Ransomware may be mostly thought of as a (sometimes costly) nuisance, but when it hinders the ability of doctors and nurses to provide aid to those in need of emergency medical care, then it qualifies as armed robbery.
On Friday, a quickly spreading, nasty piece of malware crossed mountains and oceans to infect more than 70,000 machines around the world in a matter of hours. Among those infected were more than a dozen hospitals in England, a telecom in Spain, FedEx’s offices in the United Kingdom, and apparently, the Russian Interior Ministry. Within half a day, there were instances detected on six continents.
What’s sad is that this was all largely preventable, had more Windows users simply installed the security patch Microsoft released for it two months ago. (Unless you’re one of the 8.45 percent of users still running Windows XP, which hasn’t been supported for three years.)
Here’s what happened: Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren’t updated after March 14 with the MS17-010 patch were affected; this patch resolved an exploit known as EternalBlue, once a closely guarded secret of the National Security Agent, which was leaked last month by ShadowBrokers, a hacker group that first revealed itself last summer.
The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update.
Through the ExternalBlue exploit, the malware installed an NSA backdoor payload called DoublePulsar, and through it went WannaCry, spreading rapidly and automatically to other computers on the same network—potentially hundreds at a time.
“Whereas ransomware such as Locky normally requires user interaction, such as opening a word document, WannaCry has the capability to spread automatically,” AlienVault threat engineer Chris Doman told Gizmodo. “Thankfully a weakness in the method of propagation has allowed researchers to take control of a piece of attacker infrastructure and limit new infections—it could have been a lot worse.”
Unfortunately, it looks like attacks might make some serious bread for their efforts. Researchers combing through samples of the ransomware have already discovered several bitcoin wallets in which thousands of dollars have been deposited. It’s fine to say we shouldn’t negotiate with hackers demanding ransom—though the people who say that almost always do—but when the target is an emergency room, and lives are at stake, there’s really no choice.
If you think you might be vulnerable to WannaCry, or you don’t remember installing any updates over the past month, your first step is to address that issue immediately. As Sean Dillon, the RiskSense security analyst who reverse engineered DoublePulsar, told ThreatPost: “This is the most critical Windows patch since [Conficker],” which is one the largest similar infections to date.
Despite having been patch nearly a decade ago, the Conficker worm is still in circulation. “I find it everywhere,” says Dillon, adding that WannaCry, too, “is going to be on networks for years.”
The importance of downloading and installing security updates (as opposed to just clicking “remind me tomorrow” for several weeks in a row) cannot be overstated. Just ask the patients of the 16 hospitals in England whose delay in care could have been easily avoided.