Countries around the world, including the U.S., are managing the spread of vicious ransomware on Saturday after the WanaCrypt0r virus brought much of global technology to a standstill on Friday. The malware hit 74 countries, impacting British hospitals, Germany’s rail network, and a Spanish telecom. U.S.-based FedEx apologized for any inconvenience to customers as the massive shipping company recovered from the attack.
While users scramble to address the current hole in security, the extent of the attack also raises larger questions. In the U.S., one question is how intelligence agencies such as the NSA – which apparently supplied one of the tools used by the group behind the attack – handle security flaws under President Trump’s administration.
What just happened?
Ransomware like WanaCrypt0r is a money-making operation: it locks a machine out of full functionality until a ransom is paid. WanaCrypt0r is attacking machines at random and creating new infections at an extremely rapid pace.
Security experts argue that “attack” is a bad term to describe this outbreak, because it implies that the targets were chosen intentionally. But the ransomware is not discriminating between machines; any susceptible network is being hit.
Kaspersky Lab and Avast, two antivirus manufacturers, each reported having seen tens of thousands of infections by midday Friday. That number is now likely much higher. Kaspersky calculated computers were infected in 74 countries. Other estimates have gone as high as 99 countries.
Why are so many systems infected?
The ransomware, variously known as WanaCrypt0r, Wanna Decrypt, WCry and Wanna Cry, is particularly effective in part because it uses a hacking tool apparently stolen from the NSA.
That tool, called EternalBlue, takes advantage of a security flaw in Windows that Microsoft patched in March. Many businesses, organizations and people are slow to update their computers. It can be a particular problem in businesses and organizations because of the scale of the operation needed to update large networks and the fact that niche business software sometimes becomes unstable with new updates.
Systems updated after the patch came out in March were protected.
Why would criminals have access to NSA hacking tools?
A leaker or leakers calling themselves the ShadowBrokers released EternalBlue and a bevy of other alleged NSA hacking tools that relied on previously unknown, unpatched security problems in hardware and software.
It is not entirely clear how the ShadowBrokers first got their hands on the tools – theories range from an internal leak to a Russian group trying to hint that American intelligence should back off.
The group ShadowBrokers first appeared in August, claiming it had stolen tools from the Equation Group, a legendary espionage operation rumored to be affiliated with the FBI. The Brokers announced they had the tools and offered to auction them off.
Despite releasing proof that the documents were real, the Brokers failed to drum up much business. The group proposed an auction in which all interested buyers paid their highest bid upfront, the top bidder got the tools and no one else got a refund. They said the auction had no fixed end date; it would close whenever the group felt it had taken in enough money.
In January, the group gave up, only to resurface in April dumping EternalBlue and other Windows tools in what they said was a protest against Trump becoming more of a centrist than a right wing politician.
What’s next for manufacturers and the NSA?
Though Microsoft had already patched the problem in March – the month before the Brokers leaked EternalBlue – on Friday the software giant released new WanaCrypt0r updates for the Windows Defender antivirus program that ships with Windows.
On Saturday, Microsoft announced it had developed patches for operating systems like Windows XP that were so out of date that the company normally no longer updates them.
The issue of how to secure NSA tools is a little thornier.
The NSA and all government agencies are supposed to use the “Vulnerability Equity Process” to determine which computer security flaws are kept for hacking operations and which are reported to manufacturers for repair.
During President Obama’s administration, the process was known but not transparent. Agencies had to operate under the presumption that manufacturers would be notified. If an agency wanted to keep a vulnerability to itself, it had to argue its strategic advantage before a third-party panel.
It is unclear how well agencies followed this directive during the Obama administration and how they operate under Trump’s new administration. The process was an executive branch rule, not a legislated policy.
Now, legislators including Rep. Ted Lieu (D-Calif.) are looking to codify the Obama-era process and make it more transparent.
This is a balancing act; the more the government lets vendors patch their wares, the safer the public is from cyberattack, but the less intelligence spies and law enforcement can gather.
How do users protect themselves against this and other threats?
Experts generally agree that the most important step most users can take, substantially more important than owning antivirus protection, is to keep all software up to date all the time.
Most ransomware works by encrypting files and charging users for the decryption key. If users regularly back up files, this tactic won’t be as effective.