Computers

Ransomware, Windows XP and the NSA leak that started it all

Ransomware, Windows XP and the...
With the latest ransomware cyberattack disabling computers all over the globe we ask, how did this happen and what can be done to stop it in the future?
With the latest ransomware cyberattack disabling computers all over the globe we ask, how did this happen and what can be done to stop it in the future?
View 5 Images
Within a day of being released this graph was produced by SecureList/Kaspersky showing the global spread of the ransomware
1/5
Within a day of being released this graph was produced by SecureList/Kaspersky showing the global spread of the ransomware
The screen that comes up after your system has been infected with the WannaCry malware
2/5
The screen that comes up after your system has been infected with the WannaCry malware
Edward Snowden tweeting the government's role in this incident
3/5
Edward Snowden tweeting the government's role in this incident
Twitter post showing the WannaCry ransomware infecting Germany's major train operator
4/5
Twitter post showing the WannaCry ransomware infecting Germany's major train operator
With the latest ransomware cyberattack disabling computers all over the globe we ask, how did this happen and what can be done to stop it in the future?
5/5
With the latest ransomware cyberattack disabling computers all over the globe we ask, how did this happen and what can be done to stop it in the future?

While we scramble to manage the global spread of antibiotic resistant superbugs, another form of superbug has struck the world's hospitals. This digital superbug has frozen access to patient data systems, caused ambulances to be diverted and rendered MRI, CT and ultrasound devices temporarily inoperable. In the wake of this recent global cyberattack we are left asking, how did this happen and can we stop it happening again?

On Friday May 12 the world was struck by an unprecedented ransomware cyberattack infecting, at the time of writing, over 230,000 computer systems across 150 countries (and rising). Dubbed "WannaCry," the ransomware gains control of a victim's system and then encrypts most of its key data. A ransom note then appears on the victim's screen indicating they have three days to pay US$300 in bitcoin. The ransom is doubled after three more days and the encrypted files are then reportedly deleted after seven days if the payment is not made.

The screen that comes up after your system has been infected with the WannaCry malware
The screen that comes up after your system has been infected with the WannaCry malware

Within hours of the ransomware being launched, a cybersecurity specialist who blogs under the name "MalwareTechBlog" discovered the code made a query to an unregistered domain name. The specialist quickly registered the domain, initially as part of a process used to track these types of malware. Soon after registering the domain it was discovered that this had unknowingly killed the ransomware, as the domain was coded into the malware as a kill-switch, stopping its spread once it went live.

As expected, in the intervening days, several new variants of the ransomware appeared. Most featured similar kill-switch domains that were quickly blocked, but reports do indicate that new variants with no kill-switch have started appearing. This dramatic attack on the world's computers is by no means over, with organizations bracing for another wave of infections, but how did this even happen in the first place?

Within a day of being released this graph was produced by SecureList/Kaspersky showing the global spread of the ransomware
Within a day of being released this graph was produced by SecureList/Kaspersky showing the global spread of the ransomware

Earlier in the year a group of hackers, calling themselves The Shadow Brokers, leaked a large cache of software exploits it had stolen from the National Security Agency (NSA). One of the exploits, called EternalBlue, honed in on a Microsoft Windows vulnerability.

Microsoft flagged the vulnerability and released a patch to fix it a month before the hackers publicly released the exploit data, but a major problem remained. While the security patch covered Windows Vista, 7 and 8.1, Microsoft had ceased support cycles for earlier versions of their popular operating system, including the still widely used Windows XP.

It was here that the WannaCry exploit made its largest impact. Scores of major companies around the world still operate on older Windows systems. NHS hospitals in Britain were hit by the malware; French carmaker Renault was forced to stop production at several sites; ATMs in China went offline; and 18 police units in India had their records frozen.

Twitter post showing the WannaCry ransomware infecting Germany's major train operator
Twitter post showing the WannaCry ransomware infecting Germany's major train operator

Microsoft quickly moved on the front foot and issued security patches for older, unsupported systems but the chaos caused many to ask why vital government systems such as the NHS in Britain were still running on an outdated operating system.

An investigation from Motherboard in September 2016 presciently saw this calamity on the horizon and revealed the extent of the problems faced by the NHS in Britain running outdated, unsupported Windows XP systems. Thousands of computers were found to be running on the vulnerable operating system and one hacker group even commented to Motherboard: "We like to imagine even updated Windows XP platforms [are] like an unlocked Honda Civic from the 1980s."

