Friday, 19 May 2017

Schneier on Security

WannaCry Ransomware

Criminals go where the money is, and cybercriminals are no exception.

And right now, the money is in ransomware.

It's a simple scam. Encrypt the victim's hard drive, then extract a fee to decrypt it. The scammers can't charge too much, because they want the victim to pay rather than give up on the data. But they can charge individuals a few hundred dollars, and they can charge institutions like hospitals a few thousand. Do it at scale, and it's a profitable business.

And scale is how ransomware works. Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online -- and payable in untraceable bitcoin -- with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin. Customer service is important; people need to know they'll get their files back once they pay.

And they want you to pay. If they're lucky, they've encrypted your irreplaceable family photos, or the documents of a project you've been working on for weeks. Or maybe your company's accounts receivable files or your hospital's patient records. The more you need what they've stolen, the better.

The particular ransomware making headlines is called WannaCry, and it's infected some pretty serious organizations.

What can you do about it? Your first line of defense is to diligently install every security update as soon as it becomes available, and to migrate to systems that vendors still support. Microsoft issued a security patch that protects against WannaCry months before the ransomware started infecting systems; it only works against computers that haven't been patched. And many of the systems it infects are older computers, no longer normally supported by Microsoft -- though it did belatedly release a patch for those older systems. I know it's hard, but until companies are forced to maintain old systems, you're much safer upgrading.

This is easier advice for individuals than for organizations. You and I can pretty easily migrate to a new operating system, but organizations sometimes have custom software that breaks when they change OS versions or install updates. Many of the organizations hit by WannaCry had outdated systems for exactly these reasons. But as expensive and time-consuming as updating might be, the risks of not doing so are increasing.

Your second line of defense is good antivirus software. Sometimes ransomware tricks you into encrypting your own hard drive by clicking on a file attachment that you thought was benign. Antivirus software can often catch your mistake and prevent the malicious software from running. This isn't perfect, of course, but it's an important part of any defense.

Your third line of defense is to diligently back up your files. There are systems that do this automatically for your hard drive. You can invest in one of those. Or you can store your important data in the cloud. If your irreplaceable family photos are in a backup drive in your house, then the ransomware has that much less hold on you. If your e-mail and documents are in the cloud, then you can just reinstall the operating system and bypass the ransomware entirely. I know storing data in the cloud has its own privacy risks, but they may be less than the risks of losing everything to ransomware.

That takes care of your computers and smart phones, but what about everything else? We're deep into the age of the "Internet of things."

There are now computers in your household appliances. There are computers in your cars and in the airplanes you travel on. Computers run our traffic lights and our power grids. These are all vulnerable to ransomware. The Murai botnet exploited a vulnerability in internet-enabled devices like DVRs and webcams to launch a denial-of-service attack against a critical internet name server; next time it could just as easily disable the devices and demand payment to turn them back on.

Re-enabling a webcam will be cheap; re-enabling your car will cost more. And you don't want to know how vulnerable implanted medical devices are to these sorts of attacks.

Commercial solutions are coming, probably a convenient repackaging of the three lines of defense described above. But it'll be yet another security surcharge you'll be expected to pay because the computers and internet-of-things devices you buy are so insecure. Because there are currently no liabilities for lousy software and no regulations mandating secure software, the market rewards software that's fast and cheap at the expense of good. Until that changes, ransomware will continue to be a profitable line of criminal business.

This essay previously appeared in the New York Daily News.

Posted on May 19, 2017 at 6:10 AM • 18 Comments


Vicente Aceituno • May 19, 2017 6:29 AM

Bruce, I would argue Backup is first line. Having a copy of your data will protect you from the consequences of ransomware, and many other threats. Second line would be AV (which will protect you against many viruses, but not all), and the third would be patching, for viruses that AV can't catch....

Santa Claus • May 19, 2017 6:35 AM

wrong - first line of defense is don't click on attachments or links from anyone

Joachim • May 19, 2017 6:45 AM

It's mirai and not MURAI! :)

I'd say awareness first, backup second and protections such as anti virus third

PJWillie • May 19, 2017 6:47 AM

Backups of your data are fine but I have backups of my operating systems; that's why I use open source. If needed I can just erase the disc and reinstall my OS & data.

Steve B • May 19, 2017 7:12 AM

Cloud backups: if the contents of "my documents" is synchronised to a cloud supplier, if the files are then encrypted on my PC won't the synchronisation software simply copy the encrypted files up to the cloud?

Ben • May 19, 2017 7:12 AM

Backup is always first-line, because it's defence against everything, not just ransomware. Anti-virus doesn't fix a broken hard drive.

brian • May 19, 2017 7:16 AM

@PJWillie how is open source different than MSFT & Apple OS for backup of the OS? You can do the same on open source and non for backup of the OS.

Andrew • May 19, 2017 7:19 AM

True, the backup should be versioned, not synchronized.
If the malware encryption driver shows you the files "clean", you may overwrite the good files on synchronization, although they are encrypted.
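The sync-versus-versioned distinction raised by Steve B and Andrew, as an added in-memory illustration that is not code from the post or its commenters: a mirror-style sync faithfully copies the encrypted file over the only backup copy, while an append-only, hash-addressed store keeps the clean version and can re-verify its own contents. The file contents and the "encrypted" bytes are constructed stand-ins.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class SyncBackup:
    """Mirror-style sync: the copy always matches the source, so the latest write wins."""
    def __init__(self):
        self.copy = {}
    def sync(self, files):
        self.copy = dict(files)
    def restore(self, name):
        return self.copy.get(name)

class VersionedBackup:
    """Append-only store keyed by SHA-256: every content version survives later writes."""
    def __init__(self):
        self.blobs = {}    # sha256 -> bytes
        self.history = {}  # file name -> list of sha256 in snapshot order
    def snapshot(self, files):
        for name, data in files.items():
            digest = sha256(data)
            self.blobs.setdefault(digest, data)
            versions = self.history.setdefault(name, [])
            if not versions or versions[-1] != digest:
                versions.append(digest)
    def restore(self, name, version=-1):
        return self.blobs[self.history[name][version]]
    def verify(self):
        # Re-hash every stored blob against its key: a backup nobody checks is not a backup.
        return all(sha256(b) == d for d, b in self.blobs.items())

# Constructed sample data: a clean file, and the same path after being overwritten
# with ciphertext-like bytes (a stand-in for ransomware output, not real malware).
PATH = "photos/holiday.jpg"
CLEAN = {PATH: b"\xff\xd8\xff\xe0 JPEG holiday photo bytes (constructed)"}
ENCRYPTED = {PATH: bytes(range(37, 69))}

def run_scenario():
    sync, versioned = SyncBackup(), VersionedBackup()
    sync.sync(CLEAN)                 # backup before infection
    versioned.snapshot(CLEAN)
    sync.sync(ENCRYPTED)             # both run again after infection
    versioned.snapshot(ENCRYPTED)
    return {
        "sync_has_clean": sync.restore(PATH) == CLEAN[PATH],               # False
        "versioned_has_clean": versioned.restore(PATH, 0) == CLEAN[PATH],  # True
        "versions_kept": len(versioned.history[PATH]),                     # 2
        "backup_verified": versioned.verify(),                             # True
    }
```

Real versioned backup tools (snapshotting filesystems, object-storage versioning, deduplicating backup programs) apply the same idea on disk; the point here is that the store must be append-only from the client's point of view, or the malware's write reaches the backup too.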

Andrew • May 19, 2017 7:21 AM

I just realized that I might be wrong (or it may depend on the situation). If the malware detects copy on a USB stick, it may leave it encrypted or not...most likely encrypted.

Bruce Schneier • May 19, 2017 7:23 AM

I put backup as the last line of defense because it happens late in the process: it doesn't prevent, but allows for recovery. But I'm willing to accept arguments that I should have reordered the list.

And, yes, I should have added "don't click on strange attachments."

Garrett • May 19, 2017 7:24 AM

@Joachim I saw that too, but wasn't sure off the top of my head. Mirai is Forever in Japanese. Malware naming is funny - when I used to write some, it'd always get a name. Though it'd probably have a different one from software vendors as they usually pick a significant string from the disassembly (not that I ever released mine)

I think the /security/ model for your typical desktop should be different; it's not been adopted yet. Mostly speaking to Windows.

First, virtualize everything - app level is fine (see: sandboxie). Processes get their own storage spaces and are isolated to them. If they need more access, you can grant that. (Imagine a commdlg hook that created a OpenFile permit rule upon opening. Have a few advanced options that let you specify fusion and type of the grant (rw/ro). They can only communicate with certain hosts (based off of a security manifest). "Etc". So, executing a random .js file cannot nuke your entire /Users/ directory (unless you say yes to that liberal rw permission upon install or execution)

Attack surface area of drivers should be reduced; UMDF can help that. Get stuff like SMB and HTTP out of the kernel. Seriously, it doesn't need an RSS reader!!! The Service Accounts in 8+ is FINALLY getting rid of everything being LocalSystem.

Beyond that, ditch sig based virus detection. I think that a service that acts as an ETW logger, combined with a strong detection engine, could detect most 'funny business'.

Finally, a heuristic firewall at the edge of your network. Rules set up via a protocol similar to UPnP, except you have to permit it (nice little popup on your desktop, via broadcast notification.). Internet Access by default is bad, especially on any port, to any port, to any host! To make this easier to manage, multiple SSIDs, to make 'IoT'/'Guest'/'Internal' networks by default.

ygonzar • May 19, 2017 7:24 AM

Monitoring the filesystem activity could be considered another line of defense. It could be thought of as a very reactive solution, true. It also depends on the user understanding what the monitoring tool's annoying pop-ups are trying to convey. But maybe it is worth a look.
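One shape such a filesystem-activity monitor can take, as an added example that is not from the post or the commenter: it scores each write by Shannon entropy and alerts when a single process rewrites many distinct files with ciphertext-like content inside a short window. The thresholds, the event tuple format and the sample events are constructed assumptions; archivers and compressors also write high-entropy data, which is why the file-count and window thresholds, not entropy alone, drive the alert.

```python
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed output sits near 8.0
FILE_THRESHOLD = 5       # distinct files rewritten with such content ...
WINDOW_SECONDS = 10.0    # ... by one process within this many seconds

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class RewriteMonitor:
    """Alerts once per process that rewrites many files with high-entropy content quickly."""
    def __init__(self):
        self.recent = defaultdict(deque)  # pid -> deque of (timestamp, path)
        self.alerted = set()
        self.alerts = []                  # list of (pid, sorted file paths)

    def on_write(self, ts, pid, path, data):
        if pid in self.alerted or shannon_entropy(data) < ENTROPY_THRESHOLD:
            return None
        window = self.recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()             # drop writes older than the window
        files = sorted({p for _, p in window})
        if len(files) < FILE_THRESHOLD:
            return None
        self.alerted.add(pid)
        self.alerts.append((pid, files))
        return (pid, files)

# Constructed event stream: pid 100 edits two text documents (low entropy);
# pid 200 rewrites six photos with uniform bytes, standing in for ciphertext.
SAMPLE_EVENTS = [
    (0.0, 100, "/home/u/report.txt", b"Quarterly report draft, revision two. " * 8),
    (1.0, 100, "/home/u/notes.txt", b"Meeting notes for Friday, action items.\n" * 8),
] + [(2.0 + 0.4 * i, 200, f"/home/u/photos/img{i}.jpg", bytes(range(256)) * 2)
     for i in range(6)]

def run_monitor(events):
    monitor = RewriteMonitor()
    for ts, pid, path, data in events:
        monitor.on_write(ts, pid, path, data)
    return monitor.alerts
```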

Marc Espie • May 19, 2017 7:38 AM

I commented so on the HP keylogger, but I'll do it again, we need more openness!
Liability is fine, but basically, a lot of this can happen, because a lot of that shit is closed: closed processes, closed source.

This is *exactly* the same as cryptography. Good cryptography happens after peer review. But right now, you can't even review most of your electronics and computer software.

I'm not clamoring for fully open source. I have no problems with copyright law per se. But source code should be visible, and auditable by anyone. Likewise, audit trails for processes leading to creating software.

There are a lot of organizations in the opensource world that are fully open, including buildbots, test infrastructure, shipping infrastructure, so it is possible. I don't even think it costs more, because this saves some important costs later.

The conversion of existing codebases would be awfully costly, in many cases because there is no technical documentation, and a lot of stuff has been lost.

But once you make it mandatory for any new stuff, you'll be surprised at the amount of awful stuff companies can no longer do. If you're out in the open, you tend to publish less crappy code, because it becomes part of your reputation.

Dirk Praet • May 19, 2017 7:50 AM

... but organizations sometimes have custom software that breaks when they change OS versions or install updates. Many of the organizations hit by WannaCry had outdated systems for exactly these reasons.

Identification of such systems is an intrinsic part of the job description of whoever is in charge of asset and risk management. If there is no budget to upgrade such systems, a full report of the risks associated with not doing so not only should be presented to the board of directors (and signed off by them), but a mitigation strategy should also be put in place as an integral part of the company's disaster recovery plan (DRP) and business continuity planning (BCP), both of which need to be compliant (and successfully tested) with acceptable downtimes as previously set forth by department managers in a company-wide business impact analysis (BIA).

Whatever technical controls you have in place (backups, anti-virus etc.) will fail when disaster strikes if such controls are not part of a comprehensive IT strategy defined in appropriate policies and procedures corresponding to your company's specific risk profile. If you have no idea what I'm talking about, you're probably doing it wrong 8-)

Clive Robinson • May 19, 2017 7:53 AM

Regular backups are the main recovery mechanism.

But do people check them?

Generally no, and that's a real problem.

Aside from the usual faults (mechanical / software / electronic), there are other nasties awaiting you. Some years ago when data ransom was something manually done by disgruntled SysAdmins etc, I mentioned that backups were vulnerable to a malware attack where the backup software got modified to encrypt the backups and then "forget the key". I've not seen it happen yet, but it's the next logical step for attackers...

Vasili • May 19, 2017 7:54 AM

Regarding updates, MSFT did its best to repel users from this choice.

Last year they ran aggressive Windows 10 update campaign using WSUS channel.
From my experience, it repelled many non-IT users from running updates automatically.
Yes, this campaign is over, but guess how many users restored automatic updates - almost none.

Another thing, Windows Update implementation is plain awful.
At least on my laptop Windows Update database gets corrupted regularly and WSUS starts to eat a lot of CPU and battery.
So, what I do in this case - correct - I disable the WSUS service. Of course, I'll enable it someday when I find free time to fix the problem, but for at least a couple of weeks my laptop will stay not updated.

And, sometimes updates just fail to install with some cryptic error code.
In my case, this happened to April Security rollup update, which contained WannaCry fix.
There was no error message about this - just a line in Windows Update log.
Last Saturday when I checked whether my laptop was protected from WannaCry - it wasn't.
So, instead of enjoying weekend I was trying to download this fix from almost DDOSed MSFT web site.

With its update service, MSFT confirms the idea that the biggest trade secret of closed source software is the quality of its code.

Clive Robinson • May 9, 2017 8:07 AM

@ Bruce,

Whilst I might agree backups are the first step to recovery, the first step to defence is not patching / AV / etc.

No, the first step is asking why the systems are connected to a network in the first place. If you need a network connection, the second is to ask if the scope of the network is too broad, both in the machines connected and the types of data carried.

The simple fact is a small network with no external connections is not exactly an easy target for malware in the first place.

For some reason that has never been clear there is an assumption, firstly, that the Internet is a requirement for all users, and secondly that things like EMail should be "media rich". In most cases these are both false assumptions.

Jason • May 19, 2017 8:15 AM

"And you don't want to know how vulnerable implanted medical devices are to these sorts of attacks."

Yep- for example, your article just gave folks with pacemakers a heart attack. :D

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.
