President Donald Trump's "cyber czar" said Monday he was surprised that the recent WannaCry global ransomware attack had not compromised federal government computer systems. Photo: Reuters

By now, you've probably read about WannaCry, the ransomware that has caused cyberattacks around the world and might be orchestrated by hackers in North Korea.

But what exactly is it and who is at risk? Metro spoke with two experts from cybersecurity companies: Jack Danahy, CTO of Barkly, and Amit Serper, the principal security researcher of Cybereason.

What is ransomware?

“The most common forms of ransomware take advantage of a user executing a code or visiting a website, which will encrypt a variety of different kinds of content important to that user,” Danahy said. “Having done that, it throws up a screen that says, ‘If you ever want to see this data again, send me money.’”

The data that is literally being held for ransom can be any file from text documents to photos. If you don’t pay by the designated time — usually in Bitcoin, which is an anonymous currency — the data is deleted. Some versions also "dox" the affected user, Danahy said, meaning the data is released to the public if the ransom isn’t paid.

“It’s a really profitable industry for criminals now because, number one, it’s very easy to do … it can spread around really broadly … and because they’re using Bitcoin, the payoff is anonymous, so it’s very hard to find out who’s causing these things to happen,” Danahy said. “Simplicity, profitability and anonymity are the three legs for the perfect crime.”

What is WannaCry, and why is it so effective?

“What makes WannaCry different and why it spreads so rapidly is that it takes advantage of a vulnerability in an earlier released version of Microsoft software,” Danahy said.

WannaCry uses an exploit (a sequence of commands that starts an attack) to take advantage of this vulnerable software. The exploit was released about two months ago by a group called Shadow Brokers, who said that they took this tool from the National Security Agency.

Along with functioning as ransomware, WannaCry goes a step further, experts said: an infected computer can reach other machines that have the same vulnerability and infect them in turn, which is what makes it spread so rapidly.

“Intelligence agencies can gain access to every computer they want — that arsenal tool was leaked,” Serper said. “The perpetrators used some of the tools that were leaked and basically just had the ability to run code on a lot of computers around the world,” and then used the ransomware to encrypt data from all of those systems.

Why was there a vulnerability in Microsoft, and what’s been done?

“Software in general is remarkably complicated; there are millions and millions of lines of code,” Danahy said. “Sometimes as humans, we make mistakes in the way in which we write the code.” That creates a bug, whether in the functionality of the software or in its security. Then the company issues a “patch” to fix those problems.

“Microsoft is very responsive in that way,” Danahy said. “As soon as a vulnerability was known, they fixed it and issued a patch, which is really an update for the code.”

Microsoft actually released a patch for this security vulnerability back in March. So why were so many people affected now?

Basically, “people are always ignoring security updates, or if it says you have to restart your computer, they say, ‘I’ll do it later,’” Serper said. “It’s very, very important, I can’t stress enough, to always keep your machine up to date.”

So people just didn’t update their computers?

Pretty much. WannaCry affected some systems that were still using Windows XP, an operating system from 2001. That means those computers haven’t been updated in years.

Microsoft actually doesn't even service XP anymore because it’s so outdated, Serper said, but in the wake of WannaCry, Microsoft had its engineers create a patch for Windows XP as well so those using that system can protect it from that vulnerability.

Danahy noted that it is difficult for places like hospitals to worry about replacing their computers and staying up to date when they’re still able to do their work on older machines and with older software. But as hard as it is for businesses to keep up, he said, it’s crucial for their protection.

Who is vulnerable and what do you do if you’re affected?

Anyone using Windows is vulnerable, experts said — Apple and Linux operating systems are not affected — and that really means anyone, from your home computer to entire hospitals or basically any company network (that uses Windows) around the world.

If you get the alert that you need to pay for your data back, Serper said that he highly recommends you don’t pay the ransom.

“In this specific case with WannaCry, other researchers have proven that if you pay the ransom, nothing happens,” he said. “A few engineers looked at the code and found that there’s no real way for [the hackers] to know that you’ve paid.”

With ransomware in general, whether or not to pay is always a company’s own complicated decision to make, Danahy said. If your business simply can’t go on without this data, that’s one thing, but if your employees wasted time that could have been spent doing work because they had to set up Bitcoin, it may not be worth it, he said.

Still, if you’re confronted with this, download the Microsoft patch, experts say.

I use Windows, but I wasn’t affected by this — am I still at risk?

You’re still vulnerable to new attacks, because ransomware is being modified all the time. Too many people think about what to do only when it first affects them, Danahy said, so if you came out unscathed this time, “learn from the pain of others.”

“Hopefully, the widespread reporting will open the eyes of people who maybe didn’t get mauled by it this time, so they can say, ‘What steps can I take to make it much less likely for me to get hit going forward?’” he said.

Serper echoed this, warning people to “always be prepared for the worst.” To be prepared, continuously back up your files and always update your computer software and any anti-virus protection.

If you can back up your files so you can recover your data in the most up-to-date way, there’s no need for you to pay money to get that data back.

You can also use technology alongside those steps, Danahy said, that does behavioral analysis to recognize attacks when they first start. Serper recommended Cybereason’s RansomFree, a free download that analyzes how programs and files are behaving on your machine to detect anything malicious and immediately stops it from encrypting files, he said.

And lastly, always be careful about what links you click on and what email attachments or downloads you open, because you want to make sure they come from a trusted source, experts note.

WannaCry is slowing down though, so is there still reason to worry?

In a word: Yes.

While the spread of WannaCry was slowed when a researcher in the United Kingdom accidentally tripped its “kill switch,” that fix can easily be circumvented by the hackers, Danahy said.

Even if you were only affected in a small way, that doesn’t mean you’re safe. For example, if only your photos were encrypted, that doesn’t mean your documents are protected; it just means you were lucky. Update your system to protect everything from encryption.

Plus, Danahy said, there could be more to come. Remember the exploit that made WannaCry so pervasive across so many different computers by taking advantage of the software’s vulnerability? “The people who released these exploits into the wild had gone silent for some time and just popped up again following WannaCry,” Danahy said. “We see that they’re now saying that they’re going to be selling new exploits starting in June.”

But if people learn from this experience, which infected more than 300,000 computers, experts say they can better protect themselves against the next attack. When new exploits come out and fewer people are affected because they updated their software and anti-virus systems, the cyberattack will have less overall impact.