Today’s big news (at least in the InfoSec world) is the aptly-named ‘WannaCry’ ransomware. Wired magazine has a pretty good overview of the situation. Based on one of the graphics in that article, although Britain is getting a significant share of the media’s attention, much of Europe is taking a pretty hard hit. (Current reporting is that the malware has appeared in 99 countries.)
The best way to avoid falling victim to this is to keep your systems current with vendor updates (Microsoft released a patch for this issue on March 14, 2017); but I know that some environments require testing before patches are applied to production. For those of you who, for whatever reason, aren’t able to apply the Microsoft patch, it appears that disabling or removing SMB 1.0 may provide at least a partial workaround for this issue. Microsoft has a TechNet page that outlines that process for most (if not all) of their “current” operating systems. (Please note that Microsoft does NOT recommend disabling or removing SMB 2 or SMB 3, since doing so can seriously compromise your system’s usability.)
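As an added illustration of that workaround (this is not the TechNet procedure itself, and not code from the post), here is a PowerShell session that checks the current state of the SMB server protocols, turns off only SMB 1.0, and verifies the result. It assumes an elevated prompt on Windows 8 / Server 2012 or later, where the `*-SmbServerConfiguration` cmdlets exist; the older registry method for Windows 7 / Server 2008 R2 is shown commented out.

```powershell
# Added example: check for, disable, and verify removal of SMB 1.0 only.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer.
# SMB 2 and SMB 3 are deliberately left untouched.

# 1. Record the starting state so the change can be audited afterwards.
$before = Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Write-Output "Before:"; $before

# 2. Turn off the SMB1 server-side protocol (takes effect without a reboot).
if ($before.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. On Windows 8.1 / 10, also uninstall the SMB1 optional feature so that the
#    client and server components are removed rather than merely switched off.
#    (-NoRestart defers the reboot to your own maintenance window.)
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 4. Windows 7 / Server 2008 R2 have none of the cmdlets above; there the
#    equivalent is a registry value under the LanmanServer service plus a reboot.
#    Shown for reference only; not executed by this script.
# Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
#     -Name SMB1 -Type DWORD -Value 0 -Force

# 5. Verify: EnableSMB1Protocol should now be False and EnableSMB2Protocol unchanged.
$after = Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Write-Output "After:"; $after
if ($after.EnableSMB1Protocol) {
    Write-Warning "SMB1 is still enabled; check that the session was elevated."
}
if ($after.EnableSMB2Protocol -ne $before.EnableSMB2Protocol) {
    Write-Warning "SMB2/3 setting changed unexpectedly; review before continuing."
}
```

Two caveats worth keeping in mind: Windows XP speaks only SMB 1.0, so this workaround does not apply to the XP machines discussed later in this post, and disabling SMB1 on a server will break access for any remaining SMB1-only clients (old NAS boxes, printers, XP hosts), which is exactly why the before/after check is worth keeping in a change record.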
And before someone states the obvious, yes, it’s true that “applying patches” is useless against zero-day vulnerabilities (which by definition have no patches), but that’s not the situation here. In either event, however, having current, tested backups can be the difference between remaining in business & trying to rebuild.
As you can imagine, people are already hard at work attempting to reverse-engineer this malware – for one of the earliest examples of that, you can take a look at Faisal Abdul Malik Qureshi’s blog entry.
Finally, I’d like to take just a moment to address the most-unbelievable part of this attack (at least to my eyes) – On September 29, 2016, VICE published an article that documented the fact that “Hospitals across England are running thousands of out-of-date Windows XP machines, potentially putting patient data and other sensitive information at risk.” And it’s not like they were unaware of the issue:
The Cabinet Office directed questions to the Department of Health, which said in an email that, "In April 2014, the Department of Health and the Cabinet Office wrote to all NHS Trusts stressing the urgent need for them to move away from using Windows XP, and offering transition funding. The National Data Guardian, Dame Fiona Caldicott, has made clear the need for health and care organisations to remove unsupported operating systems."
Based on the above quote, each of the NHS trusts had received instructions (“from the top” so to speak) to discontinue use of the Windows XP operating system. Those instructions were sent out in April 2014, the same month that Microsoft stopped supporting WinXP.
Apparently recognizing the fact that it’s often difficult to transition existing software to a new operating system:
Governments and businesses could pay Microsoft for a custom extended support deal; the Crown Commercial Service, which is sponsored by the Cabinet Office, spent £5.5 million ($9 million) to continue receiving updates for the public sector, including for the NHS. That agreement ended in April 2015 and was not renewed. (underlining is present in original text.)
So the NHS got an extra year to transition existing services to an operating system that would continue to receive security & other development efforts from Microsoft. (It’s also worth noting that Microsoft is quite public when it comes to “expiration dates” for their software; speaking from personal experience, one tends to encounter “reminders” from Microsoft when updating systems, etc.) And yet two years after that:
- Patients are being (at the very least) inconvenienced (there are apocryphal stories of chemotherapy patients being sent home because their records are inaccessible);
- Patient data is put at extreme risk;
- Medical professionals are reportedly using pen-and-paper to perform their work;
- and Britain’s NHS (as an organization) gets a very public “black eye”.
And those are just the costs that we know about.
At this point, the reader could be forgiven for thinking that my intent is to “pile on” & cast aspersions on the NHS. The truth is, I really understand a lot of the constraints that make upgrades difficult; I have my own painful memories of trying to “just make the d@mn thing work!” But this situation, as described, extends beyond any “benefit of the doubt” that I can reasonably justify. It’s one thing to run a restaurant or to sell shoes with known-vulnerable WinXP computers; it’s another thing entirely to allow them in hospitals, especially on such a wide scale. It may very well be that there’s something that I’m not considering as I write this, but if the information above is accurate, this is effectively dereliction of duty.
If I were a British citizen, I would probably be inclined to ask some hard questions of my local MP. And as an I.T. professional, I am crossing my fingers that perhaps this will serve as a cautionary tale for someone, & that a repeat of an extraordinarily-preventable tragedy can be avoided.