How a perfect storm allowed a global ransomware attack to happen
Replicating conditions that allowed for Friday's attack will be hard for criminals, experts say
The cyberextortion attack hitting dozens of countries spread quickly and widely thanks to an unusual confluence of factors: a known and highly dangerous security hole in Microsoft Windows, tardy users who didn't apply Microsoft's March software fix, and a software design that allowed the malware to spread quickly once inside university, business and government networks.
Not to mention the fact that those responsible were able to borrow weaponized software code apparently created by the U.S. National Security Agency to launch the attack in the first place.
- 'This is child's play,' expert warns after global cyberattack on schools, hospitals
- Dozens of countries affected by ransomware cyberattack
Other criminals may be tempted to mimic the success of Friday's "ransomware " attack, which locks up computers and hold people's files for ransom. Experts say it will be difficult for them to replicate the conditions that allowed the so-called WannaCry ransomware to proliferate across the globe.
But we're still likely to be living with less virulent variants of WannaCry for some time. And that's for a simple reason: Individuals and organizations alike are fundamentally terrible about keeping their computers up-to-date with security fixes.
The worm turns... and turns
One of the first "attacks" on the internet came in 1988, when a graduate student named Robert Morris Jr. released a self-replicating and self-propagating program known as a "worm" onto the then-nascent internet. That program spread much more quickly than expected, soon choking and crashing machines across the internet.
The Morris worm wasn't malicious, but other nastier variants followed — at first for annoyance, later for criminal purposes, such as stealing passwords. But these worm attacks became harder to pull off as computer owners and software makers shored up their defences.
So criminals turned to targeted attacks instead to stay below the radar. With ransomware, criminals typically trick individuals into opening an email attachment containing malicious software. Once installed, the malware just locks up that computer without spreading to other machines.
The hackers behind WannaCry took things a step further by creating a ransomware worm, allowing them to demand ransom payments not just from individual but from entire organizations — maybe even thousands of organizations.
The perfect storm
Once inside an organization, WannaCry uses a Windows vulnerability purportedly identified by the NSA and later leaked to the internet. Although Microsoft released fixes in March, the attackers counted on many organizations not getting around to applying those fixes. Sure enough, WannaCry found plenty of targets.
Since security professionals typically focus on building walls to block hackers from entering, security tends to be less rigorous inside the network. WannaCry exploited common techniques employees use to share files via a central server.
"Malware that penetrates the perimeter and then spreads inside the network tends to be quite successful," said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.
"When any technique is shown to be effective, there are almost always copycats," said Steve Grobman, chief technology officer of McAfee, a security company in Santa Clara, Calif. But that's complicated, because hackers need to find security flaws that are unknown, widespread and relatively easy to exploit.
In this case, he said, the NSA apparently handed the WannaCry makers a blueprint — pre-written code for exploiting the flaw, allowing the attackers to essentially cut and paste that code into their own malware.
Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, said ransomware attacks like WannaCry are "not going to be the norm." But they could still linger as low-grade infections that flare up from time to time.
For instance, the Conficker virus, which first appeared in 2008 and can disable system security features, also spreads through vulnerabilities in internal file sharing. As makers of anti-virus software release updates to block it, hackers deploy new variants to evade detection.
Conficker was more of a pest and didn't do major damage. WannaCry, on the other hand, threatens to permanently lock away user files if the computer owner doesn't pay a ransom, which starts at $300 US but goes up after two hours.
The damage might have been temporarily contained. An unidentified young cybersecurity researcher claimed to help halt WannaCry's spread by activating a so-called "kill switch." Other experts found his claim credible. But attackers can, and probably will, simply develop a variant to bypass this countermeasure.
The attack is likely to prompt more organizations to apply the security fixes that would prevent the malware from spreading automatically. "Talk about a wake-up call," Hypponen said.
Companies are often slow to apply these fixes, called patches, because of worries that any software change could break some other program, possibly shutting down critical operations.
"Whenever there is a new patch, there is a risk in applying the patch and a risk in not applying the patch," Grobman said. "Part of what an organization needs to understand and assess is what those two risks are."
Friday's attack might prompt companies to reassess the balance. And while other attackers might use the same flaw, such attacks will be steadily less successful as organizations patch it.
Microsoft took the unusual step late Friday of making free patches available for older Windows systems, such as Windows XP from 2001. Before, Microsoft had made such fixes available only to mostly larger organizations that pay extra for extended support, yet millions of individuals and smaller businesses still had such systems.
But there will be other vulnerabilities to come, and not all of them will have fixes for older systems. And those fixes will do nothing for newer systems if they aren't installed.