WannaCrypt – What have we learned?

The WannaCrypt ransomware worm, aka WannaCry or Wcry, has reportedly infected hospitals, businesses, railway stations and universities in over 100 countries at the time of writing. It encrypts as many files as it can find on your computer and then demands an escalating ransom (depending on how quickly you respond) to decrypt them.

So what can be learnt from this incident?

Rather than concentrating on the purely technical aspects, it might be useful to examine the human elements in this story.

Wikileaks

The whistleblowing organisation began releasing their “Vault 7” files in February 2017, which included malware allegedly created by the CIA to exploit vulnerabilities that they had identified in operating systems. It is believed that one of these tools, EternalBlue, was used as the basis for the worm.

Windows XP 

Following the release of “Vault 7”, which provided the tools that Intelligence Agencies were exploiting to hack people of interest, Microsoft quickly provided a patch for Windows XP and other retired platforms. Considering that this was an out-of-support product, this went over and above what could be considered their obligations.

Not applying latest patches

There can be a painful distinction between being cutting-edge and bleeding-edge. If you’ve ever experienced the difference then you may find it understandable that some people will defer applying the latest patches for fear that they will stop something else working. “Better to sit back and see how everyone else gets on first…” is not an uncommon or unreasonable stance. It is, however, not without risk.

Encryption

There is an ongoing battle between the public, privacy groups, providers and governments over the public having access to powerful encryption methods, such as the type used by this worm. Most of the public want strong encryption so that their data cannot be compromised by unauthorised access.

The downside to this technology is that if someone else encrypts their data, they are locked out of their own files.

Media

The hero who uncovered the “kill switch” that prevented the further spread of the worm was unmasked by the media despite asking for privacy. This act might unfortunately make other privately minded tech wizards think twice in future before communicating widely on such matters…

So who IS to blame?

Let us recap:

  • Society expects to be protected from “bad people”.
  • The Intelligence Community allegedly created tools to exploit vulnerabilities in order to monitor “bad people”.
  • Whistleblowers think that we should know about these tools and release them. This forces providers to deliver fixes and thus makes the tools that track “bad people” redundant.
  • The public want strong encryption, just like the type used in this worm, to prevent unauthorised access to their data.
  • Reluctant / lazy / experienced / inexperienced / feckless humans fail to apply patches for a variety of reasons.
  • “Bad people” anticipate actions of reluctant / lazy / experienced / inexperienced / feckless humans and take advantage. They utilise the very tools that were created by the spooks to track them, and use them to hack others. They then employ the very encryption that the public wants, against them.

All of the above groups felt that they were doing the right thing.

(Well, apart from the “bad people”… )

So rather than point the finger at the IT Manager/CIO/CISSP, maybe it is time we all step back and see if we have played our own small part in this…

And for those of you that just have to know how it worked, you’ll find an excellent analysis here.

3 thoughts on “WannaCrypt – What have we learned?”

  1. This should be a wake up call to the NHS that investment in IT is just as important as investment in clinical services.

    People on Twitter were blaming the Government saying that the NHS had no money to upgrade from Windows XP. But I don’t believe that Barts Hospital NHS Trust, for example, don’t have the funds required.

    But it goes further than just upgrading the Operating System. Have these NHS Trusts invested so that their systems and staff are equipped to deal with modern threats? Antivirus software isn’t enough anymore. Organisations should be employing advanced threat detection solutions that sandbox programs and allow them to run in a secure environment, while analysing their behaviour.

    The final link in the chain is the end users. Basic computer knowledge in the NHS is often woeful, leading to users opening attachments which they really shouldn’t. Perhaps basic IT skills should be a part of every staff member’s job description.

  2. It is unbelievable that XP is still being used in the NHS. Microsoft gave plenty of notice that they were ceasing support years ago. It is not particularly expensive to upgrade to newer OS versions. If a legacy system can only run on XP then it should be retired.

    As should the staff and Execs that allowed this.

  3. So basically it is our fault or at least part of it. We’ve all got our own interests at heart resulting in this mess.

    I do wonder why the UK and rest of the world were more affected than the US.
