There’s no need for a breathless recap of the “ransomworm” that recently spread across the globe. WannaCry was the name given to this piece of malware, and it affected hundreds of thousands of devices across more than a hundred countries.
The interesting thing about this ransomware was that it was the first time in years that a strain of malware had exhibited successful “worm” functionality: it used a vulnerability in Windows, specifically in the SMB 1.0 (SMBv1) file-sharing protocol, to spread across networks over TCP port 445 without any user interaction. Worm-ability had fallen completely out of fashion among the malware community, but WannaCry brought it right back into vogue with a vengeance. Rather than rehash my thoughts on “the return of the worm,” I’ll link you to an earlier piece I wrote, WannaCry strikes—it’s Groundhog Day for IT security.
Perhaps the most interesting facet to note about the WannaCry outbreak is how prevalent it was within the British NHS, affecting as many as 70,000 devices in that organization alone. What was it that made the NHS so vulnerable to this particular malware?
In a word, legacy software. Whilst WannaCry’s scope was by no means limited to Windows XP, the March 2017 security update that closed the SMBv1 hole on supported Windows versions (MS17-010) was not initially released for Windows XP; Microsoft only published an XP patch once the outbreak was under way. (Whether organizations that paid for custom support on Windows XP received the patch earlier is not clear.) The NHS has a large number of devices still running XP, although the total number appears to be unknown. The NHS isn’t a single centralized unit; it is more a federated set of organizations covering everything from large NHS trusts right down to individual doctors’ surgeries, so conflicting statistics on its installed base are to be expected. Estimates put anywhere from 5% to 15% of endpoint devices still on Windows XP. This also doesn’t take into account the fact that many NHS units use Windows 7 but run older applications on farms of “VM Hosted Apps,” essentially large pools of Windows XP virtual machines that Windows 7 clients connect to simply to run remote applications. Given that the NHS employs over a million people (again, a number that is hard to pin down accurately due to the decentralized nature of the organization), you can see that there is potentially a huge swath of Windows XP devices still in use.
Windows XP went out of support in April 2014. It remains the longest-supported Windows operating system, having been maintained for almost thirteen years from its 2001 release, well beyond Microsoft’s usual ten-year lifecycle of five years mainstream plus five years extended support. Just prior to the “end of support” date, I wrote an article suggesting ways in which enterprises could secure any devices that needed, for whatever reason, to continue running XP. But we’re now three full years past that, and if the WannaCry attack has taught us anything, it’s that some enterprises have ultimately failed to follow any of the advice within that article.
The New York Times penned an opinion piece suggesting that Microsoft should make patches for vulnerabilities such as the one used by WannaCry available for unsupported operating systems. (The SMBv1 flaw in question was the target of an exploit code-named EternalBlue, allegedly developed and hoarded by the NSA and published by the Shadow Brokers group in April 2017.) In this case, Microsoft did just that, and without charge, killing rumours that it was interested in adopting a ransomware-like model of its own by demanding money for ad hoc patching of older OSes (and possibly opening itself up to criticism by encouraging intransigence amongst users of unsupported systems). However, to suggest that Microsoft should be bound by legislation to provide security patches for Windows XP in the future is a little disingenuous. If you owned a Ford Capri from the 1980s, would you honestly expect the Ford motor company to fit airbags to it for free?
In all seriousness, we really should have dealt with legacy software like Windows XP by now. Organizations like the NHS run complicated, mission-critical applications that literally mean the difference between life and death for people, but this is no excuse for being compromised in this way. The risk of a systemwide shutdown of a country’s medical infrastructure surely dwarfs the cost of remediating application incompatibilities with supported operating systems.
Even more damning is the fact that there are technological solutions that can take incompatible applications and run them containerized on Windows 10. Cloudhouse, Numecent and Turbo.net are three of the main ones I’ve personally used to deal with problematic applications and run them seamlessly on Windows 10. And it doesn’t suffice simply to stand up legacy infrastructure like Citrix XenApp 5 farms and run the applications remotely from there, because not only does that negatively impact the user experience, it simply moves the vulnerable legacy system from the user’s device onto a remote set of servers. Those servers still speak SMBv1 on port 445 to the rest of the estate, so the worm’s propagation path remains open. Even though there may be a reduction in risk, the shutdown of the core applications is still a distinct possibility.
Finally, it’s not just legacy software that resulted in the WannaCry outbreak, although it does appear to be responsible for the main part of it. Other, supported, operating systems were also affected, and this was because of a failure to patch systems in a timely manner. Nearly two months passed from the time the patch became available (MS17-010, released on 14 March 2017) to the outbreak on 12 May 2017, and in the modern world this should be more than enough for testing and deployment. Now, Microsoft should accept some culpability here; after all, it has abused the Windows Update system to push unwanted upgrades and telemetry rather than sticking to a specific channel for security updates. But there was more than enough time for enterprises to respond with either patch deployment or mitigation, such as disabling SMBv1 on servers and endpoints and blocking TCP port 445 between network segments and at the perimeter. There is a lot of inertia when it comes to dealing with security vulnerabilities such as these, and maybe this is the wake-up call that many enterprises need.
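As an added example (my own illustration, not code from the original article or from Microsoft), here is a PowerShell script that audits whether the SMBv1 server is enabled on a Windows host and, when run with -Remediate, turns it off using the methods Microsoft documents: the Set-SmbServerConfiguration cmdlet on Windows 8/Server 2012 and later, and the SMB1 registry value under LanmanServer\Parameters on Windows 7/Server 2008 R2, where the cmdlet does not exist. It assumes an elevated prompt and a supported OS; Windows XP has neither mechanism and has to be patched and isolated separately.

```powershell
# Added example, not from the original article. Audit SMBv1 on a Windows host and,
# with -Remediate, disable it. Run from an elevated PowerShell prompt.
# Assumptions: Windows 7/2008 R2 or later. On Windows 8/2012+ the
# Get-/Set-SmbServerConfiguration cmdlets exist; on Windows 7 the documented
# registry value is used instead. Windows XP is not handled here.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Returns $true when the SMBv1 server is enabled, $false when disabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the SMB1 value does not exist by default, and a
    # missing value means SMBv1 is ENABLED. Only an explicit 0 disables it.
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8.1/10: also remove the optional feature so the SMB1 driver is not
    # loaded at all. Ignored where the cmdlet or feature is absent.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Disable-Smb1Client {
    # Windows 7 / 2008 R2 client side, per Microsoft's documented sc.exe commands:
    # drop mrxsmb10 from the workstation service's dependencies and disable it.
    # Newer OSes remove the client with the SMB1Protocol feature above.
    if (-not (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

$before = Get-Smb1ServerState
Write-Host ("{0}: SMBv1 server enabled = {1}" -f $env:COMPUTERNAME, $before)

if ($Remediate -and $before) {
    Disable-Smb1Server
    Disable-Smb1Client
    $after = Get-Smb1ServerState
    Write-Host ("{0}: SMBv1 server enabled after remediation = {1} (reboot to complete)" -f `
        $env:COMPUTERNAME, $after)
}
```

The registry branch is the trap worth knowing: on Windows 7 the absence of the SMB1 value means SMBv1 is on, so an audit that only looks for a value of 1 will report a fleet as clean when it is not. Run the script across an estate with Invoke-Command against a list of hosts, collect the "enabled = True" lines, and treat every one as a WannaCry-reachable target until it has either been patched with MS17-010 or had SMBv1 removed and been rebooted.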
Securing your environment isn’t a technical fix. It isn’t a case of throwing money at it. It’s a mindset that needs to pervade the business from top to bottom. Let’s hope that we all take enough notice to ensure that WannaCry is going to be the last “ransomworm” we see.