If the WannaCry malware were a child, you’d be calling social services. As it turns one however, nearly a third (29 percent) of computers globally are still running with the vulnerability it exploits unpatched. As birthday cakes go, that’s quite a feast.
Devon-based “hero” malware researcher Marcus Hutchins, who identified a “kill switch” to stop the attack, is meanwhile fighting a court battle in the US following his arrest by the FBI in Las Vegas last year over an unrelated malware allegation. (More below).
The malware, which triggered a massive global ransomware attack on Friday May 12 last year, crippled a wide range of sectors.
In England, the NHS was hit particularly hard, with 80 hospital trusts and 595 GP practices locked down.
Parliament’s Public Accounts Committee last month described it as “alarming” that a year on from WannaCry, plans to implement the lessons learned are still to be agreed.
Chairman Meg Hillier MP said: “Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”
The Committee has set a June deadline for update on costed plans to improve NHS cybersecurity.
The malware – the provenance of which remains contested – exploits a software vulnerability in Microsoft’s Windows operating system known as EternalBlue; that is also the name of the exploit the National Security Agency (NSA) developed to weaponise the bug, which was leaked to the public in April 2017 by the hacker group “the Shadow Brokers”.
WannaCry exploits a vulnerability in Windows Server Message Block (SMB), the protocol that allows Windows machines to share files and communicate with each other and with other devices.
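A defender-side check for the two conditions the worm relied on, added here as an example and not taken from the article or from any vendor quoted in it: whether a Windows host still accepts SMBv1, and whether one of the standalone MS17-010 updates that closed the bug is installed. The function name and the partial KB list are assumptions made for the example; Windows 10 receives the fix through cumulative updates that supersede those KBs, so an empty KB list there is a prompt to verify, not a verdict.

```powershell
# Added example (not from the article): inventory a Windows host for WannaCry exposure.
# Run from an elevated PowerShell on Windows 8.1 / Server 2012 R2 or newer;
# Get-SmbServerConfiguration does not exist on Windows 7.

function Get-WannaCryExposure {
    [CmdletBinding()]
    param()

    # Is the SMB server still willing to speak SMBv1, the dialect EternalBlue targets?
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMBv1 optional feature installed at all? Removing it is the cleanest fix.
    $smb1Feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1Installed = ($null -ne $smb1Feature) -and ($smb1Feature.State -eq 'Enabled')

    # Assumption: a deliberately partial list of the March 2017 MS17-010 packages for
    # Windows 7 / Server 2008 R2 and Windows 8.1 / Server 2012 R2 (security-only and
    # monthly rollup). Cumulative updates on Windows 10 supersede these, so "none
    # found" on Windows 10 means "check the build against Microsoft's bulletin".
    $ms17010Kbs   = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216'
    $installedKbs = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
                      Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SMB1Enabled        = $smb1Enabled
        SMB1FeaturePresent = $smb1Installed
        MS17010KbsFound    = ($installedKbs -join ',')
        # Exposed to the WannaCry propagation path only if SMBv1 is on AND no known fix is seen
        LikelyExposed      = $smb1Enabled -and ($installedKbs.Count -eq 0)
    }
}

Get-WannaCryExposure | Format-List

# Remediation a defender applies after reviewing the report. The first line takes
# effect immediately; removing the optional feature requires a reboot.
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

Run across a fleet (for example through `Invoke-Command` against a list of hosts) the report gives the kind of per-machine picture the country-level percentages in this article summarise; the SMB1 flags are the reliable signal, the KB match is only a hint.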
EternalBlue an Evergreen?
Security company Avast says it has blocked 176 million WannaCry attacks in 217 countries since the initial attack last year.
More strikingly, it told Computer Business Review it has to keep doing so as nearly one third (29 percent) of computers globally are still running with the EternalBlue vulnerability in place.
Here’s a snapshot of some of the great unpatched.
- Argentina: 40%
- Russia: 40%
- Indonesia: 39%
- Brazil: 37%
- Mexico: 30%
- France: 14%
- Great Britain: 14%
- Germany: 12%
- Japan: 11%
- USA: 10%
Jakub Kroustek, Threat Lab team lead at Avast, said: “In March this year alone we blocked 54 million attacks attempting to abuse EternalBlue. With 29% of Windows-based PCs globally still running EternalBlue, there’s clearly some lingering apathy towards patch management and software updates that needs to be resolved.”
Sandra Bell, Head of Resilience Consulting, Sungard Availability Services, added: “The irony here is that mitigating ransomware is actually quite straightforward. If you have backups, if your network is segmented, really all you have to do is wipe the infected computers and reimage them from backups. If you’re prepared, the recovery could take as little as 20 minutes.”
She added: “But if it’s so easy to recover from ransomware, why is it still such a problem? It comes down to human psychology. Ransoms rely on psychological manipulation that IT systems aren’t susceptible to (AI isn’t there just yet): The systems are the prisoner being held for money.
“The psychology of ransomware is complex, and the two main types — locker and crypto — use different tactics and are successful within different populations of people. It’s not just a case of getting your workforce to abide by security rules and keep their eyes open for dodgy ransom notes (this just helps prevent the data and system from becoming prisoners). You need to recognise a human’s unique psychological susceptibilities and design work practices that prevent individuals within your workforce from becoming attractive targets.”
Hero in Legal Hell
Devon-based malware researcher Marcus Hutchins identified a “kill switch” in WannaCry. His much-prized anonymity was stripped away under a relentless wave of media interest. A year on, things aren’t that rosy for the 23-year-old.
As he put it on Twitter this week:
Journalist contacted me asking to do a story on how my career has progressed in the year since I stopped WannaCry 🤔
Not sure they read the news much.
— Marcus Hutchins (@MalwareTechBlog) May 8, 2018
The 23-year-old remains in legal limbo following his arrest by the FBI after the DefCon security conference in Las Vegas last year. He has been charged on six counts relating to the creation of the malware that would eventually become the Kronos banking trojan.
He has denied the charges and remains in the US while he fights his case.
Prosecutors allege he created the banking trojan Kronos between 2014 and 2015, offered to sell it on an internet forum for $3,000 and, “on or about July 13, 2014”, posted a video “showing the functionality of the Kronos Banking trojan” to a publicly available website.
He has pleaded not guilty and faces a new hearing due next week.
His lawyers believe there’s evidence to prove Hutchins was coerced into his alleged confession. US prosecutors meanwhile say Hutchins made incriminating statements to FBI agents after his arrest and in two phone calls from jail.
A new hearing scheduled for May 16 will consider his lawyers’ motion challenging the admissibility of his post-arrest statement.
In a new filing made on May 9, Hutchins’ lawyers say that one of the FBI agents who interrogated the malware researcher altered the “advisement of rights” form used when he was arrested, five days after the arrest itself; adding – and then twice changing – the time the agents and the defendant allegedly signed the form.
“The integrity of the supposedly contemporaneous document that speaks to that significant issue is compromised”, they said.