There is a way to stop WannaCry.
Hackers attacked a hospital system with ransomware and demanded $17,000 in bitcoin payment.
This was not part of the potentially deadly global WannaCry ransomware attack that slammed Britain’s National Health Service (NHS) on Friday. It took place over a year ago, and the target was Hollywood Presbyterian Medical Center in Los Angeles.
Like the NHS, Hollywood Presbyterian chose to pay the ransom so they could quickly regain control of their antiquated systems.
Ransomware attacks have been on the rise for more than a year and, according to Jonathan Penn, Avast Security’s director of strategy, WannaCry could be “just one wave in a very long series.”
So far, Avast, a security solutions company, has detected and prevented almost a quarter of a million WannaCry ransomware attacks around the world.
If companies, people and governmental agencies like the NHS knew that ransomware was exploding last year, why weren’t they preparing themselves? It’s like the ground floor of a 28-story high-rise is on fire and, instead of putting out the flames, we just keep taking the elevator up to another unaffected floor.
There are many excuses businesses and government agencies use to avoid upgrading their software. But the dramatic rise of ransomware attacks means it’s time for them to take their medicine and figure out a way to get it done. Otherwise, these attacks will just keep spreading with organizations paying ransoms that are cheaper than upgrades, until they’re not.
Microsoft and most security experts will tell you that the surest way to prevent a ransomware attack is to keep your Windows system up-to-date and fully patched, run security software, and avoid opening email from unknown parties and opening unknown links.
Those running Windows 10 can’t even avoid updates (they can postpone for a week or so, but that’s it). However, most people and businesses aren’t running Windows 10. They’re on older platforms like Windows 7, which Microsoft will only patch through 2020.
A shocking 7% are still on Windows XP, a 16-year-old operating system Microsoft stopped supporting years ago (but patched just for this attack). Anecdotal information indicates that businesses and governmental agencies around the world are the primary culprits here. Late last year, Citrix reported that the majority of NHS hospitals were still running Windows XP on at least some of their systems.
Penn isn’t surprised that the NHS hasn’t upgraded more quickly. “The health service in Britain is government-run. So, they need to make quite a significant case, go up the chain or take budget from somewhere else.”
However, it’s more than just money and bureaucracy that’s keeping businesses and governments from retiring old hardware and software.
Think about what it takes to update your own computer — or even your smartphone. It’s a pain in the neck, especially if functionality changes (and many people simply don’t let devices update). “Now multiply that times a thousand for business,” said Penn.
Businesses and government agencies often have customized software and disparate systems that need to communicate. Patches and OS updates can’t roll out willy-nilly; they must be tested. That takes time and money, and so do the potential ancillary updates that are often required.
“It’s just a hamster wheel of expense for a lot of these people,” said Penn.
Many simply decide to not upgrade, especially if all systems are still functioning.
What they’re doing, essentially, is a risk assessment. Changing things incurs cost and maybe lost business or even the ability to serve constituents. But the risk equation is tilting dramatically in the other direction.
Penn told me that the risk ransomware poses is getting larger and will not go away. More worrisome is that the effectiveness of the WannaCry ransomware attack will probably lead to more attacks.
And the risks are widespread.
Sources within the U.S. Federal Government tell Mashable that, so far, the impact on government systems hasn’t been bad and that there have been no public reports of WannaCry-related issues.
However, the U.S. health care system may not be so lucky.
“Our health care system is fragmented: medical records, for example, might be created and managed by a single doctor’s office or by large hospital systems,” said former U.S. Department of Health and Human Services CIO Frank Baitman via email. “Their ability to patch legacy systems and employ cybersecurity staff varies enormously. Even in large enterprises, it’s difficult to patch all computers as soon as a Zero Day vulnerability is discovered,” he wrote. A Zero Day attack has no known patch or signature.
Penn, though, believes the next logical target is the education system, which has a devil’s brew of massive amounts of private data and grossly underfunded infrastructure. “It’s low-hanging fruit,” he said. I also asked him about the electric grid’s vulnerability, but Penn wouldn’t comment.
Even if consumers and businesses follow Penn’s advice and upgrade, patch, and install antivirus, they may not be fully protected.
Shortly after news of the Hollywood Presbyterian attack broke, Security Architect Kevin Beaumont detailed the powerful ransomware behind it. Called Locky, it was reportedly infecting thousands of systems a minute. More terrifying, Beaumont wrote that having fully up-to-date systems didn’t seem to matter:
“Having your endpoints fully Windows and Office patched, antivirus software installed, behind a firewall and with Malwarebytes Anti-Ransomware (in beta) likely wouldn’t have protected you if you allowed users to open macros and didn’t have application whitelisting correctly configured.
“MessageLabs, Google Mail, Office 365 and hosted Exchange all delivered the Word documents.”
Penn acknowledged that so-called Zero Day attacks are a reality.
“No one is going to claim that, if you do X, Y and Z you will never get any kind of attack, because there are these things called Zero-day attacks. They can be successful against systems with all these protections. It depends on the nature of the exploit,” he said.