Ransomware: what WannaCry has taught us


  • Gary Robinson, co-founder of OWASP Belfast and founder of up-and-coming application security startup, Uleska, takes us through the events leading up to the WannaCry cyber-attack, whilst demonstrating the security challenges faced by organisations on an international scale.

    On Friday 12th May 2017, at the AppSec EU conference, the morning keynote speaker Jeremiah Grossman gave an excellent talk on the business of ransomware and how it compares to the kidnapping and ransom industry.  Little did we know that by the end of the day the topic of ransomware would be headline news.  It was later that day when the WannaCry malware hit the NHS, Telefonica, Gas Natural, and thousands of other enterprises around the world.

    The nature of the WannaCry malware itself has been well reported.  It came from a bug that was discovered and used by the NSA, released to the public by Shadow Brokers and Wikileaks, and modified by someone to infect systems and demand $300 from each infected PC. 

    The media has even dipped into the murky subject of ‘patching’ and ‘updates’.  Microsoft released a Windows update months ago to fix the issue exploited by WannaCry.  This means that any Windows PC that ran the Windows update in the last few months would not be vulnerable.

    In the cyber security industry this has started a large debate on the subject of updating, also known as patching.  Microsoft releases these updates free of charge.  In fact most PCs are set to install the updates automatically.  The fact that many enterprises had PCs that did not have the update applied has led many in the industry to conclude that the enterprises who fell victim had bad security policies.  Blogs and tweets were simply demanding companies “Patch your stuff”.

    In reaction to this, many IT personnel who work at the affected institutions started hitting back.  They are stating that it’s much more difficult to apply patches in a large enterprise.  Furthermore they explain that those pushing the simple answer do not understand the complexities of running security and IT in an enterprise.

    Let’s examine this question, since many people in our industry are either working in an enterprise, or working in a smaller company and attempting to sell their products into these enterprises.  As someone who has worked in an enterprise (I was a Senior Security Architect at one of the world’s largest banks), I can tell you that the scale and diversity of people and IT systems is vast, and there’s typically no simple answer that can solve all of your problems.

    Let’s take the “Patch your stuff” stance.  If this simple solution works, then the enterprises who were hit were asleep at the wheel and not paying attention to security at all.  This is hard to believe.  This stance would mean that these companies would get hit by malware so often that they would be hacked out of business.

    Now let’s take the stance that IT security in enterprises is so difficult that even applying free and automated patches is impossible.  This view does not stand up either, since the majority of the enterprises around the world did apply these Windows patches, or had other policies in place which prevented the WannaCry malware.

    How can some companies dodge the bullet, while others were hit multiple times?  As with everything in business, it comes down to cost.  At the end of the day, IT security is about how much a company can spend on security, whilst continuing to exist as a business.

    Among the companies hit by WannaCry, there are surely some that were slow in applying the patch.  Maybe some other large IT project was running and they decided to delay applying the patch for a month or two.  Whether we like it or not, we now live in a world where applying updates and patches is a cost of doing business.  While many businesses want the newest and shiniest features and functionality in their organisations, these must be built on a foundation of secure infrastructure.  As we can see from the events of the last week, securely patched Windows operating systems are part of that bedrock base.

    However there is a darker legacy issue within the IT community - out-of-date software. There are organizations that have bespoke, custom software that was written many years ago, and is unfortunately tied to older software.  The main example cited during the WannaCry fiasco is the Windows XP operating system.

    Microsoft released Windows XP in 2002, and supported it fully up until 2014.  That’s 12 years of support.  After 2014 Microsoft stopped issuing updates for XP, which is their business model. 

    However back in the mid 2000s, many organizations like the NHS needed bespoke software created for their systems, or bought niche off-the-shelf products.  Unfortunately some vendors wrote their software in such a way that it would only work on the Windows XP operating system.  This is fine while Windows XP is still being supported.  However in 2014, when support for XP ended, those organizations will have asked the software vendors for updates to run on newer Windows operating systems, only to find that the software vendors are either out of business, or charging inflated prices for new versions.

    This leaves organizations with a risk decision.  Do they stick with the already working software, even though it’s on an old Windows platform, or pay the massive costs to upgrade the systems?  Before May’s ransomware attacks, they would probably have gambled on the former option.  Let’s face it, the systems were running fine, they have backups, and many would rather the NHS spend funds on healthcare than pay some software vendor.

    The WannaCry ransomware is going to change this position.  Organizations such as the NHS, with already stretched funds, are going to have to pay the software vendors for newer software.

    Much of the media has been asking why the National Cyber Security Centre (NCSC) hasn’t been able to ‘solve’ these cyber-security issues.  There’s not much the NCSC can do with these legacy software issues, except help by throwing money at the problem. 

    However going forward, the NCSC and all organizations can help by making proactive software security decisions.  Organizations such as the NHS and others hold the cards when buying new software, and surely now those buying decisions must include a check that any software is not tied to any particular operating system (or to any time-limited software).  If that call had been made 15 years ago, some of the systems that today only work on Windows XP would never have been purchased, and so they would not be vulnerable now.

    While Microsoft has issued a patch for Windows XP for the WannaCry issue, remember that WannaCry is just one of many ransomware attacks that could occur in the near future.  There is nothing we can do about legacy software.  However it would be criminal to continue making the same mistakes in the future, by not considering security issues proactively, from day one of any new IT or software project.

    Lastly, for any software vendors who are set to make profits from organizations, such as the NHS, having to pay through the nose, please consider the greater good.  Charging millions for bespoke software upgrades because of lazy coding 15 years ago is immoral in my opinion.  You have the power to fix this at a cost that does not impact on patient care, or people’s health.  If you do not, and you insist on increasing your revenue because of this crisis, because the enterprise is tied to your software, then it would seem your demand for profit is simply corporate ransomware in a different guise.
