By: Susan Morrow, May 15, 2017 (08:50 AM)

Is This The End Of The World As We Know It?

Yesterday afternoon, UK time, I received a text message from a friend. It said:

“It’s happening again, they’ve told us to immediately switch off our computers”

This friend works in a very large and busy hospital. Two months ago, the same person sent me a similar text, that time telling me that their entire computer system was suddenly down with no access to anything that was digitized. The friend, knowing I work in the security industry, asked me if I knew what might be happening. I said that it might be a ransomware attack because hospitals in a number of countries had been targeted with this type of cyber attack over the last year (at least). It turned out that the incident my friend reported two months ago was indeed a ransomware attack. In that attack, the hospital became almost inoperable for 48 hours, sending patients away, and unable to diagnose or issue scripts.

The attack two months ago on that hospital never made the news. It hardly even trickled onto Twitter, just a nondescript notice about IT issues at the hospital asking people to seek urgent help elsewhere. I also know that at the same time several other hospitals were part of a ransomware attack – none of those made the news at the time either.

Fast forward to yesterday and my friend’s message. Sure enough, the hospital was part of what is now looking to be the largest-ever single-day ransomware attack.

Ransomware – May Day! May Day!

On May 12, 2017, ransomware suddenly took center stage in the cyber security theater of war. In the UK, the media announced that a small number of NHS Trusts, which cover hospitals, clinics, and small surgeries, had been hit by a cyber-attack. This quickly changed to multiple trusts being affected across the country. Within hours, the news was showing a massive, global ransomware attack. At the time of writing, it was being reported that around 99 countries had been affected, with over 75,000 instances of infection. Countries including the USA, the UK, Spain, China, and Russia have been affected, with Russia seeming to have taken the bulk of the attacks. All manner of organizations are affected, from healthcare to car manufacturers and telecommunications. Europol has described it as an attack of “unprecedented levels”.

But What Really Scares Me…

As reported by Ars Technica, the ‘Wanna Decryptor’ ransomware behind the attacks is believed to be based on underlying code from the NSA. The code is a self-replicating worm, like the Mirai bot of last year. It was built to enable remote access to computers by exploiting a vulnerability in Windows computers. Security experts, like the alleged hacker Lauri Love, believe that the ransomware is utilizing a vulnerability scanner to allow the program to search for vulnerable computers across networks and the Internet; Love tells us to expect to “see this everywhere”.

What we have here is something that chills the blood: a virus that, once executed, creates havoc, shutting hospitals down, preventing industry from operating, stopping communications. When you couple the devastating impact of the software itself with its capability to self-replicate, searching out hosts in an almost intelligent manner, then things get truly scary. This is the stuff of nightmares, the thing that security specialists the world over have said is not a case of IF it happens, but WHEN it will happen.

Is This Just About Money?

Over the last 24 hours, I have heard a number of theories about what the motivation was behind the attack. Some are saying it is purely a numbers game, a mass mailer sending out phishing emails to initiate the install, start propagation, and collect the money. Others are saying that the ransom of $300 worth of bitcoin shows that money is not the objective, and that the fact that this has been such a massive attack, happening in such a short space of time, points to a vanity project – the hackers wanting infamy as much as financial gain.

Whatever the reason for this attack, one thing is clear: many companies, across the globe, were simply not ready for the level of cyber threat.

A NATO For Cybersecurity?

Malicious software lives and breathes because of vulnerabilities in software. It exploits those vulnerabilities, so it can exploit you and your resources. Knowing where those vulnerabilities lie, and the exploits that can be carried out, is a vital part of our security armory. Keeping quiet when an attack happens, as was the case with my friend’s (and others’) hospitals earlier this year, was understandable. However, it ultimately helps the cybercriminals in their game.

In 2015, the Cybersecurity Information Sharing Act (CISA) was signed into law in the USA. It has been a contentious law, but the underlying principles are very relevant to what has just happened to 99 countries and tens of thousands of organizations. We need to use intelligence to tackle this onslaught of threats, not just ransomware but also the myriad of other security risks. Sometimes sharing security-related information is simply not possible, but where it is, we need to have a formal process for doing so. But this process needs to be on a global scale, political views aside. Perhaps we now need to be looking at enhancing existing international alliances around cyber security, like the United Nations-backed International Multilateral Partnership Against Cyber Threats (IMPACT), by building a NATO-type platform for cyber security control. After all, this feels like war.

In this instance and so far, the USA has been spared much of the impact of Wanna Decryptor. This is not likely to continue. In fact, by the time this article is published, we may already have a second wave that crosses the Atlantic, hitting the USA in a much bigger way. Cyber security is not simply a distant threat; it is real, and it severely impacts business and lives. Sitting back and hoping it’ll happen to someone else and not us is a ship that has now long sailed. We have to accept this is part of our cultural landscape and deal with it effectively and with an intelligent approach.

Susan Morrow

Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
