WannaCry comes before gonna cry

Above: Ransomware illustration by nicescene/DepositPhotos.

Originally published in the Trinidad Guardian on May 18, 2017

The WannaCry ransomware outbreak began on May 12, 2017 and quickly went global. It is estimated to have infected 230,000 computers in 150 countries, with the worst-hit countries believed to be Russia, Ukraine, India and Taiwan.

The exploit struck several major institutional services as well.

Ransomware is usually delivered through phishing emails, which promise users something and use their click-through as the vector for installing malicious code.

WannaCry (officially WannaCrypt) has not been proven to have spread through phishing; it was built on an exploit (EternalBlue) and a backdoor (DoublePulsar) developed by the National Security Agency (NSA) in the United States.

The digital weapon was obtained in a hack on the NSA, and its code formed the basis of the WannaCry exploit, which targets vulnerabilities in Windows.

Microsoft issued a critical patch on March 14 that removed the vulnerabilities from current versions of the OS, but some users and organisations had not applied it.

Many of the affected organisations were running older versions of Windows that Microsoft no longer supports, though the company has since issued updates that harden these older systems against the exploit.
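For an administrator who wants to know where a Windows host stands on the two points above, the script below is an added example written for this column; it is not code from Microsoft or from any of the column's sources. It reports whether the SMBv1 protocol the exploit relies on is still enabled, whether a named security update is installed, and whether the SMB port is listening. The KB identifier is a placeholder, because the correct March 2017 update differs by Windows version, and the cmdlets assume a supported release of Windows (Windows 8.1 / Server 2012 R2 or later); they are not available on Windows XP.

```powershell
# Added example (not from the column): report a host's exposure to the SMB flaw
# WannaCry exploited. Run from an elevated PowerShell prompt on Windows 8.1 /
# Server 2012 R2 or later; older releases lack some of these cmdlets.
param(
    # Placeholder: replace with the March 2017 security update KB for this OS version.
    [string]$PatchKb = 'KB0000000'
)

function Get-Smb1Exposure {
    param([string]$Kb)

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Server-side SMBv1 switch exposed by the SMB server configuration.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $report['Smb1ServerEnabled'] = if ($cfg) { [bool]$cfg.EnableSMB1Protocol } else { 'unknown' }

    # Optional-feature state; 'Disabled' means the SMB1 components are removed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report['Smb1FeatureState'] = if ($feature) { $feature.State.ToString() } else { 'unknown' }

    # Registry override honoured by the LanmanServer service (0 = disabled; absent = no override).
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $report['Smb1RegistryValue'] = if ($null -ne $params.SMB1) { $params.SMB1 } else { 'not set' }

    # Whether the named update appears in the installed-hotfix list.
    $report['PatchInstalled'] = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # Whether the SMB port is listening at all; a host that does not listen on 445
    # cannot be reached by a worm using this exploit, whatever its patch state.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $report['Port445Listening'] = [bool]$listener

    # Plain-language verdict for the patch-management record.
    $exposed = ($report['Smb1ServerEnabled'] -eq $true) -and (-not $report['PatchInstalled'])
    $report['Verdict'] = if ($exposed) {
        'EXPOSED: SMBv1 enabled and named update not found'
    } else {
        'No SMBv1 exposure detected by these checks'
    }

    [pscustomobject]$report
}

Get-Smb1Exposure -Kb $PatchKb | Format-List
```

The verdict is deliberately conservative: it only flags a host when SMBv1 is confirmed enabled and the named update is confirmed absent, so an 'unknown' reading from a cmdlet that is missing on an older release is something to investigate by hand rather than a clean bill of health.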

The attack was slowed when a web security blogger registered a domain name he found in the ransomware's code; the malware checked for that domain before spreading, so registering it flipped a temporary kill switch on its propagation. Newer versions of WannaCry have since been found without the kill switch in the code.

Neil Walsh, UN Chief of the Global Programme on Cybercrime, noted the release of an early possible fix for the malicious code.

In a ransomware attack, the code encrypts the computer's files and issues an on-screen demand for payment to release them. The fee WannaCry demanded was US$300 in Bitcoin, a digital cryptocurrency, if paid within the first three days, or US$600 within seven days.

By May 17, 238 payments totalling just over US$79,000 had been transferred. Bitcoin addresses, or "wallets", can be viewed publicly, though their owners are anonymous.

Professor Patrick Hosein. Photo by Mark Lyndersay

Professor Patrick Hosein, who has managed the .TT domain for Trinidad and Tobago for more than 25 years, worries that there may not be enough formal tracking of cybersecurity exploits in T&T.

“As far as I know we do not presently collect such statistics for local sites. We do have a CSIRT (Computer Security Incident Response Team) and they may be collecting such data,” he said.

“Several years ago (long before the CSIRT was formed) I had suggested to the UWI that we should form a CERT (Computer Emergency Readiness Team) to assist the local community but I was not taken seriously.”

The US formed its first CERT in 1988 after a major worm attack.

Have WannaCry and other Ransomware attacks hit T&T?

“Yes, users and entities in T&T have been affected by WannaCry and previous instances of ransomware,” said cybersecurity expert Shiva Bissessar.

Bissessar worries that despite the threat and impact of the global exploit, the response in T&T is going to remain slow and measured.

“With the exception of certain sectors, I would say there is a generally immature response to such threats. This can be because of a lack of awareness of the potential impact of how serious an Information Security breach can be: direct financial loss and loss of confidence by key stakeholders such as partners, clients, and shareholders.”

Shiva Bissessar. Photo by Mark Lyndersay.

“Information Security risk is seen as an ‘IT problem’ and not a risk management issue which has the potential of affecting all aspects of business operations.”

“WannaCry is a significant reminder to organisations to develop formal patch management procedures, incident management plans and business continuity plans.”

“There needs to be a more mature response within local organisations to formulating an Information Security Governance strategy which will cover these and other areas.”

Hosein, who lectures at UWI, worries that “the skills needed to combat skilled attackers are far beyond those required for system administrators.”

“If they were to source skilled resources it would most likely have to come from abroad. At present the UWI does not provide advanced training on Cybersecurity (and not many students are interested in this area).”

Running the .TT domain, Hosein sees many of these attacks, which he believes are increasing because tools and code are more accessible.

“We have had to continuously make process and code changes to maintain a high level of security. More and more people worldwide (many of my attacks have been from China) are acquiring the tools to launch attacks but defenses have not been moving at the same pace.”

Microsoft has described the incident as a wake-up call to the online community.

“I believe organisations have already hit the snooze button on this wake-up call,” Bissessar said.

“In this particular instance there were failures at several levels; there was a vulnerability in a Microsoft service (SMB), for which a nation-state actor, the NSA, developed an exploit. The NSA was subsequently hacked and the exploit was leaked into the public domain by a group called Shadow Brokers.”

“A patch was issued by Microsoft earlier in March; however, due to poor InfoSec Governance, inadequate resourcing, the reliance on unsupported legacy OS such as Windows XP, or some combination of all three factors, entities may not have patched their systems, resulting in the ability for WannaCry to spread rapidly, wreaking havoc globally.”

“So who exactly needs to ‘wake up’ here? Should Microsoft make it easier for persons still using unsupported legacy OS such as Windows XP to receive updates, which seem to be readily available for users willing to pay for such extra support beyond the OS lifecycle?”

“Should we seek to form a Digital Geneva Convention to stop nation states from developing such exploits which can be repurposed once in the public domain? Should we blame Shadow Brokers? Should we blame encryption? Should we blame Bitcoin?”

“Some tend to think that they are not targets of such a threat and can fly under the radar of attackers… after all, God is a Trini, right? As the indiscriminate WannaCry attack showed, you don’t necessarily have to be targeted to become a victim.”

“Organisations need to take note of their own responsibility in establishing an Information Security Governance strategy and deal with all of these potential threats going forward from here.”