Friday, May 12th, the “WannaCry” network worm joined the ranks of Conficker and Code Red. It’s infected tens of thousands of systems worldwide, and climbing. Among those victimized were England’s National Health Service, automobile manufacturers, and government systems. The worm’s ominous red ransom screen, informing the user that all files have been encrypted, was found not only on users’ desktops, but also on ATM screens, parking meters, digital billboards, and industrial control systems interfaces.
College textbooks on computer security have a table of terms for malicious software, including “virus,” “worm,” “Trojan horse,” and (more recently) “ransomware.” Neatly-defined categories are useful when a professor wants to give a multiple-choice test, but the real world is no longer so well-defined. WannaCry combines the defining characteristics of both ransomware and worms.
The Dangerous Combination of Ransomware and Worms
A network worm is a type of malicious software that spreads from machine to machine, autonomously, typically using some common vulnerability. Worms that infect large numbers of hosts are not as common as other types of malware, since they require a reliable exploit for a widespread vulnerability that has a public attack surface. The recent Server Message Block (SMB) vulnerability in Microsoft Windows has readily available exploit code and, despite being patched by Microsoft in March, many organizations have not updated their systems with the fix. This gives WannaCry a target-rich environment in which to spread.
Most users and organizations are more familiar with ransomware than worms—in fact, many have first-hand experience. Combining the rapid and broad spread of a network worm with the damage and monetary demands of ransomware can make for a painful world-wide incident. In a post several months ago, I discussed the evolution of ransomware away from spreading mechanisms that rely on “tricking” the user, towards exploitation of IT infrastructure vulnerabilities.
Who is to blame?
The knee-jerk reaction of the security community is to point the finger at the victims: they should have already applied the patches that fix the SMB vulnerability. The patches have been available for a couple of months now. Still, some contend that this is not a realistic expectation. There are devices that cannot be patched easily by the end user (including medical devices and manufacturing equipment), and there is also software that must be tested extensively before being run on a modified operating system.
To Patch or Not to Patch
Should you patch? The answer to this seems obvious, but is more nuanced. When a security advisory is published, you should patch as many systems as you can, as soon as you can. The security industry’s advice to clients can’t end there, however.
You already know that patches occasionally cause as many problems as they fix: destabilizing systems and causing incompatibility with software and hardware. A balance has to be struck where the majority of systems—those running typical desktop software—get patched automatically and quickly, while testing is performed to determine if the patch is safe for the more mission-critical systems. A decision should be made for critical security advisories: is the risk presented by a new patch greater than the certainty of getting infected with something like WannaCry if the patch is not applied?
Implications of Not Patching
The decision not to patch a system, such as an old workstation connected to a medical imaging device, is not to be taken lightly. You might be forced to maintain a vulnerable software version by incompatibilities and lack of support by the vendor. That means you have to take further action to secure that system. Network segmentation and isolation are key elements of defending these systems. So implement firewalls and access controls that prevent other systems from communicating with these vulnerable devices unless they have an operational need to do so.
Future outbreaks of malicious software are likely to contain damaging and expensive ransomware payloads. Keeping up-to-date with operating system and software patches is important. When it’s not possible to patch, it’s your responsibility to implement security controls and intensive monitoring around the otherwise-vulnerable systems – or reap the consequences.
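The segmentation and monitoring just described can be checked mechanically. The following is an added example, not code from the original post: it reads simplified firewall log lines (a constructed format and constructed addresses, including the isolated segment and the SMB allowlist) and flags any SMB connection into the isolated segment from a host without an operational need, then looks for the one-source-many-targets fan-out a worm produces while hunting for victims.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed values: the isolated segment holding the unpatchable legacy hosts
# and the only machines with an operational need to reach them over SMB.
ISOLATED_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
SMB_ALLOWLIST = {ipaddress.ip_address("10.10.1.5")}  # e.g. the imaging archive server
SMB_PORTS = {139, 445}

# Simplified firewall log format assumed for this example.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)")

def check_line(line):
    """Return (src, dst, dport) if the line is an SMB connection into the
    isolated segment from a host that is not allowlisted, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not a connection record in the expected format
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dport not in SMB_PORTS or dst not in ISOLATED_SEGMENT:
        return None  # not SMB, or not aimed at the protected segment
    if src in SMB_ALLOWLIST:
        return None  # expected traffic from a host with an operational need
    return (str(src), str(dst), dport)

def scan(lines):
    """All policy violations found in an iterable of log lines."""
    return [hit for hit in map(check_line, lines) if hit is not None]

def spreading_sources(hits, threshold=2):
    """Sources that reached `threshold` or more distinct isolated hosts over SMB:
    the fan-out a network worm produces while looking for new victims."""
    targets = defaultdict(set)
    for src, dst, _ in hits:
        targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "May 12 10:01:02 fw kernel: src=10.10.1.5 dst=10.50.0.7 proto=tcp dport=445",
    "May 12 10:01:09 fw kernel: src=10.20.3.44 dst=10.50.0.7 proto=tcp dport=445",
    "May 12 10:01:11 fw kernel: src=10.20.3.44 dst=10.50.0.9 proto=tcp dport=139",
    "May 12 10:01:15 fw kernel: src=10.20.3.44 dst=10.60.0.2 proto=tcp dport=445",
    "May 12 10:01:20 fw kernel: src=10.20.3.44 dst=10.50.0.7 proto=tcp dport=80",
]
```

On the sample log only the two connections from 10.20.3.44 into 10.50.0.0/24 on ports 445 and 139 are flagged, and that host is reported as fanning out across the segment; the allowlisted server, the connection to another segment and the port 80 record are ignored.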