Many large entities still using these old systems obviously can capitalize from cost-cutting measures in not paying Microsoft for updated system support. In 2015 The Guardian noted that the UK government ended its deal with Microsoft to extend continuing support and updates for its Windows XP systems. The agreement was costing £5.5 million pounds per year.

The controversy is already topping British headlines with some pointing out that the underfunding of the Department of Health is what led to it being forced to run such an outdated and vulnerable operating system.

As we move into a rapidly aging digital world this ransomware attack raises a compelling catch-22. No one can reasonably expect a company like Microsoft to continually update old systems but large corporate and government entities obviously don't have the financial or operational resources to maintain updated systems either. Bureaucracy moves especially slowly – is anyone really surprised that many of Britain's hospitals run on a 15 year-old, unsupported operating system?

In a statement from Microsoft's president and chief legal officer, Brad Smith, the finger was explicitly pointed towards governments, particularly the NSA, in holding great responsibility for these exploits in its software being allowed to remain unpatched. Smith writes that it's the government's stockpiling of these exploits, and subsequent leaking, that is causing widespread damage.

In the startlingly frank statement, Smith for the first-time clarified that this exploit was in fact discovered and contained by the NSA, and it was its lack of disclosure of the vulnerability that indirectly caused this catastrophe.

"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Smith writes.

Edward Snowden also reiterated Smith's objections tweeting, "If [the NSA] had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened."

Edward Snowden tweeting the government's role in this incident
Edward Snowden tweeting the government's role in this incident

Many are suggesting a global call to classify these types of cyber-exploits in the same way we consider chemical or nuclear weapons. In fact, in February, Microsoft put out the call to establish what they termed a "Digital Geneva Convention." This would require governments to report these vulnerabilities, instead of sell, stockpile or exploit them.

But where do we go from here?

The WannaCry ransomware catastrophe is not nearly over, and it looks to be the first blast in a new phase of cyberwar that highlights how easy it is to disable such a broad spread of the world's systems. When a small malware ransom is cheaper for an organization than comprehensively updating to new systems and support, you know the world is faced with a major dilemma.

Governments hoarding exploits, hackers stealing them, and the outdated operational systems that keep our cities running are constantly vulnerable.

This latest ransomware catastrophe has affirmed that we have a major problem, but where the solution lies, and whose responsibly it is to fix it, is going to be argued over for some time to come.

