Those “in the know” in the cybersecurity world have been aware for more than a year of the threat posed by ransomware, a type of malware that locks victims’ access to their files until they pay a ransom. Discussion of the threat, however, was mostly confined to cybersecurity professionals, blogs like this one, and various guidance documents released by federal agencies during 2016. Now ransomware may just have entered the general public consciousness in a big way.
An enormous ransomware attack on May 12 hit major state and private institutions and other targets worldwide and exploded onto the front pages of publications like the New York Times. The attack used a ransomware variant called “WannaCry,” which is believed to be based on a stolen National Security Agency hacking tool that targets a vulnerability in Microsoft Windows servers. The technology is thought to have been stolen from the NSA in the Shadow Brokers’ attack last year and was released online by the Shadow Brokers last month.
Medical, educational, governmental, and other institutions worldwide have been affected by the hack, with Rob Wainwright, the executive director of Europol (the EU police agency), estimating that 200,000 computers in more than 150 countries have been hit. Entities impacted included the Russian Interior Ministry, German rail company Deutsche Bahn, Spanish telecom firm Telefonica, and corporate and university networks throughout China. Federal Express was also hit, though the United States was apparently spared the worst of the attack because of the fortuitous discovery of a temporary “kill switch” to the malware by a young British cybersecurity researcher known as “MalwareTech”. Microsoft also helped to slow the attack by releasing a rare emergency security patch for Windows XP, which it has not supported since 2014. The Department of Homeland Security has issued a statement advising users of the Microsoft patch and directing Americans to the US Computer Emergency Readiness Team for additional information on best practices for protecting an organization from ransomware.
One of the hardest-hit institutions was Britain’s National Health Service, as approximately 20 percent of the country’s “public health trusts” were affected at one point. All but six of the 48 NHS organizations attacked were back to normal as of Saturday, according to British Home Secretary Amber Rudd. The targeting of the NHS will come as little surprise to the United States health care industry, which has been the target of successive ransomware attacks in 2016 and 2017. To address cybersecurity vulnerabilities in the health care sector, the US Department of Health and Human Services is planning to launch a new Health Cybersecurity and Communications Integration Center in June.
According to the New York Times, security experts are warning that the WannaCry attack may be far from over, and may in fact worsen as users log back into their computers on Monday morning. Experts warn that this could particularly impact users in Asia, many of whom likely had logged off for the weekend before the malware hit. There are also warnings that attacks using copycat variants of WannaCry are starting to spread. Perhaps most concerning, experts are noting that the “kill switch” discovered by MalwareTech can be removed with limited changes to the malware code, allowing a less vulnerable version of the malware to be released. For this reason, security experts, including MalwareTech, are warning users not to rely on the activation of the kill switch and instead to immediately install the security patch released by Microsoft.
Regardless of whether the WannaCry attack causes further chaos tomorrow, its scope already has the potential to make it a watershed moment for public awareness of the ransomware threat and governmental response to it. NBC News notes that the attacks were a focus of G-7 financial chiefs, including US Treasury Secretary Steven Mnuchin, at their meeting in Bari, Italy on Saturday. Privacy advocates in the United States are likely to emphasize that the attack used technology stolen from the NSA, and Prime Minister Theresa May’s government in Britain is already under attack from the opposition Labour Party for supposed unpreparedness for the strike on the NHS. The extent to which this new notoriety will translate into effective policy remains to be seen. But governments and other actors are officially on notice — after Friday, they will not be able to claim that ransomware caught them by surprise.