Why Was Wanacrypt0r 2.0 So Successful?
On 12 May 2017, unknown hackers launched a large-scale global ransomware attack. It affected more than 230,000 computers. The ransomware used for conducting the attack (WanaCrypt0r 2.0) was based on the EternalBlue exploit created by the U.S. National Security Agency (NSA). Although Microsoft had released a security patch addressing the vulnerability used by EternalBlue in March 2017, a large number of computers were still unpatched at the time of the attack. What distinguishes WanaCrypt0r 2.0 from other types of ransomware is its ability to spread itself as widely as possible. So, it is not just ransomware, but also a computer worm (i.e., a self-replicating malicious program).
In this article, we discuss at least four reasons for the success of the attack, namely, the public availability of governmentally-created cyber weapons (Section 2), the lack of security awareness amongst the employees of the affected organizations (Section 3), the slow reaction of the developers of anti-virus software (Section 4), and the lack of security updates for old operating systems (Section 5). At the end of the article, a conclusion is drawn (Section 6).
2. Public availability of governmentally-created cyber weapons
Taxpayers in most countries pay significant portions of their salaries to their governments. In return, governments provide them with various services, including services related to cyber-security matters. In this particular case, the National Security Agency (NSA) invested human and financial resources in developing an exploit which was then used to harm legitimate organizations located not only in the United States but also in 149 other countries. The attack clearly shows that governments should not develop “cyber-weapons” if they cannot ensure that those weapons are well secured. If this simple rule is not followed, governments will be transformed into the research and development departments of criminal organizations.
To avoid cyber disasters such as the attack discussed in this article, governments should also conduct a cost-benefit analysis weighing the advantages and disadvantages of developing “cyber-weapons” on the basis of security vulnerabilities against those of making their best efforts to inform their citizens about those vulnerabilities quickly. It may turn out that taxpayers benefit much more from knowing how to prevent mass cyber-attacks than from secret exploits developed to protect their countries.
3. Lack of security awareness amongst the employees of the affected organizations
WanaCrypt0r 2.0 spreads itself through phishing emails. So, it is not a revolutionary ransomware that suddenly conquered the world. It is a simple ransomware scheme that became so successful because the affected organizations lacked the security awareness necessary for avoiding infections. In this context, the security firm ReaQta noted: “[From] what we have seen so far, this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it is certainly not less dangerous.” Furthermore, some analysts argue that, considering the low amount of the requested ransom (USD 300), the people behind it are entry-level hackers; otherwise, they would have asked for more money.
We will probably never know how many of the victims of WanaCrypt0r 2.0 adopted well-written anti-phishing policies. However, we may speculate that the enforcement of such policies would have prevented most of the attacks. Below, we briefly summarize the five elements of anti-phishing policies.
First, an anti-phishing policy needs to explain how the employees of the organization adopting the policy can recognize phishing emails. For example, the policy can state that the employees need to:
- examine the links in a suspicious email without clicking on them;
- check whether the phishing emails contain spelling mistakes;
- analyze the salutation (phishing emails usually do not address the victims personally);
- learn how to recognize “spoofed” email addresses, i.e., email messages with forged sender addresses.
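The first three indicators above (misleading or spoofed sender addresses, links whose visible text differs from their real target, and impersonal salutations) can be checked mechanically before a message reaches an employee. The following is an added example, not code from the original article; the raw message, the sender and link domains, and the salutation list are all constructed for illustration.

```python
"""Flag the phishing indicators from the anti-phishing policy in a raw email."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: the quoted display name shows one address while the
# real sender and Reply-To live on other domains, and the link text hides its target.
SAMPLE = b"""From: "helpdesk@example.com" <alerts@mail-example.co>
Reply-To: reset@another-example.net
To: staff@example.com
Subject: Urgent: password expires today
Content-Type: text/html

<html><body><p>Dear user,</p>
<p>Please <a href="http://example.co/reset">https://portal.example.com/reset</a>
to keep your account active.</p></body></html>
"""

GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear member", "dear client")

def host(url):
    return (urlparse(url).hostname or "").lower()

def check_email(raw):
    """Return the list of indicator strings found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender:
        # 1. Spoofed/misleading sender: the display name contains an address on a
        #    different domain, or Reply-To diverts answers to another domain.
        shown = re.findall(r"[\w.+-]+@([\w.-]+)", sender.display_name)
        if shown and shown[0].lower() != sender.domain.lower():
            findings.append("display name domain differs from sender domain")
        if msg["Reply-To"]:
            reply_to = msg["Reply-To"].addresses[0]
            if reply_to.domain.lower() != sender.domain.lower():
                findings.append("Reply-To domain differs from sender domain")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # 2. Links: compare the URL the reader sees with the href they would actually open.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        text = text.strip()
        if text.startswith("http") and host(text) != host(href):
            findings.append(f"link text {host(text)} hides target {host(href)}")
    # 3. Impersonal salutation, checked on the text with HTML tags removed.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    if any(s in plain for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    return findings

if __name__ == "__main__":
    for finding in check_email(SAMPLE):
        print("indicator:", finding)
```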
Second, the policy needs to provide information on how and to whom to report phishing incidents. For instance, the policy may contain a form which should be completed by an affected organization and sent to a security expert. The form may require the insertion of information such as the time when the incident occurred, the type of the incident (e.g., opening malicious attachments or clicking on malicious links), and the consequences of the incident (e.g., loss of information or ransom demands).
Third, the policy needs to propose an incident-response plan for recovery from phishing attacks. The plan may, for example, consist of the following steps: (i) identifying the type of the attack; (ii) eradicating the components of the incident; (iii) restoring systems to normal operation; (iv) learning from the incident; and (v) adopting preventive measures aiming to prevent similar incidents in the future.
Fourth, the policy needs to impose restrictions on sending personal information to third parties. The reason is that phishing emails often ask their recipients to provide personal information to phishers. The provided personal information is usually used for conducting identity theft, credit card fraud, and other crimes. The policy may state that employees of the organization should never send the following types of information to third parties: (i) credit card information; (ii) bank account information; (iii) social security numbers; (iv) identity card copies; (v) financial information; and (vi) other sensitive information.
Fifth, the policy needs to oblige employees to undertake regular training aiming to increase their information security awareness about phishing. The training can be in the form of an online course or workshop. It may be followed by a test aiming to assess the anti-phishing skills of the trainees. Particular attention should be paid to preventing spear phishing (i.e., phishing targeting specific organizations). This is because spear phishing messages are difficult to detect.
4. The slow reaction of the developers of anti-virus software
WanaCrypt0r 2.0 is a fairly simple ransomware which has been affecting computers since March 2017. Many developers of anti-virus software included protections against WanaCrypt0r 2.0 in their products. However, plenty of them did not, thus making the global outbreak possible.
One of the reasons for the failure of many anti-virus programs to detect WanaCrypt0r 2.0 is that they only prevent programs on a predefined list of known malware from being downloaded and executed on a computer, and otherwise merely mitigate post-infection damage. This type of anti-virus software has to be updated on a regular basis to reflect new malware, and a variant not yet on the list passes unnoticed. Some more intelligent anti-virus programs address this problem by basing their protection not only on a pre-defined list of malicious programs but also on an analysis of malicious behavior. Thus, such anti-virus programs will detect a malware program even if it is not included in a pre-existing list of malware. To illustrate, Barkly’s runtime malware defense blocks WanaCrypt0r 2.0 before it encrypts files.
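The difference between the two approaches can be shown on a constructed stream of file-system events. The following is an added example, not code from the original article or from any anti-virus vendor: a hash lookup misses a sample whose bytes are not on the list, while a behavioral rule flags the process that renames many files to one new extension within a few seconds, the pattern a file-encrypting ransomware produces. The hash list, the sample bytes and the events are all constructed.

```python
"""Signature lookup versus behavior-based detection of a file-encrypting process."""
import hashlib
from collections import defaultdict

# Constructed signature list: only the hash of an already-known sample is present.
KNOWN_BAD = {hashlib.sha256(b"old-sample-bytes").hexdigest()}

# Constructed file-activity events: (seconds, pid, operation, path).
# pid 7 renames six documents to ".locked" within 2.5 seconds; pid 2 is a normal user.
EVENTS = [
    (0.5 * i, 7, "rename", f"/srv/share/doc{i}.xlsx -> /srv/share/doc{i}.xlsx.locked")
    for i in range(6)
] + [
    (0.1, 7, "write", "/srv/share/README_DECRYPT.txt"),
    (1.0, 2, "rename", "/home/b/draft.txt -> /home/b/final.txt"),
    (9.0, 2, "rename", "/home/b/export.tmp -> /home/b/export.csv"),
]

def signature_match(sample_bytes):
    """List-based check: true only if the exact bytes were seen before."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD

def behaviour_alerts(events, window=5.0, threshold=5):
    """Return {pid: extension} for processes renaming >= threshold files to the
    same new extension within `window` seconds, regardless of the binary's hash."""
    renames = defaultdict(list)
    for ts, pid, op, path in events:
        if op == "rename" and " -> " in path:
            new_path = path.split(" -> ")[1]
            renames[pid].append((ts, new_path.rsplit(".", 1)[-1]))
    alerts = {}
    for pid, items in renames.items():
        items.sort()
        for i, (t0, ext) in enumerate(items):
            burst = [e for t, e in items[i:] if t - t0 <= window and e == ext]
            if len(burst) >= threshold:
                alerts[pid] = ext
                break
    return alerts

if __name__ == "__main__":
    print("known sample on list:", signature_match(b"old-sample-bytes"))
    print("new variant on list:", signature_match(b"new-variant-bytes"))
    print("behavioral alerts:", behaviour_alerts(EVENTS))
```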
5. Lack of security updates for old operating systems
WanaCrypt0r 2.0 affects mainly older operating systems, such as Windows XP and Windows Server 2003. In response to the WanaCrypt0r 2.0 attack, Microsoft decided to release security patches for some of its unsupported operating systems. This is a highly unusual step, as Microsoft normally does not release security patches for “retired” operating systems. Normally, the company provides support to organizations using old operating systems only if they pay fees for “custom support.”
The WanaCrypt0r 2.0 attack indicates a pressing social need for governmental regulations obliging developers of old but widely used software products to provide the users of such products with continuous security updates. Without such regulations, companies quickly “retire” their software products in order to sell their new products. Many users get used to old versions of software and do not want to install new versions because of the time necessary to learn how to use them effectively. Obviously, governments need to find a balance between the interests of software producers and those of society as a whole. In this regard, it is worth mentioning that WanaCrypt0r 2.0 affected critical facilities, such as Britain’s National Health Service, Deutsche Bahn AG (a German railway company), FedEx Corporation (an international courier delivery services company), the Ministry of Internal Affairs of Russia, the Ministry of Foreign Affairs of Romania, NHS Scotland (the publicly funded healthcare system of Scotland), Russian Railways, and Saudi Telecom Company. A simple regulation obliging the producers of popular operating systems to keep providing security updates might have prevented the attack. As Paul Lipman, chief executive of the cybersecurity firm BullGuard, noted: “This was a completely preventable attack — to the extent that organizations have comprehensive patching systems in place.”
Considering the global scope of the attack, inter-governmental cooperation may be the key to addressing the challenges posed by the lack of security updates in widely used software products. We note the existence of at least twelve international entities that may have a role in addressing those challenges, namely, the Cooperative Cyber Defence Centre of Excellence, the Council of Europe, the European Union, the European Network and Information Security Agency, the G8 Subgroup on High-Tech Crime, IMPACT, INTERPOL, the International Telecommunication Union (ITU), NATO, the Organisation for Economic Co-operation and Development (OECD), the United Nations Office on Drugs and Crime (UNODC), the World Summit on the Information Society (WSIS), and the Organization of American States (OAS).
6. Conclusion
Europol noted that WanaCrypt0r 2.0 was unprecedented in scale. Governments, computer users, and software producers need to act collectively to prevent such high-impact attacks in the future. More specifically, governments need to stop providing criminals with sophisticated malware which can be used to target their own citizens, adopt laws and regulations obliging software producers to regularly provide users of old but widely used software with security updates, and raise the information security awareness of their citizens.
Computer users need to adopt and enforce comprehensive anti-phishing policies aiming to reduce the risk of social engineering attacks to the maximum possible extent.
Software developers need to continue providing security updates for popular versions of their software. Furthermore, developers of anti-virus software need to protect the users of their software not only on the basis of pre-existing lists of malware but also on the basis of identification of malicious behavior.
- Abolhassan, F., ‘Cyber Security. Simply. Make it Happen.: Leveraging Digitization Through IT Security’, Springer, 2017.
- Allsopp, W., ‘Advanced Penetration Testing: Hacking the World’s Most Secure Networks’, John Wiley & Sons, 2017.
- Antonucci, D., ‘The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities’, John Wiley & Sons, 2017.
- ‘Anti-Phishing Policy – 2015’, Baroda Rajasthan Kshetriya Gramin Bank. Available at http://brkgb.com/wp-content/uploads/2013/03/BRKGB-Anti-Phishing_-website_version-.pdf.
- Brotherston, L., ‘Defensive Security Handbook: Best Practices for Securing Infrastructure’, O’Reilly Media, Inc., 2017.
- Choucri, N., Madnick, S., Koepke, P., ‘Institutions for Cyber Security: International Responses and Data Sharing Initiatives’, Massachusetts Institute of Technology. Available at http://web.mit.edu/smadnick/www/wp/2016-10.pdf.
- ‘Computer Security Incident Handling Guide’, U.S. National Institute of Standards and Technology. Available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
- ‘Customer Guidance for WannaCrypt attacks’, Microsoft, 12 May 2017. Available at https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/.
- Fox-Brewster, T., ‘An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak’, Forbes, 12 May 2017. Available at https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#344a231fe599.
- Hern, A., ‘How to protect your computer against the ransomware attack’, The Guardian, 16 May 2017. Available at https://www.theguardian.com/technology/2017/may/15/windows-xp-patch-wannacry-ransomware-wecry-wanacrypt0r.
- Hood, S., ‘How do you recover from a spear phishing attack?’, The Telegraph, 25 June 2014. Available at http://www.telegraph.co.uk/men/the-filter/10892090/How-do-you-recover-from-a-spear-phishing-attack.html.
- Scott, M., Wingfield, N., ‘Hacking Attack Has Security Experts Scrambling to Contain Fallout’, The New York Times, 13 May 2017. Available at https://www.nytimes.com/2017/05/13/world/asia/cyberattacks-online-security-.html.
- ‘The Complete Guide to Runtime Malware Defense’, Barkly. Available at https://www.barkly.com/what-is-runtime-malware-defense?_ga=2.152076345.1401131454.1494930372-853889451.1494930244.
- ‘WannaCry ransomware attack’, Wikipedia. Available at https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.
- Wong, J.C., Solon, O., ‘Massive ransomware cyber-attack hits nearly 100 countries around the world’, The Guardian, 12 May 2017. Available at https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.