If history is any indication, all you need to unleash a memorable and highly debilitating cyberattack is some government hacking tools, an unpatched system, and some devious North Korean operatives. And in the case of WannaCry Ransomware, which did precisely that, it is possible to effectively paralyze one of the most vital industries in the nation—namely, healthcare. And unfortunately for the healthcare sector, they were (and still are to some extent) one of the non-secure digital environments in the nation.
Essentially putting the word “ransomware” on the map, the black hat campaign now infamous known as WannaCry expanded its abilities through knowledge of past threats, creating a more sophisticated attack lovingly dubbed “crypto worm,” which sounds as nasty as it is. As a particularly destructive malware derivative, it first came on the global radar in 2013 under the moniker CryptoLocker, where it set the tone for upcoming attacks by restricting access to infected computers and holding their data for ransom—that is until a hefty sum was paid in untraceable bitcoin. As the first major player on the world’s stage of ransomware threats, it taught WannaCry a few key tricks.
A New Breed of Malware Is Born
CryptoLocker’s mission was simple—to encrypt a user’s files without permission and extort money from the enterprise. But what made the whole event so mind boggling was not the ransom amount or the malicious intent, it was simply that no one had ever seen a data breach quite like it in scope and size. And once executives realized the severity of the situation—that they may never regain control of certain highly valuable files—they quickly became desperate to beat it.
So, when WannaCry appeared on the scene in 2017, it had much of the same look and feel as CryptoLocker, yet it’s goal was a lot more malicious. Instead of taking business-related data hostage, this new worm turned its attention to accessing the sensitive information of medical patients in the U.Ss, which we all know is often vital to the care people receive, the medicine they need, and a medical institution’s ability to provide proper care. When thinking about it this way, it’s easy to see why the new form of ransomware was nicknamed WannaCry—because it created a lot of fear and panic for both medical providers and their patients.
WannaCry Shows Its True Colors
This memorable WannaCry Ransomware attack in May of 2017 infected more than 230,000 computers across 150 countries and incurred damages in the billions of dollars. It targeted computers running the Microsoft Windows OS and spread itself through an older Windows exploit named EternalBlue, which was initially developed by the infamous hacking group known as “The Shadow Brokers.” As a self-spreading network worm, WannaCry used a transport code to scan for vulnerable systems, then employed the EternalBlue exploit to gain access and plant a backdoor tool first developed by the NSA called DoublePulsar. And let’s not forget—if the NSA had shared their knowledge of this vulnerability with Microsoft instead of hiding it for their own self-promotion, this healthcare nightmare could have been avoided altogether.
WannaCry swept the globe, virtually shutting down dozens of regional health authorities, including the National Health Service of the U.K. At the same time, WannaCry was also affecting other unrelated entities like the telephone service, the railway system, car manufacturers, some universities, and the Russian Interior Ministry. As of summer, 2017, there were still two large, multi-state hospitals being negatively impacted in the U.S., as doctors were continually restricted from accessing the files of their own patients.
This blocking of health files was not just a hassle—it actually forced the closure of several emergency rooms and limited the amount of resources available to genuinely sick and dying individuals. And because some expensive hardware, such as MRI scanners, could not have their systems immediately updated, these valuable devices were isolated from the main network and rendered useless. And while hackers are not know for their compassion, targeting victims with cancer and other terrible diseases, who depend on patient databases to get the medication and treatment they need, established a new low point in the world of internet crime. And even though WannaCry only managed to bring in a measly 31 bitcoin, equaling $55,000 in ransom money, it stands as a warning to anyone who scoffs at the power of digital malfescience.
WannaCry Could Have Been Prevented
The purpose of WannaCry ransomware was not nearly as exciting as the exploit itself. Like most digital breaches, it could have been prevented altogether through effective use of certain software patches. In fact, Microsoft hadf released such a patch right before the WannCry exploit, although the organizations most affected had failed to apply them or were using an older Windows system with limited shelf life. Healthcare organizations were particularly vulnerable because their overall awareness about email authentication has lingered in the dark ages. And WannaCry brought this reality to the nation’s attention—that the healthcare industry was in dire need of better cybersecurity, including system hardening and better infrastructure. But the given their current state of negligence, the question lingers about whether they actually learned their lesson.
Although investigators first assumed WannaCry had arrived in the form of a phishing attack, it soon became clear they were only dealing with a network worm. Essentially, the breach was a three-pronged assault, first starting with a remote code execution which allowed the malware to gain advanced user privileges. From there, the payload was unpacked and executed. Once computers were compromised, documents were encrypted and ransom notes displayed. Once defined, the worm generated random IP addresses that allowed malicious SMB packets to be sent to the remote host, thereby spreading itself.
There were three key factors that contributed the stealth of WannaCry:
- Upon infection, certain code allowed the virus to move across networks without any need for human response or action. No suspicious links were necessary.
- The breach took advantage of a vulnerability in the OS that many organizations had not patched against, essentially moving past the first line of security without a second thought.
- Organizations using legacy versions of Windows XP did not have existing support from Microsoft, as they had discontinued their patches for older systems. In light of this attack, Microsoft began protecting these outdated systems as well—but at an extra cost.
Did We Learn Our Lesson?
All ransomed files were eventually recovered from the WannaCry attack, and patient information along with treatment data was reinstated. But to solve this data disaster, many updates were necessary, and the OS and all critical applications had to be re-installed. And fortunately, when Microsoft released its emergency patches, a kill switch was discovered that prevented infected computers from spreading WannaCry further. It was at this point that security experts from the U.S., the U.K., and Australia traced the initial attack worm to agencies in North Korea.
These same digital experts now recommend all cybersecurity executives protect from future ransomware attacks by ensuring their organizations have proper email authentication, as it only takes one click to bring about disaster for an entire industry. The WannaCry breach should be a wake-up call for all online entities to lock their front door by redoubling their security efforts, hardening their systems, and implementing best practices. All IT departments should install scanning software that blocks any suspected files.
Don’t Wanna Cry? Remember This:
Backup your critical files to avoid disruption. If you don’t WannaCry will likely be called “Ocean of Tears” in the future. And if healthcare is the victim once again, it may also spell the end for certain unlucky patients. Here are some warning tips to remember:
- Conduct thorough black box penetration testing!
- Train users in system security!
- Educate would-be experts!
- Watch for mutations!
- Know your cloud storage capabilities!
At the end of the day, there is no silver bullet to protect against malware. But there is knowledge, information, and history—so don’t forget to use it.
Related Resources:
Ransomware Prevention Tips for Healthcare Industry
Fileless Ransomware- An Emerging Threat