The past few days were quite busy in the world of IT security thanks to the WannaCry ransomware attack. It was an event that should have been much less problematic than it turned out to be.
While the media focuses mostly on who did it and why, the tech world has a different issue. It’s the realization that such attacks will only get stronger and more frequent with time. And also the realization that there’s a lot that should have already been done, but hasn’t.
Back to the present
The tech industry prides itself on being fast and focused on the future. Sadly, the reality seems to be a bit different. While the tech industry has indeed been working for the future, it’s doing so on aging infrastructure and with a host of issues that are decades old, but that no one seems to want to fix. There were quite a few issues over the years with OpenSSL and SS7, and several serious hacks on big names like Sony Pictures and Yahoo. It seems even the people who should be able to hack the hackers (the NSA) got hacked. At least that’s the official story on how the WannaCry malware got so effective.
It seems that hackers stole various vulnerabilities that the NSA had been stockpiling and then used them to modify WannaCry and launch a mass-scale cyber attack. In total over 200 000 machines were targeted in the first wave, including those of big names like Renault, Telefonica and even the British National Health Service. The ransomware locked the infected computers and demanded 0.3 Bitcoins as payment (about $300) to decrypt the files. Depending on where you read, the hackers made between $25 000 and $50 000 from victims.
Ironically, the attack was stopped by chance. A security researcher found that the malware was pinging an unregistered domain before each infection. So, he decided to register it in order to monitor the traffic. It turned out that this was a “kill switch” for the malware. WannaCry was checking that the domain remained unregistered. If it was still unregistered, then the researchers hadn’t found out about it yet. If the ping came back showing that the domain was registered, the malware stopped spreading.
And then the real kicker. WannaCry uses a vulnerability that Microsoft actually patched in March. So, if you use a version of Windows which is currently supported by MS and update it on a regular basis, then you should be fine. The company then even made an exception and released a patch for older versions of Windows dating back to XP and Server 2003 to make sure WannaCry is dealt with.
Why are we still thinking it won’t happen to us?
But the question stands. Why are big companies and institutions using old and/or unpatched software? Keeping software updated is the most basic cybersecurity measure that one can and should take. It’s 2017 and the digital age, so explanations like “it’s too costly” or “too complicated” simply don’t hold up. The fact of the matter is that WannaCry was a classic cyberattack that just happened to use a mass vulnerability. It wasn’t a highly specific campaign like Stuxnet, for example.
And WannaCry started simple – like a classic phishing scam. It lured a few users to download and open the infected attachment and then used the Windows vulnerability to spread via filesharing between systems and organizations. So, if the IT world still falls victim to pretty much basic cyberattacks, what’s to stop the hackers from launching much more serious and targeted campaigns with severe consequences?
But there is something good that comes out of the whole WannaCry debacle. It should be the wake-up call for organizations and institutions that cybersecurity is not simply a good thing to do. It’s a vital component of any digital strategy. It’s also important for your business’s reputation. It doesn’t matter if you run a small online store or a huge multinational corporation. If you get hacked and your customers’ data is breached, that’s going to hurt your business a lot.
The WannaCry attack also highlights the need for additional cybersecurity education. You may have the best security team and tech, but if your employees still don’t know the basics of phishing for example, your tech won’t do much. And you can’t really prioritize one over the other. Cybersecurity is a team effort for all involved – from the vendors, to the organizations, their management and employees. There’s a lot of work to do and it has to be done as soon as possible in order to minimize the risks and be better set up for the digital age we are now living in.