Over the weekend, businesses and critical services like banks, hospitals, telecommunications services and transportation hubs around the world were hit with a cyber attack that locked users out of their own systems using a form of ransomware known as WannaCry. The potential loss of data may lead not only to devastating financial loss, but also a much more tangible, immediate loss: patients in need of critical care are reportedly being turned away from two hospitals in the United Kingdom as access to patient records and capacity to run tests or conduct emergency medical operations were cut off. The Cipher Brief spoke with Todd Rosenblum, the Senior Executive for National Security Programs and Strategy at IBM, about what the potential impact of these attacks is, who the potential culprits could be, and why they were so successful.
The Cipher Brief: How significant are these reports of ransomware attacks simultaneously hitting organizations around the world?
Todd Rosenblum: It is quite significant in its scale and scope, but not in its sophistication. The number of affected countries is over 100 now and will continue to grow. The potential destruction of vast amounts of data is devastating for both the public and private sectors. The permanent loss of bank transactions, medical histories, system safety records, etc., has far reaching implications for national security.
TCB: Can we expect a single group or individual to be behind all the attacks? Is it possible that the perpetrator was a nation-state such as Russia, or is this method more reserved for criminal groups?
TR: We do not know who is behind the attack. Most likely it is organized crime and/or a cluster of like-minded underground software specialists, but we cannot rule out a state actor role in the conspiracy. North Korea and Iran are believed to be behind attacks that destroyed vast data stores of private and semi-private sector companies in the past, such as Sony America and Saudi Aramco.
Russia and China are among the locations of the most loss, so it does not appear to be sponsored by either state. Ransomware has been around for some time and has no geographical or ideological boundary. It is a tool to make money by holding a person's or organization's data hostage until money is paid for its release. It is most often associated with criminal enterprises pursuing illicit profit.
TCB: There are reports that the hackers leveraged an alleged NSA tool, despite it being previously patched by Microsoft, found in the Shadow Brokers leaks from April. How were the attackers able to use this tool?
TR: The attack method is actually nothing new. These attackers, like so many before them, know most people and organizations do not move fast enough to update their software to close holes in their networks. Attackers also know most of us remain vulnerable to spear phishing attacks in which users inadvertently upload malware onto their computers. Perhaps the size and scale of this attack will increase awareness about computer hygiene. There are so many easy things all of us can do to reduce ransomware's rate of success.
TCB: If this did leverage an NSA tool, but one that has already been patched but simply not implemented by the targets, what does this incident mean for the discussion over government responsibility to disclose vulnerabilities?
TR: This is a tough issue. Our overseas intelligence collection apparatus relies on a wide array of tools to access information vital to our national security. Moreover, many U.S.-based companies are really multi-national companies with an operational presence in hard target locations. There are times that we must tilt toward preserving access to foreign intelligence information because of the nature of the information, its immediacy, and lack of other means to collect it.
Still, these determinations must be made on a case-by-case basis and weighed carefully against the strategic need to maintain cooperative ties with U.S. technology companies, recognition that harming the business reputation of the U.S. is bad for our economic vitality, and that unpatched vulnerabilities are bad for overall internet integrity.
TCB: What happens now? Is all of this data lost, or do you anticipate the majority of organizations will pay the ransom to release their data?
TR: Much of the data will be lost if the deadline passes for ransom without payment being made. The hope is that anti-ransomware warriors can develop tools to break the encryption keys associated with the attack faster than the perpetrators can modify the elements of the strike. All should maintain encrypted backup data stores and be vigilant about patching software and migrating to modern platforms still supported by industry leaders.