How U.S. dodged a cyber bullet

Software updates, geography — and luck — saved the day

SAN FRANCISCO The massive WannaCry ransomware attack has hit hundreds of thousands of computers from Taiwan to the United Kingdom. Despite the global nature of the attack, few networks and companies in the United States appear to have been hit.

The reason, say cybersecurity analysts, is a combination of luck, geography and adherence to software updates, though the United States is by no means invulnerable to such attacks.

The attack encrypted all the files on an infected computer and demanded the equivalent of approximately $300 in bitcoin, an untraceable digital currency, to unlock a user’s data. It began Friday and quickly spread, infecting computers at Spanish phone company Telefonica, one-fifth of the hospitals in the United Kingdom — forcing some doctors to halt procedures or turn patients away — as well as automaker Renault and U.S. shipper FedEx. Over the weekend, it hit thousands of computers in Asia.

But fears it would bring companies to a standstill Monday morning weren’t realized.

“The good news is the infection rates have slowed over the weekend,” said U.S. Homeland Security adviser Tom Bossert in a news conference Monday. He said the attack affected more than 300,000 victims in 150 countries, but only a small number of U.S. parties fell victim. U.S. federal systems hadn’t been infected, he said.

The WannaCry ransomware takes advantage of flaws in unpatched copies of some versions of Windows, especially Windows XP. Users still running that operating system, which Microsoft stopped supporting three years ago, were vulnerable to an attack. Microsoft issued a patch to fix the vulnerability on March 14, but many systems did not install it.

Ransomware has existed since at least 2005, but this one is different, making the attack more worrisome.

Unlike typical ransomware hacks, which require an individual user to open an emailed attachment or click on an advertisement that contains malicious software, the WannaCry hack appears able to transmit itself without the user doing anything.

“WannaCry is the first one to completely automate,” said Craig Williams, a senior technical leader at Talos, the security research arm of tech company Cisco.

The ransomware spreads from network to network, using a vulnerability taken from cyber tools released in an online data dump by a group calling itself the Shadow Brokers. Some cyber analysts say the group stole the vulnerability from the National Security Agency.
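Because the article stresses that WannaCry moved from network to network without any user action, the question a defender asks is what that propagation looks like in ordinary connection logs: one internal host suddenly contacting many distinct peers on the same service port in a short window. The Python below is an added example, not code from the article, USA Today or any vendor named here. It assumes a constructed flow-log format (timestamp, source, destination, destination port), uses a constructed sample log, and picks TCP 445 as the service port and a 60-second window with a threshold of 10 distinct peers; none of those values are stated in the article and a real deployment would tune them to its own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real data, not from the article).
# Format per line: "<ISO timestamp> <src ip> <dst ip> <dst port>"
# 10.0.1.20 fans out to 12 distinct hosts on port 445 within ~22 seconds,
# 10.0.1.30 touches two file servers minutes apart (normal use),
# 10.0.1.40 talks to a few web servers on port 80 (irrelevant port).
SAMPLE_LOG = """\
2017-05-12T08:00:01 10.0.1.20 10.0.1.101 445
2017-05-12T08:00:03 10.0.1.20 10.0.1.102 445
2017-05-12T08:00:05 10.0.1.30 10.0.1.5 445
2017-05-12T08:00:05 10.0.1.20 10.0.1.103 445
2017-05-12T08:00:07 10.0.1.20 10.0.1.104 445
2017-05-12T08:00:09 10.0.1.20 10.0.1.105 445
2017-05-12T08:00:10 10.0.1.40 10.0.1.7 80
2017-05-12T08:00:11 10.0.1.20 10.0.1.106 445
2017-05-12T08:00:13 10.0.1.20 10.0.1.107 445
2017-05-12T08:00:15 10.0.1.20 10.0.1.108 445
2017-05-12T08:00:17 10.0.1.20 10.0.1.109 445
2017-05-12T08:00:19 10.0.1.20 10.0.1.110 445
2017-05-12T08:00:20 10.0.1.40 10.0.1.8 80
2017-05-12T08:00:21 10.0.1.20 10.0.1.111 445
2017-05-12T08:00:23 10.0.1.20 10.0.1.112 445
2017-05-12T08:05:00 10.0.1.30 10.0.1.6 445
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    events.sort(key=lambda e: e[0])
    return events


def find_fanout(events, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak distinct destinations} for every source that reached
    at least `threshold` distinct destinations on `port` inside any sliding
    window of length `window`. Port, window and threshold are assumptions."""
    per_src = defaultdict(list)
    for ts, src, dst, p in events:
        if p == port:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, conns in per_src.items():
        # Sliding window over this source's connections (already time-sorted).
        counts = defaultdict(int)   # distinct destinations currently in window
        left = 0
        peak = 0
        for right, (ts, dst) in enumerate(conns):
            counts[dst] += 1
            # Drop connections that fell out of the window.
            while ts - conns[left][0] > window:
                old_dst = conns[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def analyze_log(text, **kwargs):
    """Convenience wrapper: parse the log and report fan-out sources."""
    return find_fanout(parse_log(text), **kwargs)


if __name__ == "__main__":
    for src, n in analyze_log(SAMPLE_LOG).items():
        print(f"possible worm-like spread: {src} reached {n} hosts on 445 within 60s")
```

Only the host that scanned a dozen peers is reported; the user who opened two file shares five minutes apart and the web traffic on another port stay quiet. The sliding window matters: a plain per-day count of distinct destinations would flag ordinary administrators and backup servers, while the same count inside a minute is what a self-propagating worm produces.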

Asked in a news conference Monday whether the code had indeed originally come from the NSA, Bossert said it “was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states.”

He did not address the issue of whether the original exploitable flaw the ransomware was based on came from NSA cyber tools.

The swift-moving spread of the malware over the weekend prompted some to fear a second wave of locked machines and halted systems Monday. Adding to those fears: Security analysts said unblocked variants of the original malware were attacking.

While the initial version of the ransomware was disabled within about seven hours, at least 469 copycat variations have been released since Monday, according to Andreas Marx with AV-Test, a Germany-based security testing company.

The United States may have dodged the attack because companies keep software updated, pressured by the threat of lawsuits.

“We’re more litigious, companies know there will be consequences if they’re not adequately protected,” said Ed Stroz, co-founder of Stroz Friedberg, a New York City-based digital risk management firm.


Elizabeth Weise and Mike Snider @eweise, @MikeSnider USA TODAY 05/16/2017

The best way to protect your networks is to have properly trained IT security pros on your team. Learn how to protect your LAN and WAN and important corporate information with Certified Ethical Hacking (CEH), Computer Forensics (CHFI), Security Analyst (ECSA), and Cisco Security courses.

CED Solutions is a Cisco Learning Partner, Microsoft Gold Learning Partner and the #1 location for Microsoft Certifications in North America for the last 6 years combined. CED Solutions is a CompTIA Partner, EC Council Partner, and many others and is one of the largest providers of training in North America. The Atlanta facility provides IT training for up to 200 students per day, with separate buildings dedicated to training. CED Solutions provides training to thousands of students per year, and students take hundreds of certification exams every two weeks.
