In what might ultimately become the largest ransomware outbreak in history, the “Wannacry” or “WanaCrypt0r” ransomware worm has infected over one hundred and fourteen thousand computers worldwide at the time of this writing. With ransom notes written in twenty-eight languages, it has victimized agencies as diverse as the British National Health Service (NHS), the Russian Interior Ministry, Spanish telecom giant Telefonica, and FedEx. Once installed, Wannacry locks up computer files and demands a three hundred dollar ransom in BitCoin to unlock them, which increases to six hundred dollars over time. Ultimately Wannacry deletes all files if the ransom goes unpaid for seven days. Wannacry is also a worm, so it scans the local network to find any other vulnerable systems that it can infect. The good news is that a “white hat” hacker – a friendly hacker, so to speak – has slowed the spread of this plague and minimized the damage for now.
It all started in August 2016. The Intercept reported that a hacking group called “Shadowbrokers” put up an auction for what it claimed were NSA hacking tools. Edward Snowden verified the NSA connection via previously unreleased documents. As stated in another article from The Intercept, in April 2017 Shadowbrokers released another NSA tool box. This time they made the tools, capable of breaking into or remotely controlling Windows computers, freely available. Experts say that the Wannacry worm incorporates one of those tools, codenamed ETERNALBLUE. ETERNALBLUE takes advantage of a weakness in Microsoft operating systems which allowed the NSA to take remote control of Windows computers. Microsoft released patches for the ETERNALBLUE exploit in March 2017. But many agencies with few resources for information technology staff do not update their operating systems frequently, and so they have been victimized.
Ransomware, or malware which encrypts files on a computer until the victim pays a ransom, has been around for a long time and is an expensive and annoying experience. Hackers commonly spread ransomware via a process called phishing, in which e-mails are sent to potential victims, enticing them to open an attachment or web link which executes a script and infects their computer. Wannacry is especially dangerous ransomware because it marries itself to the ETERNALBLUE code, so that when just one person on a network becomes infected via normal vectors, the ETERNALBLUE code seeks out other vulnerable computers on that network and infects them as well. Infected machines could even theoretically spread this ransomware across public Wi-Fi networks. So what might otherwise be a mere annoyance for NHS or Telefonica or FedEx now becomes hundreds or thousands of computers inaccessible for days, or their data lost forever. Organizations all over the world will be wrestling with the fallout from this situation for weeks or months.
Critics, including Edward Snowden, are wagging their fingers at the NSA. They argue that, if the NSA had shared the news of this vulnerability with Microsoft when they first found it, rather than developing code to exploit it for their own purposes, Wannacry would never have happened. The same argument exists regarding the NSA’s inability to keep their secret weapons out of the hands of criminals. In the age of cyber terrorism sponsored by foreign governments and the ever-present terror threat from Islamic extremists, it makes good sense for the NSA to have their coders banging on every known operating system, looking for vulnerabilities. What the U.S. government must decide is the best use of these vulnerabilities once found. As discussed by Epic.org, the government claims that it does an extensive analysis for each vulnerability it finds, and either exploits it or reveals it privately to have it fixed, depending on the outcome of that review. The government appears to consider the potential harm of other governments or criminals discovering a vulnerability on their own, but it doesn’t seem to take into account the likelihood that the weapons developed to exploit those weaknesses will fall into the hands of adversaries. In this case, the review process apparently failed.
Here is the good news. First, if you have updated your OS with all available patches and are running good, up-to-date anti-virus, you should be safe from this particular storm. If you haven’t updated your OS or your anti-virus, do so immediately. Even if you are still using an unsupported Microsoft operating system, like Windows XP, Microsoft has released a patch for you. Second, as reported in The Guardian, a cyber security researcher in the UK has found a kill switch in Wannacry and has activated it. On examining the program, the researcher found code that checked to see if an Internet domain was registered. The researcher registered the domain, and since then at least some instances of Wannacry have stopped infecting other machines locally. Of course, this doesn’t mean that all cases of Wannacry check the same domain. And the hackers behind Wannacry could certainly modify the application to remove the kill switch or exploit other vulnerabilities in Microsoft operating systems. But the impact is minimized for now.
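The kill-switch check described above has a useful side effect for defenders: an infected machine has to look up that domain before it tries to spread, so a DNS resolver log shows which hosts on a network are already carrying Wannacry even when the sinkhole stopped them from scanning further. The following script is an added example for this article, not code from the original post, from the researcher, or from any vendor; the article does not name the kill-switch domain, so `KILL_SWITCH_DOMAIN` is a placeholder to be replaced from a trusted advisory, and the log format and log lines are constructed for the demonstration.

```python
"""Triage of DNS resolver logs for lookups of the Wannacry kill-switch domain.

Added example for this article, not code from the original post or any vendor.
The article does not give the kill-switch domain, so KILL_SWITCH_DOMAIN is a
placeholder. The log lines and their "timestamp client qtype qname" layout are
constructed for this demonstration; adapt parse_line() to your resolver's format.
"""
import re
from collections import defaultdict

# Placeholder: substitute the real kill-switch domain from a trusted advisory.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log, one query per line: timestamp client qtype qname.
SAMPLE_LOG = """\
2017-05-12T09:01:02Z 10.0.4.17 A update.microsoft.com
2017-05-12T09:01:05Z 10.0.4.23 A killswitch-domain.example
2017-05-12T09:01:06Z 10.0.4.23 A killswitch-domain.example
2017-05-12T09:02:10Z 10.0.7.9 A www.example.org
2017-05-12T09:02:11Z 10.0.7.9 A KillSwitch-Domain.example.
2017-05-12T09:03:00Z 10.0.4.17 AAAA mail.example.org
malformed line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so "KillSwitch-Domain.example." matches the configured domain.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: [timestamps]} for every client that queried `domain`.

    The lookup is the worm's pre-spread check, so a host on this list is very
    likely already infected even if the registered sinkhole kept it from
    scanning further. A host that is absent is not proven clean: the article
    notes that not every Wannacry sample checks the same domain.
    """
    hits = defaultdict(list)
    target = domain.rstrip(".").lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == target:
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


def triage_report(log_text, domain=KILL_SWITCH_DOMAIN):
    """One line per suspect host, earliest lookup first, for the responder."""
    hits = kill_switch_lookups(log_text, domain)
    rows = []
    for client, stamps in sorted(hits.items(), key=lambda kv: min(kv[1])):
        rows.append(f"{client}\tfirst={min(stamps)}\tlookups={len(stamps)}")
    return rows


if __name__ == "__main__":
    for row in triage_report(SAMPLE_LOG):
        print(row)
```

Run against the constructed log, the report lists 10.0.4.23 and 10.0.7.9 in order of their first lookup; those are the hosts to isolate and rebuild from backup first. The earliest timestamp per host also gives the responder a starting point for the infection timeline.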
So, as always, Liberty Nation readers, keep your chin tucked and your dukes up. Always use a quality off-site backup service that stores previous versions of all your files. Always update your operating system as soon as possible. And never, ever, ever click on links or attachments in your email until you verify that the sender actually sent you the attachment. Especially if they are from your granny, who undoubtedly knows as much about the Internet as she does about quantum physics.