Last Friday around lunchtime, employees at several NHS hospitals around the UK received an e-mail stating that a number of servers were down. Then, one by one, their workstations began displaying the now tell-tale red and white background. So began the tsunami-like wave of what is being called the “Wanna Decryptor” or “WannaCry” ransomware epidemic. After the initial wave, 16 NHS hospitals were reported to be diverting non-critical ER patients elsewhere, and they had to shut down non-essential activities for several hours until tech teams could pull unaffected backups and roll systems back to known-good points. The infection appeared on workstations, MRI scanners, blood-storage refrigerators, and operating-theatre equipment, all of them running some version of Microsoft Windows.
Once news organizations began reporting on the NHS snarl, a multitude of other organizations around the UK, Spain, Taiwan, Russia, India, and Ukraine began reporting cases of their own. Automakers Nissan and Renault had to temporarily shut down assembly lines, and a Spanish telephone company went dark for a few hours. All told, cases were reported in over 75 countries, and the impacts are still being assessed. There are some fascinating bits of intrigue floating around the story as well. The worm’s spreading mechanism is built on ETERNALBLUE, an exploit for a flaw in Microsoft’s SMBv1 file-sharing protocol that was part of the NSA toolset published by the Shadow Brokers group in April, and early analysis of the ransomware’s code has led some researchers to tie it to the Lazarus Group, which has been linked to cyber espionage activity out of North Korea.
How the first machine in each network was infected is still not settled; an infected link in an e-mail or on a website is the usual assumption, but it has not been confirmed for this outbreak. What is clear is that WannaCry does not need a “patient 0” to click anything once it is inside a network: it is a worm. It scans the local network and random internet addresses for machines listening on TCP port 445 (SMB), fires the ETERNALBLUE exploit at any unpatched SMBv1 service it finds, and installs itself on that machine with no user involvement at all. That is why organizations with port 445 exposed to the internet were infected directly, and why a single infected laptop could take down a whole site. On each device it reaches, the ransomware encrypts the majority of the user’s files (renaming them with a .WNCRY extension), deletes the originals, drops a read-me file with ransom instructions, and changes the desktop background to display those instructions. The encrypted files are unrecoverable without the key; the practical response is to wipe and rebuild the machine and restore the files from backup. The ransom note pointed to three hard-coded Bitcoin wallets, but the authors built no reliable way to match a payment to a specific victim, so users who did pay generally did not receive a decryption key.
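The fan-out pattern described above (one host opening SMB connections to many different hosts in a short time) is visible in ordinary firewall logs and is worth alerting on. The PowerShell below is an added example, not code from the original article: it parses lines in the Windows Firewall log format (pfirewall.log, W3C fields) and reports any source that reaches a threshold of distinct TCP/445 destinations within a sliding window. The sample log lines, the threshold of 10 hosts and the 60-second window are constructed assumptions for the demo.

```powershell
# Added example (not from the original article): flag hosts that behave like the
# WannaCry worm, i.e. one source opening outbound TCP/445 connections to many
# distinct destinations inside a short window. Input is Windows Firewall log text
# (pfirewall.log, W3C fields). Threshold, window and the log lines are assumptions.

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10,   # distinct 445 destinations from one source ...
        [int]$WindowSec = 60    # ... inside this many seconds raises an alert
    )
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }      # header, comment or blank line
        $f = $line -split '\s+'
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ... path
        # Keep only outbound (path = SEND) TCP connections to port 445.
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[7] -ne '445' -or $f[-1] -ne 'SEND') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        foreach ($e in $sorted) {
            # Sliding window ending at this event: how many different hosts did the source hit?
            $start   = $e.Time.AddSeconds(-$WindowSec)
            $targets = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $e.Time } |
                         ForEach-Object Dst | Sort-Object -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source       = $group.Name
                    WindowEnd    = $e.Time
                    DistinctDsts = $targets.Count
                    FirstTargets = ($targets | Select-Object -First 5) -join ', '
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

# Constructed sample log (not a real capture). Three ordinary clients each talk to
# one file server (10.20.1.5); 10.20.1.15 then fans out to twelve different hosts
# in a dozen seconds, which is what an SMB worm looks like from the firewall.
$Header = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 12:00:41 ALLOW TCP 10.20.1.31 10.20.1.5 50100 445 0 - 0 0 0 - - - SEND
2017-05-12 12:00:52 ALLOW TCP 10.20.1.32 10.20.1.5 50211 445 0 - 0 0 0 - - - SEND
2017-05-12 12:01:03 ALLOW TCP 10.20.1.33 10.20.1.5 50333 445 0 - 0 0 0 - - - SEND
2017-05-12 12:01:09 ALLOW TCP 10.20.1.15 10.20.1.5 49190 445 0 - 0 0 0 - - - SEND
'@
$Burst = 1..12 | ForEach-Object {
    '2017-05-12 12:01:{0:D2} ALLOW TCP 10.20.1.15 10.20.1.{1} {2} 445 0 - 0 0 0 - - - SEND' -f (10 + $_), (100 + $_), (49200 + $_)
}

# Expected: one alert for 10.20.1.15, none for the three normal clients.
Find-SmbFanOut -Lines (($Header -split '\r?\n') + $Burst) | Format-Table -AutoSize
```

To run this against a real host, feed it `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"`. By default the Windows Firewall logs only dropped packets, so allowed connections must be switched on first (`Set-NetFirewallProfile -LogAllowed True`), and the same logic applies to any perimeter or segmentation firewall that can export connection logs. Lower the threshold for segments where no host should ever be a file server.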
The sad part of all of this is that the epidemic was entirely preventable. Microsoft released the patch for the SMBv1 flaw, security bulletin MS17-010, on March 14, two months before the outbreak. It covered every Windows version still under support: Vista and later on the consumer side and Server 2008 and later on the server side. Windows XP and Server 2003 were not covered because they were no longer vendor-supported, but Microsoft released emergency patches for both within a day of the first reports. Patching is not the only control that would have worked, either: SMBv1 is an obsolete protocol that can be turned off on most systems, and port 445 has no business being reachable from the internet. Where a vendor-controlled device such as an MRI scanner cannot be patched, isolating it from the rest of the network is the fallback. Any organization that had applied the March patches when they were released would not have been vulnerable to begin with, and blocking SMB at the network edge would have kept the worm from walking in through the front door.
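For a tech team trying to find out where it stands, the questions are concrete: is SMBv1 still on, is port 445 listening, and is MS17-010 (or a later cumulative update) installed? The PowerShell below is an added example, not code from the original article or from Microsoft. It reports those three conditions for the local host and offers two remediations. The KB numbers are the March 2017 MS17-010 packages plus the May out-of-band release; on Windows 10 and any machine patched later, cumulative updates supersede them, so “no KB found” has to be read as “verify”, not as proof of exposure. The SMB and firewall cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original article or from Microsoft): triage one Windows
# host for the conditions the worm needed (SMBv1 enabled, port 445 listening, MS17-010
# missing) and, when appropriate, close them. KB list = March 2017 MS17-010 packages;
# later cumulative updates supersede them, so "not found" means "verify" (assumption).

$Ms17010Kbs = @(
    'KB4012212'   # Windows 7 / Server 2008 R2, security-only
    'KB4012215'   # Windows 7 / Server 2008 R2, monthly rollup
    'KB4012213'   # Windows 8.1 / Server 2012 R2, security-only
    'KB4012216'   # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012214'   # Server 2012, security-only
    'KB4012217'   # Server 2012, monthly rollup
    'KB4012598'   # Vista / Server 2008, and the May 2017 XP / Server 2003 / Windows 8 release
    'KB4012606'   # Windows 10 1507
    'KB4013198'   # Windows 10 1511
    'KB4013429'   # Windows 10 1607 / Server 2016
)

function Get-SmbExposure {
    # One object per host describing whether WannaCry's preconditions are still present.
    $os    = Get-CimInstance Win32_OperatingSystem
    $found = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
               ForEach-Object HotFixID)
    # Server-side SMBv1 switch; the cmdlet only exists on Windows 8 / Server 2012 and later.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = Get-SmbServerConfiguration
    }
    # Any listener on 445 means the host can be reached over SMB at all.
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = "$($os.Caption) $($os.Version)"
        Ms17010       = if ($found.Count) { $found -join ',' } else { 'not found: confirm a newer cumulative update is installed' }
        Smb1Enabled   = if ($smb1) { $smb1.EnableSMB1Protocol } else { 'unknown (pre-2012 OS)' }
        Port445Listen = $listening
        # Exposed = SMBv1 on, port open, and no March 2017 patch visible.
        LikelyExposed = [bool]($smb1 -and $smb1.EnableSMB1Protocol -and $listening -and -not $found.Count)
    }
}

function Disable-Smb1 {
    # Remediation for hosts with no legitimate SMBv1 clients (very old NAS boxes,
    # printers, some medical devices still need it). SMB2/3 stay enabled.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client SKUs expose SMB1 as an optional feature; on server SKUs use
    # Remove-WindowsFeature FS-SMB1 instead.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # For workstations and devices that never serve files: drop inbound 445 locally,
    # which stops peer-to-peer propagation even before the patch lands.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

Get-SmbExposure | Format-List
```

Run `Get-SmbExposure` across the estate through your usual remote-execution tool and sort on `LikelyExposed`; the hosts that come back `True` are the ones to patch or isolate today. `Disable-Smb1` and `Block-InboundSmb` are deliberately separate functions because both can break legitimate file sharing, so test them on a representative machine before pushing them out.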
The lesson in all of this appears to be that we need to take the patching of our systems much more seriously. For whatever reason, those hit either did not patch their systems regularly, which would have prevented the infection entirely, or were operating on platforms the vendor no longer supported and for which no patch existed before the outbreak. That delay caused real-world consequences for many of them when their organizations came to a standstill this week while they dealt with the worm.

In addition to regular patching, this outbreak also highlights the need for solid backup programs that are run regularly, kept offline (so the ransomware cannot encrypt the backups as well), and tested periodically (to verify they actually restore). Based on reports, it sounds as if most of the large organizations hit had good backups in place and were able to rebuild affected systems within a relatively short time frame. However, I’m sure there were plenty of organizations that didn’t have good backup programs in place, and they’re finding that out the hard way.

Last, but certainly not least, end users are once again front and center in this story. WannaCry itself moved from machine to machine with no clicks required, but most ransomware still arrives through an e-mail attachment or a link on a web page, and the first machine infected in a network is often the one where somebody opened something they shouldn’t have. Vigilance on the part of end users remains a key defence, alongside the patching and backups that keep one infection from becoming an outbreak.
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.