First, ransomware is a growing menace, and this may be the case that gets it global attention. The idea behind ransomware is simple: no one is willing to pay as much as you are for your data. Instead of copying critical data and trying to sell it to others, ransomware authors will simply deny their target access until payment is made. Documents or medical records might not have much resale value, but if a hospital needs them to operate, they suddenly become very valuable. With data decryption usually priced in the hundreds of dollars, many organisations find it easier to pay and move on; the leading cybersecurity firm Trend Micro recently researched UK organisations that have been targeted by ransomware in the past two years and found that almost two-thirds of those attacked paid the ransom. Organisations that have paid include hospitals and police departments, as well as countless companies.
Second, what made the WannaCry ransomware so powerful is how quickly it spread. It took advantage of a vulnerability in a part of the Windows operating system known as Server Message Block—the same vulnerability that had been previously exploited by the United States National Security Agency and that was made public by a group of unknown identity calling itself The Shadow Brokers. It appears that the WannaCry ransomware was often delivered by a social engineering email. Once it was opened, this vulnerability in Windows systems enabled the malicious code to spread quickly across an organisation’s network, infecting not just one computer, but many.
Pieces of malicious code that employ this self-spreading technique are called “worms.” While the cybersecurity world has seen worms before—the Stuxnet attack carried out against the Iranian nuclear program is probably the most famous—WannaCry quickly became the most significant piece of “wormable” ransomware to exist. It probably won’t be the last.
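As an added illustration of the worm behaviour described above (this is example code, not part of the original article), the following Python sketch shows how a defender might spot an SMB worm fanning out across an internal network from firewall logs: one host contacting many distinct peers on TCP/445 within a short window. The log format, addresses, window and threshold are all constructed assumptions for the example and would need tuning to a real environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log, one record per line:
#   "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>"
# A normal workstation (10.0.1.15) talks to two file servers all morning, while a
# second host (10.0.1.77) reaches a dozen distinct peers on TCP/445 inside half a
# minute: the fan-out a self-spreading worm produces while hunting for new victims.
SAMPLE_LOG = [
    f"2017-05-12T09:{m:02d}:00 10.0.1.15 10.0.1.{20 + m % 2} 445 ALLOW" for m in range(10)
] + [
    f"2017-05-12T10:00:{s:02d} 10.0.1.77 10.0.1.{100 + s} 445 {'DENY' if s % 2 else 'ALLOW'}"
    for s in range(0, 36, 3)
]


def parse_line(line):
    """Split one log record into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_fanout(lines, window_seconds=60, threshold=10, port=445):
    """Return {src: peak_distinct_peers} for every source that contacted at least
    `threshold` distinct destinations on `port` within any sliding window of
    `window_seconds`. Denied attempts count too: a blocked probe is still evidence."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = parse_line(line)
        if dport == port and src != dst:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                 # oldest first so the window can slide forward
        in_window = Counter()         # destination -> attempts inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for host, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{host}: {peers} distinct SMB peers inside one minute")
```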
Third, and perhaps more important: like the emperor’s new clothes, even this new-fangled ransomware isn’t as sophisticated as it’s cracked up to be. Most ransomware attacks can be prevented by good cybersecurity practices. In this case, the Server Message Block vulnerability in Windows that WannaCry exploited had been fixed by Microsoft before the details became public and before the WannaCry code was written. Anyone who applied the March security update to Windows didn’t have any trouble with WannaCry. Most fortunate of all, the authors of WannaCry seemed to make a fairly basic mistake that bought network defenders critical hours. When a security researcher—who remains anonymous and goes by the pseudonym MalwareTech—registered a domain name to which the malicious code was attempting to connect, he rendered the code inert. This likely spared thousands of people from having their data locked away.
There is a clear lesson for all of us from this incident: cybersecurity can be hard, complex, time-consuming, and expensive—but not impossible, especially against comparatively unsophisticated criminals. There is never a silver bullet solution, but there are a lot of small things that can go a long way. For organisations and individuals, chief among these is making sure that the software they run is kept up to date. Patching is often harder than it sounds, but it is a task that deserves significant attention by network defenders. In systems that aren’t easily patched—such as some medical devices—network defenders should take care to make sure those systems aren’t easily accessible. In an era of wormable ransomware, it’s too dangerous to have any one computer be an entry point to the entire network and a single point of failure. If that lesson wasn’t clear before, perhaps this past week will be a much-needed wake-up call.
Ben Buchanan is a Postdoctoral Fellow at Harvard University’s Cybersecurity Project, where he conducts research on the intersection of cybersecurity and statecraft. His first book, The Cybersecurity Dilemma, was published by Hurst and Oxford University Press in 2017. Previously, he has written on attributing cyber attacks, deterrence in cyber operations, cryptography, election cybersecurity, and the spread of malicious code between nations and non-state actors. He received his PhD in War Studies from King’s College London, where he was a Marshall Scholar, and earned master’s and undergraduate degrees from Georgetown University. You can follow him @BuchananBen on Twitter.