Ransom scare by Damien Behan, Brodies
This article was originally featured as an opinion piece in the July 2017 issue of Briefing.
Malware – malicious software that causes problems on your computer – is nothing new. Viruses have been infecting computers for almost as long as they have existed. However, while we’ve seen exponential technological progress in recent decades, the murky world of malware has similarly evolved from an annoyance into a lucrative industry. Ransomware is the latest – and the most prolific – incarnation, which has allowed organised criminal gangs to monetise malware, and is now a major concern for organisations.
So how and why did the recent WannaCry variant of this attack turn backroom IT into front-page news?
As the name suggests, ransomware holds the data on your computer hostage by encrypting photos, documents and emails, then demanding money to decrypt them. The financial transaction is kept private and untraceable through use of the digital currency Bitcoin. So, from the cybercriminal’s perspective, it’s a no-brainer. It’s potentially lucrative, there’s little risk of being caught, it’s easy to spread (generally via phishing emails) – and it’s difficult to detect.
On a Friday in May 2017, reports emerged of businesses across the globe being hit by WannaCry ransomware. What was unique about this attack wasn’t only the widespread nature of the infection, but also the type and origin of the vulnerability it exploited. Rather than spreading by email links or attachments, it targeted open external ports and then silently infected machines across the network via a vulnerability in Windows. In fact, Microsoft had issued a security patch – a software update to fix it – as recently as March, but infections came to light in May. Therein lies the crux of the problem: those that had patched their computers were protected, while those that hadn’t patched hit the headlines – in particular, parts of the NHS.
So, why didn’t everyone just apply the patch in March? Patching is a time-consuming activity, and it has to be done on a monthly basis as new vulnerabilities are identified and fixed. For an IT team that’s already stretched, that means it can be bottom of the list – and if investment in IT security isn’t prioritised, it’s seen as admin you can let slip.
Ironically, WannaCry will help cybersecurity – in that, if it wasn’t already, it has now become a board-level concern. It demonstrated that security breaches can interrupt your business – or your hospital – and that those seemingly boring backroom tasks are actually the front line in breach prevention.
Cybersecurity is an intangible, a bit like insurance: you don’t see the value of it until you have a problem. That can make it a hard sell to boards in times of uncertainty, but the legacy of WannaCry may just be to show that those with responsibility for security aren’t crying wolf. They’re trying to avoid real future tears.