Ransomware, Windows XP and the NSA leak that started it all
While we scramble to manage the global spread of antibiotic-resistant superbugs, another form of superbug has struck the world's hospitals. This digital superbug has frozen access to patient data systems, caused ambulances to be diverted and rendered MRI, CT and ultrasound devices temporarily inoperable. In the wake of this global cyberattack we are left asking how it happened and whether we can stop it happening again.
On Friday May 12 the world was struck by an unprecedented ransomware attack infecting, at the time of writing, over 230,000 computer systems across 150 countries (and rising). Dubbed "WannaCry," the ransomware encrypts a victim's files and, unlike most ransomware, spreads on its own to other unpatched machines on the same network without anyone opening an attachment. A ransom note then appears on the victim's screen demanding US$300 in bitcoin within three days. After that the demand reportedly doubles, and the note claims the encrypted files will be deleted if no payment is made within seven days.
Within hours of the ransomware being launched, a security researcher who goes by the name "MalwareTechBlog" noticed that the code made an HTTP request to a long, unregistered domain name. The researcher registered the domain, a routine step when tracking this type of malware, so that the traffic could be observed. Soon after the domain went live it became clear that registering it had unwittingly halted the outbreak: the malware was written to check whether the domain could be reached and to exit without encrypting or spreading if it could. The domain was, in effect, a kill-switch, and flipping it stopped new infections at that check.
As expected, in the intervening days several new variants of the ransomware appeared. Most carried similar kill-switch domains that were quickly registered and sinkholed in turn, but reports indicate that variants with no kill-switch at all have started appearing. The switch is also a weaker defense than it sounds: the malware makes its request directly, without honoring a system proxy, so on networks where all web traffic must go through a proxy the check fails and the ransomware runs regardless of the domain being registered. A registered domain is a stopgap, not a fix, because the flaw the worm uses to spread remains on every unpatched machine. This dramatic attack on the world's computers is by no means over, with organizations bracing for another wave of infections, but how did this even happen in the first place?
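The kill-switch behavior described in the two paragraphs above, as an added example that is not code from the article, from the malware or from the researcher it describes. It models the decision the worm made before spreading, shows why sinkholing the domain stopped it and why a proxy-only network undoes that, and hunts a small DNS resolver log for the tell-tale lookup. The domain names, the log format and the log lines are constructed placeholders, not the real kill-switch domain or a real resolver's output.

```python
# Added example, not code from the article or from the researcher it describes.
# Models WannaCry's kill-switch decision, the effect of sinkholing the domain,
# the proxy failure mode, and a DNS-log hunt for the lookup. Domain names and
# log lines are constructed placeholders (assumption), not the real domain.
from __future__ import annotations

import re
from typing import Callable, Iterable

# Stand-ins for the hard-coded, initially unregistered domains (assumption).
KILL_SWITCH_DOMAINS = frozenset({
    "unregistered-killswitch.example",
    "variant-two-killswitch.example",
})


def worm_should_run(fetch: Callable[[str], bool], domain: str) -> bool:
    """Mirror the malware's inverted logic.

    The worm issued a plain HTTP GET to the kill-switch domain. If the request
    succeeded it exited quietly; if it failed for any reason (NXDOMAIN, no
    route, a proxy that silently drops direct connections) it went on to
    encrypt and spread. So an outage of the sinkhole, or a network that
    blocks direct egress, re-arms the worm.
    """
    try:
        reached = fetch(domain)
    except OSError:  # ConnectionError and TimeoutError are both OSError
        reached = False
    return not reached


# Three network conditions the check can meet (constructed, not real probes).
def unregistered(domain: str) -> bool:
    """Before anyone registered the domain: DNS returns NXDOMAIN."""
    raise ConnectionError(f"NXDOMAIN: {domain}")


def sinkholed(domain: str) -> bool:
    """After registration: the sinkhole answers and the GET succeeds."""
    return True


def direct_egress_blocked(domain: str) -> bool:
    """Sinkhole exists, but this host can only reach the web through an
    explicit proxy the malware never used, so the direct request times out."""
    raise TimeoutError(f"direct connection to {domain} timed out")


# Constructed DNS resolver log in a simple key=value format (assumption).
DNS_LOG = """\
2017-05-12T10:31:02Z client=10.1.4.22 query=www.example.org type=A rcode=NOERROR
2017-05-12T10:31:05Z client=10.1.4.22 query=unregistered-killswitch.example. type=A rcode=NXDOMAIN
2017-05-12T10:31:05Z client=10.1.7.9 query=Unregistered-KillSwitch.example type=A rcode=NOERROR
2017-05-12T10:31:09Z client=10.1.7.9 query=mail.example.org type=MX rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
    r"type=\S+ rcode=(?P<rcode>\S+)$"
)


def hunt_kill_switch_lookups(
    lines: Iterable[str], domains: frozenset[str]
) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, verdict) for each lookup of a kill-switch name.

    The lookup itself is the indicator: an ordinary host has no reason to
    resolve these names. The verdict is a heuristic only. NXDOMAIN means the
    check failed and the worm certainly went on to run; NOERROR means the
    check *could* have succeeded, not that it did (see direct_egress_blocked).
    """
    hits: list[tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")  # normalise case and trailing dot
        if qname not in domains:
            continue
        verdict = "ran" if m["rcode"] == "NXDOMAIN" else "possibly halted"
        hits.append((m["ts"], m["client"], verdict))
    return hits


if __name__ == "__main__":
    d = "unregistered-killswitch.example"
    for label, fetch in (("unregistered", unregistered),
                         ("sinkholed", sinkholed),
                         ("proxy-only network", direct_egress_blocked)):
        print(f"{label:20s} -> {'spreads' if worm_should_run(fetch, d) else 'exits'}")
    for hit in hunt_kill_switch_lookups(DNS_LOG.splitlines(), KILL_SWITCH_DOMAINS):
        print(*hit)
```

The point of the first half is the inverted logic: the worm runs when the check fails, so anything that makes the sinkhole unreachable from inside a network (an outage, an egress rule, a mandatory proxy) re-enables it. The second half is the detection a defender actually wants: any client resolving these names should be treated as infected and isolated, whatever the response code was.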
Earlier in the year a group of hackers calling themselves The Shadow Brokers leaked a large cache of software exploits stolen from the National Security Agency (NSA). One of those exploits, called EternalBlue, homed in on a flaw in Windows' implementation of SMBv1, the aging file-sharing protocol that Windows machines use to talk to one another over a network, which is what lets the worm jump from one unpatched machine to the next without any user action.
Microsoft had flagged the vulnerability and released a patch for it (security bulletin MS17-010) in March, a month before the hackers publicly released the exploit, but a major problem remained. The patch covered the versions Microsoft still supported, including Windows Vista, 7, 8.1 and 10 and their Windows Server counterparts, but Microsoft had ended support for earlier versions of its popular operating system, including the still widely used Windows XP, which received no fix at all.
It was here that WannaCry hit hardest. Many large organizations around the world still run old or unpatched Windows systems, and the worm did not need Windows XP specifically: any machine exposing SMBv1 without the March patch could be infected, and later analysis pointed to unpatched Windows 7 installations as the bulk of the victims. NHS hospitals in Britain were hit by the malware; French carmaker Renault was forced to stop production at several sites; ATMs in China went offline; and 18 police units in India had their records frozen.
Microsoft quickly moved onto the front foot and issued emergency security patches for the older, unsupported versions, including Windows XP and Windows Server 2003, but the chaos left many asking why vital government systems such as the NHS in Britain were still running an outdated operating system.
An investigation from Motherboard in September 2016 presciently saw this calamity on the horizon and revealed the extent of the problems faced by the NHS in Britain running outdated, unsupported Windows XP systems. Thousands of computers were found to be running on the vulnerable operating system and one hacker group even commented to Motherboard: "We like to imagine even updated Windows XP platforms [are] like an unlocked Honda Civic from the 1980s."
For many large organizations the attraction of staying on old systems is cost: extended support from Microsoft for an operating system past its end of life is paid for. In 2015 The Guardian reported that the UK government had ended its deal with Microsoft for extended support and updates for its Windows XP systems, an agreement that had been costing £5.5 million a year.
The controversy is already topping British headlines, with some pointing out that underfunding of the Department of Health is what left the NHS running such an outdated and vulnerable operating system.
This ransomware attack exposes a compelling catch-22. No one can reasonably expect a company like Microsoft to support old systems indefinitely, but large corporate and government organizations often lack the budget or the operational freedom to keep their systems current, not least because medical and industrial equipment is frequently certified to run only on one specific version of Windows. Bureaucracy moves especially slowly; is anyone really surprised that many of Britain's hospitals run on a 15-year-old, unsupported operating system?
In a statement, Microsoft's president and chief legal officer, Brad Smith, pointed the finger explicitly at governments, and the NSA in particular, for holding great responsibility for exploits in Microsoft's software going unreported and therefore unpatched. It is the government's stockpiling of these exploits, and their subsequent theft and leaking, Smith writes, that is causing widespread damage.
In the startlingly frank statement, Smith confirmed for the first time that the exploit used in this attack had been stolen from the NSA, and argued that the agency's failure to disclose the vulnerability when it found it was an indirect cause of the catastrophe.
"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world," Smith writes.
Edward Snowden also reiterated Smith's objections, tweeting: "If [the NSA] had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened."
Many are now calling for cyber-exploits of this kind to be treated internationally in the same way as chemical or nuclear weapons. In fact, in February Microsoft proposed what it termed a "Digital Geneva Convention," which would require governments to report the vulnerabilities they find to vendors rather than sell, stockpile or exploit them.
But where do we go from here?
The WannaCry ransomware catastrophe is far from over, and it looks to be the opening blast of a new phase of cyberwar, one that highlights how easily a single unpatched flaw can disable systems across the world. When paying a modest ransom looks cheaper to an organization than comprehensively updating its systems and support (and in WannaCry's case payment offered no reliable path to getting files back), the world is faced with a major dilemma.
Governments hoard exploits, hackers steal them, and the outdated systems that keep our cities running remain constantly vulnerable.
This latest ransomware catastrophe has confirmed that we have a major problem, but where the solution lies, and whose responsibility it is to fix it, is going to be argued over for some time to come.