The Mercury

It will happen again – and next time it is likely to be worse

- Julio Hernandez-Castro

The WCrypt ransomware has affected an estimated 200 000 computers across the world and continues to do so. It has so far made around 26.11 bitcoins for the criminals behind it, which at the current bitcoin value is approximately $44 900 (R595 000). This is bound to increase over the next three to six days.

There are many interesting features in this WCrypt ransomware that are relatively novel or that we have never seen before. For starters, you don’t need to click on a suspicious link or open an e-mail attachment to get your files encrypted and held to ransom.

It uses a vulnerability, with a patch available since March 14, that allows Windows machines to infect and get infected via SMB, the protocol used to share folders and files, print, and so on.

It also has other worm-like features that allow it to attack not only local computers but those situated in other networks or countries.

WCrypt is unique in multiple ways. For example, we were used to ransomware campaigns being launched against a given company, or sector, or even country.

This had many advantages for the cyber criminals: typically only one law enforcement agency would be called, the campaign would keep a low profile, the resources devoted to the investigation and attribution would be limited, and the chances of the ransom being paid were quite high, as institutions could sometimes get out without any reputation damage.

WCrypt has gone nuclear in this respect, attracting the attention of many law enforcement agencies and industries and making them collaborate and co-ordinate in a previously unseen fashion.

It seems the cyber criminals made some suboptimal design and coding choices. First, the ransom they request is probably too small.

The very famous “kill switch” that has helped to slow down the spread of the malware is probably a primitive self-defence technique.

It seems the authors did not realise this feature could be used to stop the malware from infecting more systems.

This is only temporary good news, as it is very easy for the criminals to correct this weakness and launch a campaign without the kill switch.

Apart from the authors, cyber criminals can take the malware code and create copycats without this feature, to continue targeting more systems across the world.

There is an important lesson to be extracted from this. The National Health System (NHS) is critical for the UK’s well-being, and it should be protected adequately.

Attacks are likely to get worse in future, so we need proper IT resources, better security and a back-up policy that guarantees that when the worst happens, trusts will be able to get back on track soon afterwards to continue saving lives.

Many critical institutions and infrastructures such as hospitals, firefighters, the police and so on don’t have enough resources to devote to cyber security. It will happen again, and it will be worse. The binaries of the ransomware are for all to study, modify and use. Creating it isn’t technically challenging.

There will be copycats with similar capabilities and different features. That is why it is important to patch your Windows systems, disable SMB and implement a back-up solution that will guarantee recovery in case of catastrophic damage in hours – not weeks or months.

Julio Hernandez-Castro is senior lecturer in computer security at the School of Computing, University of Kent. – The Independent

PICTURE: AP A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, on a laptop in Beijing, at the weekend.
