The WannaCry ransomware (also known as WCry or WCrypt or Wana Decryptor) burst onto the scene spectacularly today after NHS hospitals across the UK ground to a standstill, as the ransomware encrypted files and caused staff to cancel operations.
I can only imagine the chaos.
As you can imagine it’s “been a bit busy” here too. Every time I try to write something the media grab me for an interview, and I spent an hour or so in a BBC studio in Oxford while they tried to work out why they couldn’t beam me live down the wire to their studios in London.
(They never did find out what the gremlins were, but thought it “probably” wasn’t the WannaCry ransomware.)
The NHS wasn’t targeted. They’re just a huge organisation which has had insufficient investment in computer security over the years. In short, it has a lot of computers and at least some of them weren’t able to withstand an attack like this.
The state of the NHS’s cybersecurity becomes obvious when you consider that it still relies heavily on computers running Windows XP, which Microsoft started to tell people to dump way back in 2007, and finally stopped patching in April 2014.
If you were still running Windows XP after that date – well, you had something bad coming to you.
The UK Government did end up paying Microsoft over £5.5 million of taxpayers’ money to receive support and security updates for a further 12 months after April 2014 (did they not pay any attention to Microsoft’s warnings since 2007?) but that really was the last chance saloon.
But it would be wrong to think that the NHS was targeted. They weren’t. This is extortion – 21st century style. The bad guys release ransomware (in this carried by a worm which exploits a vulnerability), and their intention is to infect as many PCs as possible to make as much cash as possible.
Hitting the NHS wasn’t necessarily their intention, but it is a soft target due to its poor defences. And, of course, the implications of a widespread NHS infection is felt by many people.
Meanwhile, other organisations in other countries were also impacted. For instance, Telefonica in Spain, and FedEx.
WannaCry appears to have spread at an astonishing pace because it has been spread by a worm exploiting a Microsoft vulnerability – MS17-010. Once one computer in your organisation is hit, the worm hunts for other vulnerable computers to attack.
Before you know it, you’ve got a big problem.
You probably don’t care about this if you’ve had your computers hit by WannaCry, but the story behind the MS17-010 vulnerability is an interesting one.
The vulnerability was first found by the NSA. However, they chose not to tell Microsoft about it. (Which is a shame, because that would have meant computers would have been patched earlier).
Instead, the intelligence agencies kept the details of the exploitable vulnerability to themselves, so they could use it to infiltrate computers and spy upon them. They dubbed the exploit “ETERNALBLUE”.
However, a group of hackers called the Shadow Brokers stole details of this and other exploits used by US intelligence agencies, put them up for sale, openingthe door for other criminals to exploit the vulnerabilities.
Microsoft responded with a patch, but wouldn’t it have been better if the NSA had done the decent thing for all of us on the internet and told Microsoft about the flaw as soon as they discovered it?
Sometimes you protect your country best not by spying on others, but by ensuring that everyone in the world (including the people you may want to snoop on) is better defended.
I’ll update this page with more on WannaCry as it becomes available, but for now you can either follow me on Twitter at @gcluley or (perhaps most importantly) ensure that you have applied Microsoft’s vulnerability patch MS17-010 from earlier this year.
Stay safe folks. And remember to make sure that you have a secure backup regime.
For more discussion on the issue, make sure to listen to this episode of the “Smashing Security” podcast.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.