We learned a long time ago that giving names to fast-moving security threats is a great way to raise awareness and alarms. That virulent code exploiting holes in Microsoft SQL Server became “SQL Slammer.” The malicious code exploiting MS08-067? Just call it “Conficker” (or “Downadup” or “Kido”). This works even in the absence of specific threats. Slapping the name “Heartbleed” on an obscure hole in OpenSSL did wonders for its public image.
The problem is that names can just as often draw attention away from the real problem (or problems) and toward the thing that has the name. I worry that this is what is happening with the latest Internet contagion, which everyone has referred to as “WannaCry,” a friendly variation on “WanaCryptor,” the name of a piece of down-market ransomware that was strapped to the rocket ship known as EternalBlue. EternalBlue is a highly effective exploit of a vulnerability in Microsoft’s implementation of Server Message Block (SMB), a key networking component of Windows, that allows attackers to execute arbitrary code on a target computer.
What difference does it make what we call the attack? A lot of difference, actually.
WannaCry was a poorly implemented ransomware hack with a trivial kill switch that security researchers discovered early and used to stop the spread of the malware in its tracks. The WannaCrypt ransomware lacked even a polished payment module, making it almost impossible for the cyber criminals to know who was paying them and sending a message to victims that paying the ransom probably wouldn’t bring their data back. The result? With an estimated 200,000 infections globally, the criminals behind WannaCry were in line to receive around $60 million in ransom if every victim paid the estimated $300 ransom. As of Thursday, three Bitcoin wallets tied to the malware had registered just under $83,000 in payments. And even that money may be out of reach for those behind the attacks.
“This has to be one of the most poorly thought-out ransomware attacks we’ve seen,” Craig Williams, the Senior Technical Leader at Cisco’s Talos, told me.
But EternalBlue, the exploit that spread WannaCry, is another story, as is DoublePulsar, the backdoor that allowed cyber criminals to plant the ransomware on compromised machines undetected. Those hacking tools were prized property of U.S. intelligence, stolen and then leaked in April, as part of a dump of NSA hacking tools, by a group known as Shadow Brokers.
Both were highly versatile and astoundingly effective. EternalBlue worked across a wide range of Windows systems, going all the way back to Windows XP, and hacking groups around the world, not to mention state intelligence agencies, set upon the dump, extracting the underlying exploits from the hacking tools and then using them for their own purposes. Sean Dillon of the firm RiskSense said exploits of the kind seen in EternalBlue and DoublePulsar – in components like SMB – don’t come around very often, but are immensely powerful.
And, while Microsoft had patched the holes exploited by EternalBlue and DoublePulsar, those patches were only a few weeks old, meaning that most organizations hadn’t gotten around to applying them. That’s in contrast to prior threats, like Conficker, which appeared months after the hole it exploited had been patched. And, with the attacks this weekend, patches for unsupported operating systems like Windows XP and Windows 2003 were made available only after the attacks began.
In industries burdened with legacy hardware and software, such as healthcare, the effect of the attacks was particularly severe. Britain’s National Health Service was badly affected. Hospitals had been warned to apply critical patches, but hadn’t gotten around to it. Telecommunications, education, utilities and government were 4 of the top 5 industries most affected by WannaCry, according to data from the firm BitSight.
WannaCry did make us all wanna cry – out of frustration, if nothing else. Clever name aside, however, continuing to talk about the WannaCrypt malware is a mistake. We take our eye off the ball: the endemic problems, like the difficulty most companies have keeping their software up to date or blocking external access to sensitive services like SMB. Rather than wondering whether or not to pay, organizations should scrutinize their data backup and disaster recovery procedures and tools to make sure that they can get back up and running in the wake of an infection.
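The two endemic problems named above, stale patches and SMB reachable from outside, are things an administrator can check on a host in a few lines. The following read-only audit is an added example, not code from the article or from any of the vendors it mentions. It assumes Windows 8 / Server 2012 or later (where the SmbShare and NetSecurity PowerShell modules exist), an elevated session, and that you want a report rather than a change; the function name Get-SmbExposureReport is my own.

```powershell
# Added example (not part of the original article): a read-only check of how
# exposed a Windows host's SMB service is. Assumes Windows 8 / Server 2012+
# and an elevated PowerShell session. Nothing here changes configuration.

function Get-SmbExposureReport {
    $report = [ordered]@{}

    # 1. Is the SMBv1 protocol still enabled on the server side?
    #    EternalBlue targeted the SMBv1 code paths; SMBv1 should be off
    #    wherever no legacy client depends on it.
    $cfg = Get-SmbServerConfiguration
    $report['SMB1Enabled'] = [bool]$cfg.EnableSMB1Protocol

    # 2. Is anything listening on TCP/445 at all?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $report['Port445Listening'] = [bool]$listen

    # 3. Which enabled inbound firewall rules cover TCP/445, and do they
    #    allow or block? A host with allow rules and no block rules on a
    #    network-facing profile is reachable by anything that can route to it.
    $rules445 = Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
            ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains '445')
        }
    $report['InboundAllowRules445'] = @($rules445 | Where-Object Action -eq 'Allow').Count
    $report['InboundBlockRules445'] = @($rules445 | Where-Object Action -eq 'Block').Count

    # 4. Is the Windows Firewall actually on for the Public profile, the one
    #    that applies on untrusted networks?
    $public = Get-NetFirewallProfile -Name Public
    $report['PublicProfileFirewallOn'] = [bool]$public.Enabled

    # 5. When was the most recent update installed? A date weeks behind the
    #    latest Patch Tuesday is the "hadn't gotten around to it" problem.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['MostRecentHotfixDate'] = if ($latest) { $latest.InstalledOn } else { $null }

    [pscustomobject]$report
}

Get-SmbExposureReport | Format-List
```

Read the report as a whole rather than line by line: SMB1Enabled set to True, Port445Listening set to True, at least one allow rule and no block rule for 445, and the Public profile firewall off is the combination that made hosts reachable during the outbreak. The fix for each field is a configuration change (disable SMBv1, add a block rule for 445 on the Public profile, apply pending updates), which is deliberately left out of the audit so it can be run on production systems without side effects.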
There’s evidence that policy makers are asking hard questions about the government’s patching protocols and their ability to respond to threats like WannaCry and – more importantly – like EternalBlue and DoublePulsar. Let’s hope they get answers and that the trend of asking hard questions about hard problems extends outside of government, also!