As you can imagine, for an IT company the cyber attack that successfully encrypted information in 150 countries over the weekend was a hot topic in our Monday morning meeting. The impact was still unfolding as we discussed the mechanics of the attack, the implications of those mechanics, and how our clients would be affected. There was a lot of technical jargon thrown around and speculation about the facts, but the underlying feeling was that this attack has changed the game for cyber security. But first, let’s make sure we get the facts straight.
If your computer was connected to the internet on Friday, May 12 and running a Windows system that wasn’t updated with the latest patches, you stood a chance of getting hit. Countries with high usage of pirated software and outdated versions of Windows were most severely affected for that very reason. In this article, BBC World News covers the totals from countries with the most affected computers, highlighting Russia as the primary target and China as the most affected, with over 30,000 institutions and organizations infected. And as I’m sure you’ve heard, the most life-threatening part of the attack was the locking down of UK hospitals. In total, more than 200,000 computers were affected in over 150 countries. The spread of this ransomware around the world in a matter of days is unprecedented, but there were some very puzzling things about how it was set up and how it started.
While the ransomware was very effective in the time that it was active, its own design quickly led to its failure. A piece of code that was intended to keep it from being detected was the very thing that a 22-year-old British security researcher used to unwittingly stop it in its tracks. You can read his far more technical explanation here. Overall, the design of the ransomware itself was surprisingly amateurish.
The attackers did not set up hotlines to persuade victims to pay the ransom. And as far as researchers can tell, there were only three bitcoin wallets set up, and no one has emptied the minimal sum of $50,000 paid into the wallets as of May 16, according to Business Insider. The attackers were not prepared to handle bitcoin payments from such a wide distribution.
Researchers understand that once one computer in a network was infected, the ransomware used a vulnerability in outdated Microsoft Windows that allowed the ransomware “worm” to spread from one device to another very rapidly. What they are having a hard time finding, however, is the source in each system. A few emails carrying the ransomware have been found, but it is clear that it did not take many to spread the worm worldwide with very little assistance from users. Not being able to tell how it started makes it much harder to stop similar future attacks.
Stopping another attack of this magnitude could be very difficult in the future because this kind of attack does not appear to rely on users doing much of anything to spread like wildfire. Microsoft has called this a wake-up call for Windows users around the world and we agree 100%! While this particular version of ransomware was poorly designed, it is only a matter of time before a smarter, more sophisticated cyber criminal uses the same technique with better success. We cannot continue to ignore the need to proactively protect our network environments.
So while it becomes harder and harder to trace and stop the attacks themselves, there are plenty of tools and services out there that you can take advantage of to protect your computers and networks. We call this a layered security approach, and it is how we protect our clients from attacks on a daily basis. For example, one layer is keeping up to date on the latest version of Windows. Our team makes sure your computers are updating on a regular basis. Another layer is SonicWall’s active next-generation firewall security services, which basically means a very smart firewall that adapts to the latest threats. You can read here about how SonicWall had been preparing for an attack like this since April 2017 and responded quickly on May 12, 2017 with additional support.