I'm a cyber security specialist. This is what I can tell you about the global malware attack – and how it will evolve

There are many interesting features in this ransomware that are relatively novel or that we have never seen before. For starters, you don’t need to do anything stupid to get infected

Julio Hernandez-Castro
Wednesday 17 May 2017 12:29 BST
Comments
'It will happen again, and next time it will be worse'
'It will happen again, and next time it will be worse' (EPA)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

The WCrypt ransomware has affected an estimated 200,000 computers across the world and continues to do so. It has so far made around 26.11 bitcoins for the criminals behind it, which at the current bitcoin value is approximately $44,900 (£34,800). Of course, these figures are bound to increase over the next three to six days.

There are many interesting features in this WCrypt ransomware that are relatively novel or that we have never seen before. For starters, you don’t need to do anything stupid to get infected. You don’t need to click on a suspicious link or open an email attachment to get your files encrypted and held to ransom. It uses a vulnerability, with a patch available since 14 March, that allows Windows machines to infect and get infected via SMB, the protocol used to share folders and files, print, and so on. It also has other worm-like features that allows it to attack not only local computers but those situated in other networks or countries.

Theresa May praises NHS staff in wake of cyber attack

WCrypt is unique in multiple ways. For example, in the past, we were used to ransomware campaigns being launched against a given company, or sector, or even country. This had many advantages for the cyber criminals: typically only one law enforcement agency will be called, they will keep a low profile, the resources devoted to the investigation and attribution will be limited, and the chances of the ransom paid quite high, as institutions could sometimes get out without any reputation damage. WCrypt has gone nuclear in this respect, attracting the unwanted attention of many law enforcement agencies and industry and making them collaborate and coordinate in previously unseen fashion.

It is early days yet, but it seems that the cyber criminals made some suboptimal design and coding choices. First, the amount of ransom that they request is probably too small.

Also, the by now very famous "kill switch" that has helped to slow down the spread of the malware is most probably a very primitive self-defence technique. It seems the authors did not realise this feature could be used to stop the malware from infecting more systems.

Of course this is only temporary good news as it is very easy for the criminals to correct this weaknesses and launch a new campaign without the kill switch. Apart from the authors, other cyber criminals can take the malware code and create copycats without this feature, to continue targeting more systems across the world.

So what have we learnt for the next time such an attack takes place?

Don’t pay

It’s not only the right, ethical, Kantian decision but the one that will reduce cyber criminals' profits and make it less likely that they will engage in similar attacks in the future. In addition to this, most law enforcement agencies and industry experts are fighting in unison against this malware, so I think there is a reasonable probability that they will catch the criminals and recover the keys or force them to give them away. Also, there is the possibility that they got the encryption wrong, as has happened many times in the past with other ransomware families.

The NHS needs protecting

There is an important lesson to be extracted from all this. The NHS is critical for the UK’s wellbeing and as such it should be protected adequately because otherwise these attacks will cost lives. Attacks will only get worse in the future, so we need proper IT resources, much better security and a backup policy that will guarantee that when the worst happens, trusts will be able to get back on track soon afterwards to continue saving our lives and those of our families and neighbours.

Many institutions, and unfortunately many critical institutions and infrastructures such as hospitals, firefighters, the police, and so on don't have enough resources to devote to cyber security. The Government should ensure this is done in a sensible and orderly manner.

It will happen again

And it will be worse. The binaries of the ransomware are there for all to study, modify and use. Creating it is not technically challenging. There will be copycats with similar capabilities and slightly different features.

That is why it is so important to patch your Windows systems, disable SMB and implement a proper backup solution that will guarantee recovery in case of catastrophic damage in hours – not weeks or months.

Julio Hernandez-Castro is senior lecturer in computer security at the School of Computing, University of Kent

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in