The WannaCry ransomware is likely to cause more damage before it subsides and the global impact of the attack could be the “new normal” in the cybersecurity game.
Granted, that is a glass-half-empty view, but our steady march toward the Internet of Things means the overall surface area available to attackers is getting larger by the day. WannaCry’s success highlights a number of issues that make an attacker’s job easier.
Ransomware — which works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key for ransom — is not a new phenomenon, but its use has picked up in the past couple of years.
What makes WannaCry especially interesting is that it’s somewhat of a blast from the past.
Flexera Software’s director of security Kasper Lindgaard said that while ransomware attacks were common, WannaCry was “wormable”, which means that once it’s inside a computer it looks to infect other computers to spread itself as far and wide as possible.
The malware spreads by exploiting a flaw in SMBv1, the oldest version of the server message block (SMB) protocol that Windows machines use for file and printer sharing over a network (TCP port 445). Microsoft had patched the flaw in March 2017 (MS17-010), but one compromised machine is all it takes for the infection to take hold when unpatched systems are reachable on the same network and port 445 is not blocked between them.
When it comes to managing the fallout, cybersecurity vendor ESET’s senior analyst Nick FitzGerald said isolating the compromised machine as quickly as possible was a must.
“Pulling the plug on the ‘patient zero’ machine is a good start,” he said. “We thought that mass-spreading worms had pretty much gone the way of the dodo, so this has been something of a surprise.”
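Finding the “patient zero” machine quickly means spotting the worm’s fan-out: one host opening SMB connections to many distinct peers in a short time, which ordinary file-server use does not do. The following is an added example (not code from the article or from any of the vendors quoted) that runs that detection over a constructed connection log; the log format, the 60-second window and the threshold of 10 distinct peers are assumptions to be tuned per environment.

```python
"""Flag SMB fan-out in a connection log to find a candidate 'patient zero'.

A worm like WannaCry spreads from one infected host to many peers over
SMB (TCP 445), so one source opening connections to an unusual number of
DISTINCT destinations on 445 within a short window stands out from normal
file-server traffic, which goes to a few servers repeatedly.

Added example, not code from the article. The log format (one event per
line: "timestamp src dst dport proto"), the window and the threshold are
assumptions to be tuned per environment.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 10.0.1.23 is the worm host (12 peers in 11 s),
# 10.0.1.50 is a user touching two file servers, 10.0.1.77 is a slow
# 445 sweep (one host every ten minutes) that a 60 s window ignores.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.23 10.0.1.40 445 tcp
2017-05-12T10:00:02 10.0.1.23 10.0.1.41 445 tcp
2017-05-12T10:00:03 10.0.1.23 10.0.1.42 445 tcp
2017-05-12T10:00:04 10.0.1.23 10.0.1.43 445 tcp
2017-05-12T10:00:05 10.0.1.23 10.0.1.44 445 tcp
2017-05-12T10:00:06 10.0.1.23 10.0.1.45 445 tcp
2017-05-12T10:00:07 10.0.1.23 10.0.1.46 445 tcp
2017-05-12T10:00:08 10.0.1.23 10.0.1.47 445 tcp
2017-05-12T10:00:09 10.0.1.23 10.0.1.48 445 tcp
2017-05-12T10:00:10 10.0.1.23 10.0.1.49 445 tcp
2017-05-12T10:00:11 10.0.1.23 10.0.1.50 445 tcp
2017-05-12T10:00:12 10.0.1.23 10.0.1.51 445 tcp
2017-05-12T10:05:00 10.0.1.50 10.0.1.5 445 tcp
2017-05-12T10:05:30 10.0.1.50 10.0.1.6 445 tcp
2017-05-12T10:06:10 10.0.1.50 10.0.1.5 445 tcp
2017-05-12T10:06:15 10.0.1.50 10.0.1.9 80 tcp
2017-05-12T11:00:00 10.0.1.77 10.0.1.60 445 tcp
2017-05-12T11:10:00 10.0.1.77 10.0.1.61 445 tcp
2017-05-12T11:20:00 10.0.1.77 10.0.1.62 445 tcp
2017-05-12T11:30:00 10.0.1.77 10.0.1.63 445 tcp
"""

WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 10   # distinct 445 peers within WINDOW (assumed value)


def parse_events(lines):
    """Yield (timestamp, src, dst) for TCP/445 events; skip blanks and comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        if dport == "445" and proto == "tcp":
            yield datetime.fromisoformat(ts), src, dst


def smb_fanout(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: peak number of distinct 445 destinations seen within
    any `window`} for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_events(lines):
        by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                 # the sliding window needs time order
        in_window = deque()           # (ts, dst) pairs inside the window
        live = Counter()              # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            live[dst] += 1
            # Drop events older than the window so the distinct count stays exact.
            while ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def isolation_candidates(log_text, **kw):
    """Sources to pull off the network first, busiest fan-out first."""
    hits = smb_fanout(log_text.splitlines(), **kw)
    return sorted(hits, key=lambda s: (-hits[s], s))


if __name__ == "__main__":
    hits = smb_fanout(SAMPLE_LOG.splitlines())
    for src in isolation_candidates(SAMPLE_LOG):
        print(f"isolate {src}: {hits[src]} distinct SMB peers within {WINDOW}")
```

The distinct-destination count is what separates a worm from a busy client: a user who reconnects to the same two file servers all day never grows past two, and a slow sweep spread over hours never fills a one-minute window. Fed with real firewall, NetFlow or Windows event data in the same shape, the same logic gives the list of machines to unplug first.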
CrowdStrike Asia-Pacific vice-president of technology Michael Sentonas said that while it was easy to criticise organisations for not patching their systems, updating networks was not easy.
According to Mr Sentonas, patching remains a complex task for enterprises given the volume of vulnerabilities that need to be dealt with on systems.
This so-called “patch fatigue” could explain why so many systems were left vulnerable.
It’s not just the core networks that need updating; the device ecosystem also needs to be brought up to speed.
“Look at the healthcare sector, many hospitals still use Windows XP because they have a large number of other compatible equipment connected to the network,” Mr Sentonas said.
Another worrying aspect, according to Mr Sentonas, is the inability of existing security solutions to detect the malware.
“Over the past 24 hours many security teams in Australian organisations have been rolling out patches and updating their signature files,” he said.
“In some ways nothing has changed in the past 15 years.”
The cyber threat environment isn’t static and, as Microsoft president Brad Smith points out, the attack demonstrates the degree to which “cybersecurity has become a shared responsibility between tech companies and customers”. Mr Smith said in a blog post: “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
These weaknesses will be further magnified in the IoT world, with “jackware” considered the next evolutionary step for ransomware.
Jackware targets the insecure nature of IoT devices, and ESET senior researcher Stephen Cobb warns that rather than lock up your information, the next crop of ransomware could lock up your connected car or home.
“Think of jackware as malicious software that seeks to take control of a device, the primary purpose of which is neither data processing nor digital communications,” he said in a blog post earlier this year.
As the WannaCry attack highlights, the tendency of security agencies to stockpile vulnerabilities rather than report them becomes a problem once the exploit leaks. A similar combination of secrecy and growing complexity could make IoT the next battleground.