Lesson learned from WannaCry

The WannaCry ransomware attack attracted a lot of attention back in May, thanks to broad media coverage and prominent victims among health care organizations and freight and transportation vendors. Apart from its high impact, it looks like a fairly common ransomware attack: a piece of malicious code is executed on a target computer, valuable files are encrypted, and a message is displayed with instructions on how to get the files decrypted and accessible again by paying a ransom.

One thing that remains unclear is the attacker’s intent. A large target base means massive attention and a high probability of the scheme backfiring, assuming that collecting the highest possible ransom amount was indeed the goal. Because of this, many commentators contested the idea that making money was the primary purpose of the operation, or even a goal at all. The reported $130k in ransom paid in total is not an impressive amount for such a large-scale attack, which, together with the fact that only 3 fixed Bitcoin accounts were attributed to the attack, further supports the notion of a non-monetary goal.

Some speculated that the United States National Security Agency, or the US Government in general, was the target. While not directly attacked by the software, they might have been an indirect target, the purpose being to damage public trust in government agencies and their reputation. Two factors support this argument. The first is the NSA’s non-disclosure of the underlying vulnerability in the Windows SMB (Server Message Block) file access protocol, which was critical for the malware to work. The other is the fact that the NSA allegedly lost control of one of its attack tools, called EternalBlue. Based on these two factors, one could conclude that the NSA and other government agencies seek vulnerabilities in computer software and develop tools to exploit them in order to eventually spy on innocent people. While a long shot, it matches certain notions of government as a solely malicious and oppressive force, which often go viral.

All this may sound as if the computer’s fate was sealed once it was targeted. Except it’s not true. Microsoft Corporation, the vendor of the Windows operating system family, issued a critical patch back on March 14, nearly 2 months before the attack took place, giving more than enough time to update the operating system wherever the patching process was managed properly. It’s worth mentioning that the operating system patching process in larger organizations is a little more complicated and can’t be fully automated the way it is on personal computers, where you can just set updates to install automatically and forget about it.

Since patching, which essentially means replacing system files with newer versions, requires restarting processes, services or the entire system, it needs to be done in a coordinated way in order to avoid productivity loss. Additionally, each patch is a change to the infrastructure, which needs to be properly executed by running a pilot patching pass and verifying functionality after the patch. This process can only be automated to a certain degree and can be resource intensive. As the outcome of the attack shows, many large organizations failed to patch their computers in time.
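The verification step of a pilot patching pass is the part that tends to be skipped, so here is an added example (not from the original post, and not a Microsoft tool) of what an administrator might run against the pilot group before widening the rollout. It reports, per host, whether a given hotfix is installed, whether the host still has a reboot pending (so the patched files are not yet active), and whether the SMBv1 server protocol is still enabled. It assumes PowerShell remoting is enabled on the hosts, that the caller has local administrator rights there, and that the operator supplies the hotfix id from the vendor bulletin; the `KB<number>` placeholder is not a real id.

```powershell
# Added example: audit a pilot group of Windows hosts after a patch pass.
# Assumptions: WinRM/PowerShell remoting enabled, caller is local admin on the
# targets, and the hotfix id comes from the vendor bulletin (placeholder below).
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,   # pilot hosts, e.g. exported from a CMDB
    [Parameter(Mandatory)] [string]   $HotFixId        # e.g. 'KB<number>' from the bulletin
)

$check = {
    param($kb)

    # Is the hotfix recorded as installed on this host?
    $installed = $null -ne (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

    # Reboot-pending markers set by the servicing stack and by Windows Update:
    # an installed patch whose files are not yet active still leaves the host exposed.
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

    # SMBv1 server status; disabling it removes the protocol version the attack relied on.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        HotFixPresent = $installed
        RebootPending = $pending
        SMB1Enabled   = $smb1
    }
}

# Run the check on every pilot host in parallel; unreachable hosts are reported, not fatal.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
                          -ArgumentList $HotFixId -ErrorAction Continue

$results | Format-Table Computer, HotFixPresent, RebootPending, SMB1Enabled -AutoSize

# Hosts that still need action before the pass can be called complete:
# hotfix missing, or installed but not yet activated by a restart.
$results | Where-Object { -not $_.HotFixPresent -or $_.RebootPending } | ForEach-Object {
    Write-Warning ("{0}: hotfix={1} rebootPending={2} smb1={3}" -f
        $_.Computer, $_.HotFixPresent, $_.RebootPending, $_.SMB1Enabled)
}
```

Run it as `.\Audit-PilotPatch.ps1 -ComputerName (Get-Content pilot-hosts.txt) -HotFixId 'KB<number>'` (script name and host list are assumed). Hosts that are not in the pilot output at all, because remoting failed, deserve a manual look as well: a host you cannot audit is not a host you can call patched.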

The lesson learned from the attack is simple. When a software vendor you use issues a critical patch, they mean it. Security comes ahead of the comfort of not restarting the computer, unless specified otherwise. Otherwise your organization risks the safety of its operations and a dent in its public image, earning an ID badge that says ‘relaxed IT security applied here’.