20 comments
Willibald
Hospitals, use linux. It's free and secure.
usugo
every affected organization should sue the NSA/USA government
MarcJackson
The only major platform that had security issues is Microsoft, eliminate that from your network and the problem disappears. The London stock exchange was tricked into developing a new trading platform based on windows and the day it went live was the only day it never traded. I've worked on the largest commercial Unix systems and we never have these issues, London stock exchange is now using a Linux system as they should have all along.
Brian M
Of course no-one is mentioning the other important factors (as in most crimes for gain), how the criminal receive their ransom money without being detected. All governments have to do is ban the use of untraceable crypto currencies - would dramatically reduce the profitability of these attacks. It might be argued that you can't control crypto currencies, but you can very easily with this type of transaction by blocking the means of buying the currency i.e. at the point of exchange via credit card etc.
VincentBrennan
LINUX will be a very temporary fix. As soon as enough systems are using it the hackers will figure out a way to attack it. Same with Apple. Apple users used to brag it was not hackable. Then it got big enough or the hackers saw a challenge and some were hacked. LINUX will be next in line, especially if big organizations keep using it. XP was my favorite system. I used it right to the end and will never forgive MS for deserting it. They could have supported it for a fee. Nobody expected free support but they made more money on newer, often bad, systems. If one group can write an operating system another group can attack it....that is how war is. The U.S. and U.S.S.R. developed huge nuclear weapons systems. Neither country has ever learned how to fight a smaller insurgency. Cyberwar is a classic insurgency.
Douglas Jack
The other end of the problem is encrypted digital currencies like Bitcoin used to secretly transfer the 300$ of 'money' (Greek 'mnemosis' = 'memory'. During humanity's peaceful, productive & abundant 100s of 1000s of years of 'indigenous' (Latin 'self-generating') period, String-shell (Wampum, Quipu, Cowrie-shell) time-based accounting value systems were based in the 100 person Multihome-Dwelling-Complex (Longhouse/apartment, Pueblo/townhouse & Kanata/village) Domestic 'economy' (Gk 'oikos' = 'home' + 'namein' = 'care-&-nurture') & in Production-Society/Guild domestic, industry & commercial economies. 70% of humanity today live in multihomes. 100 person multihomes provided privacy & proximity for intergenerational, female-male collaboration. Multihomes represent intimate yet powerful critical-mass, economies-of-scale economies doing many millions of dollars worth of domestic caring, healing, feeding, plumbing etc 'business' ('busy-ness') per year. Such collective cultivation of specialized professional capacities meant that everyone young & old, handicapped & abled was born into a large 'corporation' (L 'corp' = 'body') with access to creative-capacities & protections. https://sites.google.com/site/indigenecommunity/relational-economy/extending-our-welcome-participatory-multi-home-cohousing Everyone was an owner, progressively over the course of their lifetimes from young apprentice to elder master. String-shell integrated: Capital (decision-making), Currency (compensation), Condolence (social-security), Collegial mentored-apprentice education, Math-based communication, Costume of professional identity & other value functions into one integrated accounting system. https://sites.google.com/site/indigenecommunity/relational-economy/8-economic-democracy While string-shell worldwide, such as Turtle-Island (North-America)'s Wampum, Esnoguay, Seewan, Kayoni etc. was manufactured in major centers such as New-York's Long-Island using the Quahog shells, it was issued in relation to work performed by the Production-Society/Guilds. During the indigenous period such world-system 'money' was the original foundation of 'kingdoms' ('kin' = 'family') as part of a 'fractal' ('building-block' where the 'part-contains-the-whole') intimate to internationalism. With colonial plunder such as the Crusades, 'kings' who were once leaders of their Guilds, perverted 'money' as a universal labour value, to dominate 'community' (L 'com' = 'together' + 'munus' = 'gift-or-service'). Oligarchs analysing this systematic theft, put themselves into the position of controlling the Finance-Media-Education-Military-Industrial-Legislative-Complex. https://sites.google.com/site/indigenecommunity/structure/5-collaborative-language It is only during the plunder, rape & genocide of the last 7000 years of 'exogenous' ('other-generated') colonialism that; oligarch directed institutional state thieves & murderers have gained control of the world's 'financial' (French 'fin' = 'end' as to 'conclude-deals') metal coin 'money' & other aspects of our economic systems. The anonymity of colonial 'money' & bitcoin is a violent affront to gentle intimate fractal worldwide human 'value' systems. It is time for humanity & bitcoin to grow-up past the inherent violence of anonymous plunder & become intimate fractal responsible systems of mutual-aid, once again. https://sites.google.com/site/indigenecommunity/relational-economy
Chaostheory
So what this article is actually saying is that Microsoft is the real ransomware. I've said this for years as they force you to pay full price for an update by not supporting a later version. I paid for 95,98,Xp,7,8 with no real benefits except directx and capacity limits.
Grumpy
NOTHING is perfect but I would rather take my (rational) chances with *nix than use Windows. For Microsoft to claim that the problem is elsewhere (eg governments, criminals) rather than in their software )which over decades has been the source of many problems) is simply BS. Perhaps governments should outlaw the licenses that basically try to absolve software vendors of responsibility.
EUbrainwashing
Would it be a good idea if the government did not hold system exploits in such a place where hackers can find them? I know, let us ask a random selection of four year olds their opinion. I wonder what they will say, big tractor, nice puppy or not on a drive linked to the internet. It would appear rather obvious to me. Too totally obviously not a good idea. If these files are being collected by people who have some sort of understanding about what they are doing, else why are they doing the job, so how is it not reasonable to believe that what we are being told here is not the whole truth of the matter. Indeed a thing called a big fat lie. I say, on the balance of probability, we are being told an obvious, glaring, smack in the face, lie. So if we are being told a lie why would that be? We can see that what is being magicked up is a 'problem' and if that is so it would be done in order to provoke a 'reaction', of some sort. The reaction is fear, concern that our valuable computers and data within could be harmed causing inconvenience and risking its destruction. So what is the 'solution' we are being offered simultaneously? Buy new OS for our computers, accept that government must spend vast sums on new IT kit to be able to keep up-to-date and - to every one else - update your computer on a regular basis. OK so let us wind back here and put this together; we are being played with two of the oldest tricks, 1/. the idea that the government is utterly incompetent so we believe any story if it confirms that notion and 2/. the, so called, Hegelian dialectic: problem, reaction and solution to manipulate the public. If it was not the NSA I would have a modicum less disbelief but when this 'story' centres around the agency that wants to have its eyes and ears into our every digital correspondence already, I say: come on, really, do you really believe all this piffle. This was all apparently solved by some 19 year old surfer dude by luck and now he has got a job in government. Yup. And I have got a bridge to sell you buddy.
Kenlbear2
Article fails to mention that NSA only published exploit. They did not write ransomware code. Also, ransom is payable only in Bitcoin.