A cyber catastrophe has occurred. A little before noon on Friday, 12 May 2017, a highly virulent strain of the ransomware WannaCry (known as WannaCrypt) began to spread through Windows systems worldwide, crippling the NHS healthcare system, Russian government ministries and French automobile plants, and ultimately impacting more than 200,000 computers in 150 countries by midday Monday. Current estimates place the evaluated business losses worldwide between $3-4 billion. The Centre will conduct its own economic impact assessment in the coming days.
It is now widely understood that this version of WannaCrypt utilises the ETERNALBLUE Windows exploit, made public on 14 April 2017 in a data dump by the group known as the Shadow Brokers (Kaspersky). ETERNALBLUE installs with the tool DOUBLEPULSAR, which both contain backdoor vulnerabilities to certain Microsoft operating systems, which many security industry experts claim is highly specialised for intelligence collection. A successfully coordinated spear phishing campaign helped the initial spread of these tools that, once granted access, released WannaCrypt on systems. Microsoft introduced a patch for this exploit along with several others on March 14 (Engadget). Industries using unpatched Microsoft operating systems or drastically out-of-date or unsupported systems such as Windows XP (in the case of 90% of NHS trusts) were those susceptible to the ransomware spread.
Countries affected by the WannaCrypt attack (BBC)
The spread of the WannaCrypt ransomware is indicative of an evolving capability scale wherein powerful cyber tools are becoming more available and simpler to use by cyber actors of limited ability. The WannaCrypt software utilises a sophisticated vulnerability but takes little skill to set up and trigger effectively.
A reoccurring theme among the media and in the immediate public response to this ransomware attack has been one of confusion surrounding why IT systems – the NHS in particular – remained vulnerable following identification of the ETERNALBLUE exploit and creation of a patch provided by Microsoft. The issue of patching the exploit can be fundamentally reduced to the cost-benefit approach of business decisions, and is itself a decision which carries an additional set of cyber risks. The process is time consuming and there may be legitimate reasons for not using a patch or delaying its application.
Patched systems are not invulnerable, only better and proactively protected. Immediate patching is not a guaranteed safeguard to cyber risk. System updates and patches are not comprehensive, and can sometimes introduce additional flaws, bugs, or other vulnerabilities which must be re-patched again. Microsoft’s ‘Patch Tuesdays’ often lead to ‘Recall Thursdays’ and Apple’s iOS 8 rollout for iPads and iPhones infamously led to reports of sudden battery drain and random restarts. The Centre for Risk Studies’ first venture into the potential cyber threat to business was the Sybil Logic Bomb Cyber Catastrophe scenario in which the routine update code of a tent-pole database software provider is deliberately tampered with, causing repeating errors which build up into industrial catastrophes over the course of many years. By the time the problem is identified, the code is grandfathered into numerous subsequent upgrades and has polluted years’ worth of company backups.
As we have seen, the risks of not-patching or delaying updates on a network scale are similarly fraught. The asymmetry of information regarding the risks associated with cyber crime (particularly systemic risk) means that businesses and governments underestimate the potential loss related to a cyberattack, and therefore allocate resources to other departments. In an IT team that is underfunded (relative to potential loss), IT managers have a high opportunity cost when assigning labour to a particular task. Patch and update management, and maintaining good administrative security protocols, may not be seen as a priority when compared to other IT service tasks.
This particular cyber attack has highlighted the vulnerabilities in the management of IT systems in national infrastructure as well as private industry. Governments and organisations have been exposed to an attack which has caused severe business interruption, a negative effect on brand reputation, and billions in monetary losses. In the case of the NHS, it has endangered lives. The decisions made by corporations and governments are likely to take into account the new potential benefits of a nimble and well-funded IT team, in terms of the mitigation of risks associated with this kind of ransomware attack, and those resulting from the greater band of cyber attacks in general.
Additional material contributed by Andrew Smith, Research Assistant