The global malware infection WannaCry spread across computers in over 48 NHS organisations in May 2017, raising questions about how protected NHS data are. Matt Willis explains how these attacks happen and writes that, although healthcare organizations are a prime target, it is unlikely that the NHS was deliberately attacked.
On Friday, May 12 2017, a global malware infection of over 230,000 computers across 150 countries occurred. The ransomware that created problems for over 48 NHS organisations across England is called WannaCry. While the name also describes the feelings of a user whose computer becomes infected by the worm, it is actually a contraction of Wanna Decryptor; it is also known as WCry or WannaCrypt. The devious nature of ransomware lies in its encryption of the victim's files, which makes it difficult, or in some cases impossible, to regain access to the data on the infected machine without the attacker's key. The "ransom" part of the term comes from the payment demanded by the author of the software, usually in bitcoin, in exchange for a key that will decrypt the files. Bitcoin is often described as untraceable; it is better described as pseudonymous, since every payment is recorded on a public ledger that anyone can watch, even if the people behind an address are not known.
WannaCry exploits a known vulnerability in the first version of the Server Message Block (SMBv1) protocol of the Microsoft Windows operating system. SMB is a protocol primarily used in Windows networking that allows the sharing of printers and files across the network; it listens on TCP port 445. Over 98% of infected computers run the most widely adopted version of Microsoft Windows: Windows 7. Microsoft released a patch for this vulnerability on 14 March 2017 with the MS17-010 Critical Security Bulletin, almost two months before the outbreak. Since the worm spread itself by connecting to exposed, unpatched SMB services, though initial infection through a phishing email is theoretically possible, much of the damage could have been prevented by applying security patches as they are released and by not exposing SMB to the internet at all.
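The practical check that follows from this paragraph is to find which hosts still accept an SMBv1 connection on TCP port 445. The script below is an added example written for this page, not code from the original article or from any tool it mentions. It builds a minimal SMB_COM_NEGOTIATE request in the SMB1 wire format (NetBIOS session header followed by the 32-byte SMB1 header and a list of dialect strings) and classifies the server's reply. The dialect list, the `probe_host` helper and the reply classification are this example's own assumptions. A host that answers with an SMB1 dialect is not necessarily unpatched, because MS17-010 fixes the bug without disabling SMBv1, so treat a positive result as an exposure to follow up, not as proof of vulnerability.

```python
"""Probe whether a host still negotiates SMBv1 on TCP/445.

Added example, not from the original article. It speaks just enough SMB1
(NetBIOS session header + SMB_COM_NEGOTIATE) to learn which dialect, if any,
a server picks. It does not exploit anything.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF

# Dialects offered to the server; the server replies with an index into this list.
DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]


def build_negotiate(dialects=DIALECTS):
    """Return a NetBIOS-framed SMB1 NEGOTIATE request offering `dialects`."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,   # Command
        0,                   # NT status (unused in a request)
        0x18,                # Flags: case-insensitive, canonicalised paths
        0xC853,              # Flags2: Unicode, NT status codes, extended security
        0,                   # PIDHigh
        b"\x00" * 8,         # SecurityFeatures (no signing yet)
        0, 0, 0xFEFF, 0, 0,  # Reserved, TID, PID, UID, MID
    )
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data  # WordCount = 0, ByteCount
    smb = header + body
    # NetBIOS session service: message type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(packet, dialects=DIALECTS):
    """Classify a reply: ("smb1", dialect), ("smb2", None) or ("none", None)."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    smb = packet[4:4 + int.from_bytes(packet[1:4], "big")]
    if smb.startswith(SMB2_MAGIC):
        return ("smb2", None)          # server answered in SMB2+, SMB1 refused
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        raise ValueError("not an SMB1 negotiate response")
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected SMB command in reply")
    word_count = smb[32]
    if word_count == 0:
        return ("none", None)          # error response, no parameters
    index = struct.unpack_from("<H", smb, 33)[0]   # DialectIndex
    if index == NO_DIALECT or index >= len(dialects):
        return ("none", None)
    return ("smb1", dialects[index])


def probe_host(host, port=445, timeout=3.0):
    """Connect, send the NEGOTIATE and classify the reply (or lack of one)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return ("none", None)
    if not reply:                      # server closed the session: SMB1 disabled
        return ("none", None)
    return parse_negotiate_response(reply)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, *probe_host(target))
```

Run it as `python smb1_probe.py 10.0.0.5 10.0.0.6` (file name assumed) against hosts you are authorised to test. A reply of `smb1 NT LM 0.12` means the server still speaks the protocol WannaCry attacked; `smb2` or `none` means SMBv1 is off, which is the recommended end state once MS17-010 is applied.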
Ransomware has been a reality on the internet for over a decade. Prior to WannaCry, another well-known ransomware attack was the CryptoLocker event in 2013. Healthcare organisations are a prime target because they rely on critical data and are more likely to pay a ransom when patient lives are at stake. Last year, hospitals in California were hit with similar ransomware, and Methodist Hospital in Kentucky was infected with "Locky" through a Microsoft Word email attachment that contained malicious code. Ransomware continues to grow more sophisticated.
WannaCry became a global event because of its ability to propagate through unpatched computers without any user interaction, spreading both laterally across an internal network, for example a hospital network, and across the internet by scanning for other vulnerable, unpatched computers. It is unlikely that the NHS was a direct target of this strain of ransomware. Evidence suggests that the first infection, the patient zero of WannaCry, started in Asia around 7.44am UTC. From that point it was about six hours until the worm found its way to an unpatched NHS computer reachable from the internet, and that happened again and again, resulting in the infection of 48 organisations.
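A worm that spreads the way this paragraph describes leaves a distinctive footprint: one machine opening connections to many different peers on port 445 in a short time. The script below is an added example written for this page, not code from the original article, showing the detection logic a security team could run over firewall or flow logs to catch that fan-out early. The log format (`<epoch> <src_ip> <dst_ip> <dst_port> <action>`), the sample lines, the window and the threshold are all constructed assumptions; adapt the parser to whatever your own logging produces. The same rule applies equally to internal traffic (lateral spread) and to egress traffic (the worm's internet scanning).

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 within a window.

Added example, not from the original article. The log lines below are
constructed in an assumed generic flow-log format:
    <epoch> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict, deque

SMB_PORT = 445
BASE = 1494574800  # constructed epoch timestamp, not taken from any real log


def parse_line(line):
    """Split one flow-log line into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port, _action = line.split()
    return int(ts), src, dst, int(port)


def find_scanners(lines, window=60, threshold=20):
    """Return {src: peak_distinct_targets} for sources that contacted at least
    `threshold` distinct hosts on port 445 within any `window` seconds."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    alerts = {}
    for ts, src, dst, port in events:
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


# Constructed sample: 10.0.5.7 sweeps 30 hosts on 445 in 30 seconds (worm-like);
# 10.0.5.8 talks to three file servers and browses the web (normal).
SAMPLE_LOG = [
    f"{BASE + i} 10.0.5.7 10.0.0.{i + 1} 445 allow" for i in range(30)
] + [
    f"{BASE + 5} 10.0.5.8 10.0.1.10 445 allow",
    f"{BASE + 9} 10.0.5.8 10.0.1.11 445 allow",
    f"{BASE + 12} 10.0.5.8 10.0.1.12 445 allow",
] + [
    f"{BASE + 20 + i} 10.0.5.8 93.184.216.{i} 443 allow" for i in range(25)
]


if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peak} distinct SMB targets within 60s")
```

Tune `threshold` to the environment: a backup server or vulnerability scanner legitimately touches many hosts on 445 and belongs on an allow-list, whereas an ordinary workstation rarely needs more than a handful of SMB peers in a minute.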
WannaCry may be visualised as an assemblage of technologies, each component relied upon to make infection, deployment, encryption, and replication possible. The key technology that made this process novel is a so-called cyber weapon purportedly developed by the United States National Security Agency (NSA) called EternalBlue. EternalBlue was leaked on April 14 and provided a working exploit for the SMBv1 vulnerability. Without EternalBlue, the worm would be relegated to traditional methods of propagation, such as targeted phishing emails that use social engineering techniques to get people to click on links and open seemingly mundane documents that surreptitiously execute malicious code.
The existence of EternalBlue raises an important ethical issue. Should intelligence agencies and other organisations hoard these exploits? There is money to be made in hunting for exploits and covertly selling them to the highest bidder rather than reporting them, so that at a later point, as with WannaCry, a foreign adversary or a malicious actor seeking economic gain or political subterfuge can put the exploit to use. The use of cyber weapons and the market created for software exploits and vulnerabilities has received attention from public technology companies. Recently, Microsoft President Brad Smith called on governments and agencies to cease stockpiling exploits and vulnerabilities for offensive use, and instead to work with technology companies and developers to fix vulnerabilities defensively.
Smith compares destructive software that governments develop and then lose control of to the theft of a Tomahawk missile from the military. Given that ever more objects are connected to the internet, contain a microprocessor, and are run by software, the analogy is not far-fetched. There are, of course, physical control challenges to keeping that Tomahawk missile secure, and the government has recourse in the event of a stolen missile: it can marshal resources to defend suspected targets and take action to regain control of the weapon. This is not as straightforward in the event of a stolen cyber weapon. How can civilian networks and both private and public companies be defended? How does one defend against a digital weapon that partially exists because it relies on the obscurity of a particular system bug, vulnerability, or characteristic, and that can be copied and reused by anyone who obtains it?
Ransomware attacks have real financial impact, for both the victims and the developers of these worms. In the US alone, a ransomware attack can pack an economic punch of over $23 million in losses. Contrast this with the approximately $3 million the authors of the CryptoLocker ransomware made from its initial release.
Security experts recommend that a victim of ransomware never pay the ransom, as there is absolutely no guarantee that the developers of the ransomware intend to decrypt the files and restore access to the data. Even if the files are decrypted, new vulnerabilities, backdoors, and exploits may remain on the system, which is why a compromised machine should be rebuilt rather than simply unlocked. Yet, in desperate attempts and with a little blind faith, people cast a bitcoin into the void hoping to get their digital lives back. To this point, a Twitter bot watches the three bitcoin addresses (loosely called wallets) hard-coded into WannaCry to receive ransom payments; because the bitcoin ledger is public, anyone can do the same. At the time of this writing a total of $120,768.66 has been collected across the three wallets. Once a wallet is cashed out, the risk of detection grows, as a bitcoin exchange must convert the virtual currency into a fiat currency. Zero withdrawals have been made so far.
Matt Willis is Researcher in the Oxford Internet Institute at the University of Oxford.