What is really new about the massive Wannacry ransomware attack? And how does it compare to previous attacks?
On closer inspection, the media frenzy seems overrated. True, this is the first time since 2008 and the Conficker worm that we have a wormable exploit that propagates automatically within a local network (no user interaction is needed; the Windows PC only needs to be connected to a LAN where the worm is active). However, when comparing Conficker and Wannacry, here are some less obvious facts:
- Conficker made its appearance in November 2008, and the second major variant, Conficker.B, was so successful that it infected millions of computers worldwide in just 24 hours, which makes it far more powerful than the spread of Wannacry (estimated at 200,000 in the first 24 hours);
- some estimates talk about 15 million PCs infected by Conficker at the height of the epidemic, indicating that Wannacry has a long way to go if it wants to dethrone Conficker;
- even today, Conficker seems to be active on some 400,000 computers worldwide, again more than the current state with Wannacry;
- our experience shows that many organizations in the region have some active instances of Conficker happily scanning the LAN, and that’s almost a decade since the appearance of the worm!
So the whole Wannacry story is not something never seen before or without precedent, especially if you take into account that back in 2008 there were far fewer Windows computers available for infection than there are today.
Nor is the spreading mechanism much different from 2008: it is again basically the SMB protocol as transport, and the same service running on every Windows machine.
But the world has changed a lot since that last massive epidemic almost a decade ago. Here are some novelties:
- compared to Conficker, Wannacry brings a much more immediate threat of data destruction based on the ransomware business (criminal) model. Hence much more public anxiety and consequently more media coverage;
- the profit motive and a much quicker “time to value” make ransomware authors much more innovative and adaptable to threat defenses;
- a much larger dependence on IT than was the case in 2008: the proliferation of public web services, both state and privately run, together with the billions of smartphones and IoT devices, makes our society much more sensitive to downtime and disruptions caused by malware;
- consequently, there is much more attention from public institutions and state-run agencies, which have taken a more active role in the media and taken an interest in more regulation (for better or worse);
- contrary to popular wisdom, the security of the Windows operating system has actually got better (many have forgotten the naivety of Windows 2000/XP engineering and the huge vulnerabilities back in the early 2000s). Microsoft has made lots of improvements in the Windows Update component, making updating a much more automatic experience than was the case before. Hence the much smaller impact of the Wannacry worm: it seems the epidemic is successful with legacy Windows systems, mostly in organisations where unpatched computers are the norm and the IT departments are inefficient and unprofessional;
- lastly, there is a new moment with vulnerability stockpiling by state-run agencies: the working exploit code for the vulnerability that enabled Wannacry to spread was actually hoarded by the NSA, as revealed by a recent leak (supposedly as a cyber weapon to be used against rivals). This has resulted in calls for collective action regulating the use of cyber weapons, similar to the Geneva Convention.
Things have improved since 2008: more systems are patched and the systems have certainly become more secure. The current Wannacry outbreak will certainly make people, both at Microsoft and beyond, think even more seriously about security and vulnerabilities, making automatic worms such as Wannacry rarer still.
However, the profit motive behind ransomware and society’s growing dependence on IT will make attackers increasingly innovative, making IT security an ongoing challenge.
Ultimately, the vulnerability is the user, the human factor: attackers are relying, and will rely ever more, on social engineering tactics. For that reason IT professionals and administrators should get better at preventively identifying risks within their organizations, configure antimalware systems properly (the devil is in the details!) and invest in the latest protection technologies such as sandboxing and machine learning.