One of the world's largest-ever cyberattacks is making people "WannaCry" — which is also the given name of this most impressive bad actor. This new ransomware attack — also dubbed WannaCrypt, WanaCrypt0r 2.0 and Wanna Decryptor — has so far affected more than 250,000 computer systems in more than 150 countries across the globe, hampering public services, government, commercial businesses and health systems.
The attack is made possible through a vulnerability in unpatched, older versions of Microsoft Windows product lines, like Windows 8, Windows Server 2003 and Windows XP — which includes a good number of healthcare facilities still using the expired XP operating system. Once they're in, the hackers lock down a computer and threaten to delete all its data unless a ransom is paid.
WannaCry took down about 20 percent of the U.K.'s National Health Service on Friday. Because of the infection, hospitals, doctors' offices and other healthcare institutions in London and Northern England had to cancel nonurgent services and revert to backup procedures.
"Multiple emergency rooms around England spread word that patients should avoid coming in if possible. The situation doesn't appear to have resulted in any unauthorized access to patient data so far," Wired reports.
While the attacks and damages have mostly been reported outside the U.S., officials from the Trump administration directed the U.S. Department of Health and Human Services (HHS) to set up conference calls with providers to update facilities on the government's response throughout the weekend and on Monday, the latter of which had more than 2,500 participants.
HHS reports seeing more than 65 different variants of the ransomware. Like previous ransomware, the attack is spread by phishing emails, but also uses backdoors developed by the U.S. National Security Agency (NSA) to spread through a network that has not installed recent security updates to directly infect any exposed systems. The NSA backdoors were originally leaked to the public in the Edward Snowden materials.
The irony of this attack is that Microsoft issued a critical patch on March 14 — two months prior to the WannaCry outbreak — to remove the underlying vulnerability for supported systems, but many simply did not apply it. There were no patches for XP and Windows 8 because Microsoft had stopped supporting them, but the firm did issue emergency patches over the weekend to curb the attacks on those two outdated systems.
The demanded ransom for WannaCry is around $300 in Bitcoin within three days or $600 within seven days.
So, should you pay if affected? Avi Rubin, professor of computer science at The Johns Hopkins University and director of the school's Health and Medical Security Lab, addressed the issue on his blog.
"I do not think the ransom should be paid," Rubin wrote. "First and foremost, you are funding the bad guys and 'legitimizing' their approach from a business perspective. Second, there is no guarantee that the attackers will actually restore your files or that they won't demand more money the next day.
"My general philosophy is to take the immediate loss and figure out how to move forward without paying any ransom. The best way to deal with ransomware, obviously, is to avoid it in the first place. Keep meticulous backups on a regular schedule. For some ransomware, such as the one in the recent attack that locks people out of their systems rather than just encrypting file, backups may not be sufficient. Strong security is the best antidote to ransomware and other forms of attack.
"But at the end of the day, if you are faced with a 'should I pay' decision, you will have to weigh all the factors and make the best decision based on your circumstances."
What can hospitals do to recover from ransomware attacks? The top of the list should include developing a program that covers all of your data needs. Solutions Review says, "You must identify where your critical data is stored, determine your workflows and systems used to handle data, assess data risks, apply security controls and plan for evolving threats. If it is not protected, it cannot be recovered."
Also, employ backup and data recovery processes. Don't rely solely on snapshots or replica backup. Your backup process data could just as easily be encrypted and corrupted if it is not stored in a secure way where a ransomware attack cannot get to it.
Finally, educate employees on the dangers of ransomware and how to secure endpoints. Most breaches are from good people making simple mistakes
"Healthcare organizations are particularly vulnerable to these attacks because awareness about email authentication is still quite low in the sector as a whole," said ValiMail CEO Alexander Garcia-Tobar in an interview with CSO. "In order to protect the nation's healthcare infrastructure from future ransomware attacks, we encourage all security executives to ensure their organizations have proper email authentication at enforcement.
"It only takes a click from one person to endanger an entire enterprise."
