WannaCry and the Dangers of Magical Thinking
The WannaCry ransomware attacks have dominated even mainstream news cycles over the past days. In this briefing, we will take a brief look at the facts surrounding them followed by analyzing why so many machines remained unpatched.
WannaCry is a ransomware created by hereto unknown attackers. While ransomware is more commonly distributed through fake downloads or spam emails, WannaCry uses the EternalBlue Exploit included in the alleged NSA leaks by the group self identifying as the “Shadow Brokers”. While the leaks began in late 2016, the exploit in question was made available on April 14th 2017.
The EternalBlue exploit allows attackers to take over vulnerable windows systems without any user interaction. If the worm makes it into a corporate network or other infrastructure, it can thus spread rapidly.
A large number of organizations, ranging from corporations to government offices to ticket vending systems for mass transportation were affected by the attacks in addition to an unknown number of private users. After infection, the malware encrypts the victim’s files and demands payment of a ransom to unlock them.
The Problem with Patches
Microsoft released a patch to fix the vulnerability abused by EternalBlue on March 14th 2016 - a month before the exploit was released and almost two months before the WannaCry ransomware attacks began. In theory, this should have prevented the attack. However the real world works differently.
Many home users do not regularly update their PCs. Without proper knowledge of IT, it is often seen as a mere nuisance. Using the word “update” further makes the process seem optional to many people. After all, while you have to perform “maintenance” on your car such as changing old tires and adding oil, you are not required to perform any updates such as adding a GPS or changing a working mirror. The gap between common language and IT terminology can thus lead inexperienced users to misunderstand the necessity of constant updates.
The issue becomes more complex in large organizations with managed IT infrastructure. Even in 2017, it is surprisingly difficult to enforce an organization-wide update of all PCs. Computers may be privately owned, incompatible, forgotten, or simply offline when the update is supposed to be applied, if a management system to do so remotely even exists. VDI (virtualized infrastructure) deployments can solve this problem and increase overall security but unfortunately often come with a hit to employee productivity and motivation.
Furthermore, organizations performing physical production such as printing or food processing often rely on multi-million dollar machines that may only be compatible with out-of-support operating systems such as Windows XP. Microsoft went as far as to make a patch for the retired Windows XP available a day after the attacks began, but by then a lot of spread had already happened.
While IT heavy organizations such as online businesses or companies dealing in information have developed active policies to secure and maintain IT systems, many regular organizations such as the machine-reliant examples above have not yet caught up to these changes. In companies with 20000 employees, IT departments of a dozen or less people are not uncommon. Instead of upgrade and maintenance cycles, computers get replaced when they break - and with a weak IT team, the end of support of an OS may not be recognized as “breakage” by management. In these environments, IT is treated as “Magic”. An expert sets it up and then it just works until it doesn’t, whereupon a new expert is called to make it work again. The underlying process is not of interest.
While this approach is slowly changing, we predict it to persist for at least the next half decade. And as long as magical thinking regarding IT exists, worms like WannaCry will continue to wreck havoc any time a remotely exploitable vulnerability in a major OS is discovered.
The only antidote is the slowly but steadily growing understanding among common employees, management and private users that IT systems require steady maintenance to remain secure.