The recent WannaCry ransomware outbreak was the major global cyber attack that security experts have been warning of for years. It wreaked havoc by encrypting data on an estimated 230,000 computers in 150 countries and demanding a $300 ransom paid in bitcoins to get the computer decrypted (which reportedly did not work in some cases).
If the ransom was not paid within three days, the amount doubled. Payments made to the bitcoin wallets used by the hackers indicate higher amounts, most likely to decrypt more than one computer. @actual_ransom—a Twitter bot that is watching the bitcoin wallets associated with WannaCry—indicates that, at the time of writing, about 337 payments had been made, equaling $134,859.54.
Britain’s National Health Service was crippled, canceling surgeries, chemotherapy and other medical necessities. Other major organizations hit included Federal Express, Spain’s Telefonica and Deutsche Bahn.
The malware uses a vulnerability in Windows’ operating systems that the National Security Agency (NSA) discovered more than five years ago. According to The Washington Post, the vulnerability was so serious the NSA recognized it could cause widespread harm if leaked. The NSA discussed internally whether to notify Microsoft so it could develop a patch for the vulnerability but decided against it to exploit the vulnerability for intelligence gathering purposes.
The malware was revealed in August when a hacking group called The Shadow Brokers disclosed an entire archive of NSA cyber offensive tools it had stolen. The NSA finally notified Microsoft, and a patch was issued in March. But the patch was made available for only those Microsoft operating systems that are “in support,” meaning those maintained by Microsoft with patches or upgrades issued to licensed users.
When the WannaCry ransomware hit on May 12, 2017, companies had only had two months to apply the patch to their systems. Patches are easier for individuals to apply than companies and governments, which have to test the impact on applications and systems before deploying patches in a production environment. It takes time, and at the end of two months, many companies had not yet deployed the patch on all of their systems.
Despite the severity of the vulnerability, Microsoft did not issue a patch for its Windows systems and servers that are still in use but “out of support,” such as the Windows XP operating system and Windows 2003 servers. According to recent reports, Windows XP is still running on millions of computers and is the third most popular operating system. An estimated 18% of organizations are using Windows 2003 servers in their IT environments. Around midnight the day of the attack, Microsoft finally issued a free patch for XP systems (Microsoft usually charges $1,000 per computer for an XP patch) and 2003 servers.
Now, more trouble has been set loose. Shortly after the WannaCry attack, a new variant of the malware, called EternalRocks, was released that contains six additional NSA exploits and targets Windows machines.
EternalRocks may be more dangerous than WannaCry. Researchers have determined that it installs a private networking software on the computer called TOR, which conceals Internet activity. TOR is used by the malware to respond to the controller of the malware and begin downloading and self-replicating on the infected computer. The danger is that EternalRocks currently appears to be in stealth mode and just infecting computers; what is unknown is what it will do when activated. It could exfiltrate data via TOR or take other malicious actions, such as corrupting or zeroing data.
So what does this have to do with IT budgets? Everything. Many organizations are not funded to:
- Fully staff a dedicated information security team
- Develop an enterprise security program consistent with best practices and standards (including robust incident response and business continuity and disaster recovery [BC/DR] plans)
- Keep software and hardware patched and within vendor support
- Replace old legacy applications that require out-of-support operating systems.
Almost every client we work with struggles to get enough money to implement and maintain a robust cyber-security program, and it doesn’t matter if they have revenues in the billions or low millions. The security teams are often small, consisting of only a few people, some whom are IT personnel with added responsibilities for cyber security. Many do not have security job descriptions or hold cyber-security certifications or degrees. They learn as they go, and their companies might not pay for training, certifications or fees to attend cyber-security conferences.
Organizations commonly have Windows XP and/or Windows 2003 servers in their production environments. Sometimes this is because old legacy applications (that businesses refuse to replace) often require the XP operating system, and other times it is because IT and security have not been given the budget they need to replace out-of-support equipment. So security teams hobble along as best they can, juggling priorities and trying to keep attackers at bay.
The lack of adequate IT and cyber-security funding also frequently results in poorly developed incident response and BC/DR plans. These two areas usually have the lowest scores in our cyber-risk assessments. This means companies are likely to have a chaotic incident response when a serious incident occurs and may not be able to fully restore data if erased, corrupted or encrypted.
Cyber-security professionals, by and large, are dedicated and want to build a strong cyber-security program. But executives must understand malware can readily find out-of-support equipment or software and exploit it.
All of these factors converge to create a global network of organizations with legacy apps, out-of-support equipment and systems, insufficient cyber-security expertise, and weak to mediocre security programs with gaps and deficiencies that help enable these attacks. The WannaCry malware just encrypted data; these other NSA exploits can leave the infected computer open to remote commands so it may be “weaponized” on demand or exfiltrate data.
We hear a lot about what needs to be done to curb cyber attacks: better information sharing, more government leadership and funding, improved assistance from law enforcement, and new laws and regulations. But we do not hear enough about organizations starving IT budgets to the point they contribute to the problem.
Agents, brokers and their clients are equally at risk of attack, and the first and best line of defense is a robust budget line for IT and cyber security. From my side, we need to do a better job of educating organizations on the costs associated with cyber attacks so they can be weighed against IT and cyber-security budget requests.
A complex forensic investigation can cost several million dollars, including business interruption costs, equipment replacement costs, remediation consulting costs, and regulatory and legal costs. That doesn’t even include potential reputation and brand damage.
In the end, the organization still had to upgrade equipment, address gaps and deficiencies, and improve its security posture—it just cost more. A dollar in time can stop cyber crime.
Westby is CEO of Global Cyber Risk. firstname.lastname@example.org