A week after it struck, the WannaCry ransomware attack appears to have been a financial bust for the hackers who launched it. But WannaCry left behind billions in losses for users and a deep sense of vulnerability among data security experts who fear that worse attacks are yet to come.
“It is not going to end,” said Israel Barak, chief information security officer of Boston-based Internet security firm Cybereason. “They are going to continue to be able to find vulnerabilities.”
WannaCry was first detected on Friday, May 12. Within hours it had ravaged thousands of computers in Europe and Asia, while leaving the US largely unscathed. The program encrypted all data on infected computers running Microsoft Corp.’s Windows operating system, locking users out of their own files. Then it displayed a message promising to provide the encryption unlock key in exchange for a ransom of $300 if paid within three days of the infection or $600 if paid later. If the ransom wasn’t paid within a week, the data would be lost forever.
The unknown criminals demanded that ransoms be paid in the digital currency bitcoin and provided three digital addresses for the payments. Bitcoin transactions are anonymous, but they’re also public, and security analysts have tracked the amounts being added to the accounts. As of Friday afternoon, only about 300 victims had paid up, and the total take was less than $100,000, according to a bitcoin tracker set up by the online magazine Quartz. The Finnish cybersecurity firm F-Secure said that at least some of those who paid received decryption keys and got their data back, according to the New York Times.
“I would definitely not refer to it as a sophisticated attack,” said Barak.
Even so, Cyence, which calculates cyber security risks for insurance companies, estimates that the attack could cost businesses worldwide as much as $8 billion in lost revenue due to business disruptions.
Yolonda Smith, director of product management at Boston data security company Pwnie Express, thinks the attack was a dry run. “This wasn’t about the money. This was a proof of concept,” she said. “Next time we expect they’re going to be much more insidious [and] it’s going to be much, much more impactful.”
WannaCry took advantage of a flaw found in many versions of Microsoft Windows. This bug was exploited by a spy tool stolen from the US National Security Agency and published on the Internet in April by an online activist group called the Shadow Brokers.
Microsoft issued a patch in March that would protect against the attack, but many computers were not upgraded. Also, Microsoft didn’t provide a patch for its obsolete but still popular Windows XP software. So when an unknown criminal combined the stolen NSA code with a ransomware program called WannaCry, as many as 200,000 computers worldwide were victimized.
Cyber security experts still don’t know who is behind the attack; they’re not even sure how they managed to carry it out. Early press reports claimed that computers were infected by tainted e-mail messages. But several security analysts have said they can find no trace of such messages.
Instead, Barak believes that the criminals scanned millions of Internet-connected computers to remotely detect vulnerable Windows machines.
About 15 years ago, computers using earlier versions of Windows were afflicted by a series of similar global attacks. Malware with codenames like ILoveYou, Melissa, SQL Slammer, and Code Red infected millions of machines. In 2002, Microsoft cofounder Bill Gates issued a company-wide memo demanding a complete overhaul of Microsoft’s approach to software security. Since then, the company’s products have become far less prone to similar attacks. But WannaCry proves that Windows remains far from bulletproof.
And it’s unclear whether anything can be done to prevent future attacks. “The government could take a stronger role,” said Stuart Madnick, professor of information technology at the MIT Sloan School of Management, who suggested that business might be required to quickly patch known security weaknesses in their software. “You could have certain regulations just like you do for nuclear power plants and so on,” Madnick said. But he admitted that such a law would be very difficult to enforce.
Madnick also noted that WannaCry used software stolen from the federal government. That fact could scuttle proposals to build “back doors” into American software and hardware products, to help police and intelligence agencies track criminals and terrorists. “If the government has the master key, how long before somebody gets the master key from the government?” Madnick said.