited only by law enforcement agencies and spies on your own side.
Microsoft’s president has now likened this attack to “the US military having some of its Tomahawk missiles stolen” and has called for a Digital Geneva Convention, to address nation states exploiting and hoarding known vulnerabilities.
A well-secured fortress has multiple layers of security so that if one fails the others will defend the city. Here we saw every single layer fail.
Banner image: Wikimedia