WannaCry About Skipping Updates
Starting the end of last week, computer systems in over 70 countries across the globe were hit by virulent strain of malware going by the names Wanna Decryptor, Wcry, or Wanna Cry. Included in innumerable victims of this attack were many systems at the British National Health Service. The malware spread quickly through affected networks, encrypting all personal data and demanding a ransom in bitcoin equivalent to $300 per affected system.
Wcry spread further and wider than many similar ransomware attacks, because unlike others, it required no user interaction to spread. Wcry made use of a vulnerability in Microsoft's SMB file sharing protocol. This vulnerability was one of many in the NSA toolkit exposed by the Shadow Brokers earlier this year. The unfortunate thing about this vulnerability is that Microsoft patched it on all supported platforms back in March. The vast majority of systems hit by Wcry either hadn't been patched in months or worse, were running software that's end of life.
At CBOSS, we preach what we practice; vendor updates should be evaluated whenever they are released, and should be installed no more than 30 days from the release date, if possible. Furthermore, critical systems should always be on supported software versions. When this isn’t possible, businesses should consider avoiding connecting unsupported systems to their network or the internet. This can reduce their risk of infection, and prevent further spreading in the event a system is compromised.
The outbreak of Wcry has brought to light the cost of running out of date, or unsupported software. There are many reasons why software stays out of date. They range from concerns over compatibility and lost productivity to simple lack of time and the low perceived priority of the task. In a busy business world, it can seem like there’s no good time to devote to this kind of routine maintenance. The situation gets even more complicated when specialized systems, like those in industrial and healthcare settings, run obsolete software with no security updates available. There frequently seems to be a cost in both time and money with updates. But with the spread of Wcry, we see there’s cost to inaction also.
We don’t yet know the full effect that this malware will have on healthcare, telecommunications, and industry. But with critical systems brought to a halt in hospitals and telecoms, if the final cost is measured only in bitcoin, we can count ourselves lucky.