On May 12th, the phrase "WannaCry" suddenly became used for a lot more than describing our reactions to adorable videos of kittens. WannaCry, also known as WannaCrypt, is a ransomware strain that infected over 200,000 Windows computers in more than 150 countries (including compromising public services such as Britain's NHS) in what seemed like a matter of hours.
How? The virus used a vulnerability in Windows legacy systems such as Windows XP. While the vulnerability was known, older unsupported versions of Windows do not receive automatic updates, so many users did not get the patch (or were not even aware it existed). The virus, like so many others, specifically targeted users through .doc attachments sent in phony emails. Users would receive Google Drive links or .doc attachments in emails that seemed to be sent by a colleague or friend, absently click the link, and boom, infected computer.
Once infected, the virus systematically encrypted almost every file on the machine. It would then post a helpful ReadMe on the victim's desktop explaining how to pay the culprits $300 in Bitcoin (a digital cryptocurrency that can be transferred without a bank's involvement and is difficult to track) to unlock the files. Until then, everything on the system, from essential patient records to the aforementioned adorable cat videos, remained inaccessible. Fail to pay in seven days, and the files are permanently deleted.
Should we still be worried?
Short answer, yes.
As of the time of this posting, WannaCry is still active. Microsoft rushed an emergency patch to address the issue across its platforms, and antivirus and security companies such as Kaspersky have also been working to address the issue. With the Microsoft update and the swift response of leading antivirus software providers, the sharp edge of the attack has been blunted.
As it is, the attack could have been much, much worse were it not for a bit of luck on the part of an inquisitive InfoSec tech. The anonymous author of the MalwareTech blog began studying the virus as soon as it started making waves. Rooting through a sample of the virus, he discovered that the program queried an unregistered domain name referenced in its code. As part of his standard method of tracking and studying malicious code, he registered the domain. This had the surprising effect of killing the spread of the virus (normally this is not the case; either the WannaCry code intended this domain to be a kill switch, or it was constructed with some type of bug). You can read the firsthand account of this fortunate break on the author's own blog.
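One defensive use of the kill-switch behaviour described above is to check DNS logs for hosts that looked the domain up: a host that asked is carrying the sample, whatever answer it got. This is an added example, not code from this post or from the MalwareTech blog; the domain name and the log lines are constructed placeholders, since the post does not give the real domain.

```python
import re
from collections import defaultdict

# Placeholder: the real kill-switch domain is not given in this post.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed DNS resolver log lines (not real data), one query per line:
# <timestamp> <client-ip> <query-name> <response-code>
SAMPLE_DNS_LOG = """\
2017-05-12T09:01:07Z 10.0.3.14 killswitch-domain.example NXDOMAIN
2017-05-12T09:01:09Z 10.0.3.14 update.example.com NOERROR
2017-05-12T09:02:31Z 10.0.7.2 killswitch-domain.example NXDOMAIN
2017-05-12T15:44:10Z 10.0.5.9 killswitch-domain.example NOERROR
2017-05-12T15:45:02Z 10.0.3.14 killswitch-domain.example NOERROR
2017-05-12T16:00:00Z 10.0.9.1 intranet.example.local NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def find_kill_switch_queries(text, domain=KILL_SWITCH_DOMAIN):
    """Group kill-switch lookups by client host.

    NXDOMAIN answers predate registration of the domain (the check failed,
    so the sample carried on); NOERROR answers came after the sinkhole was
    registered (the case where it stops). Either way the host is infected.
    """
    hits = defaultdict(lambda: {"before_sinkhole": 0, "after_sinkhole": 0})
    for _ts, client, qname, rcode in parse_dns_log(text):
        if qname.lower().rstrip(".") != domain.lower():
            continue
        key = "after_sinkhole" if rcode == "NOERROR" else "before_sinkhole"
        hits[client][key] += 1
    return dict(hits)

def hosts_to_isolate(text, domain=KILL_SWITCH_DOMAIN):
    """Hosts that ever queried the kill-switch domain, unsinkholed queries first."""
    hits = find_kill_switch_queries(text, domain)
    return sorted(hits, key=lambda h: (-hits[h]["before_sinkhole"], h))

if __name__ == "__main__":
    for host, counts in find_kill_switch_queries(SAMPLE_DNS_LOG).items():
        print(host, counts)
    print("isolate first:", hosts_to_isolate(SAMPLE_DNS_LOG))
```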
While this is certainly good news, it does not mean that the virus is gone for good. Other variations of WannaCry are already popping up as are copycats. Sadly, we haven't heard the end of this story quite yet.
What should you do?
No matter what system you run, you need to update your security profile immediately. Users running machines with Windows XP, Windows 8, or Windows Server 2003 need to install the update issued by Microsoft as a response to WannaCry.
We should always be diligent about attachments and links provided in emails, but now is the time to be extra sharp. Keep an eye on what you're opening and if in doubt, don't click. Sadly, this is easier said than done.
Security meets reality
While responses to WannaCry have been mostly productive in the InfoSec community, there are always a few snickering elitists who worm their way out of the woodwork for this sort of thing: victim blaming, asking what kind of business or person is still using an XP system, or arching an eyebrow at anyone who could possibly be foolish enough to fall for a phishing email.
These attitudes only show how out of touch some people are. Not every user is going to reinvest in a new computer and OS every five years, and it's unrealistic to expect that from the average consumer. There are plenty of people still running XP on their home PCs for simple lack of a reason to splash out hundreds of dollars on a new system.
There are also legitimate reasons an enterprise-level business would still be running an older OS. Take the NHS, for example. As a government-supported health system, it's not as if the NHS lacks the resources or support to completely update its systems if it really wanted to, but there is the matter of practicality and compatibility. Custom software, such as the kind that operates a CAT scan machine, might not work with another OS. If the choice is between saving lives with a proper diagnosis or keeping updated to the latest version of Windows, I think I know which one I want my hospital making.
The same goes for opening a phishing email. There is simply no fool-proof way to protect against every type of phish. While there are plenty of precautions, best practices, and tools that will help you avoid 99% of phishing attempts, there is always that 1% chance left. People are busy and phishing techniques are sophisticated; "zero clicks" is a fantasy (especially for businesses where people are inundated day in and day out by emails with attachments and links).
What we should be learning from WannaCry is the need for more public attention and understanding about these kinds of threats. While a patch addressing the vulnerability had been available for months before the virus hit, the fact that it required individual users to specifically seek out and manually update their machines meant that few people bothered. As InfoSec concerns make their way out of the obscure corners of the security world (and trappings of fun but inaccurate John Travolta films) and encroach on the lives of average users, we need a more holistic response to them.
The burden of security should not be placed on the individual end user. But until things change, the best you can do is keep your system updated, your ear to the ground, and your finger poised over the delete button when someone sends you something suspicious.