Why WannaCry Ransomware Took Down So Many Businesses
SAN FRANCISCO — Not everyone was surprised when ransomware infected 300,000 machines in 150 countries.
The ransomware, called WannaCry, targeted businesses running outdated Windows machines. It leveraged an exploit — a tool designed to take advantage of a security hole — leaked in a batch of hacking tools believed to belong to the NSA.
Microsoft released a patch to fix the exploit in March. But here’s why the attack spread so rapidly: Many major firms like healthcare and telecom organizations are running “legacy software,” or old, outdated technology that no longer receives software updates.
Legacy tech is often found at big organizations, whose sheer size makes implementing new upgrades a costly and time-consuming task. But without the ability to receive security-focused software updates, those systems are left at risk.
“We’re looking at many decades of building complex systems — one on top of the other — with no effort to go back to fix what we did wrong along the way,” said Wendy Nather, principal security strategist at Duo Security, who has worked in security for 22 years.
The WannaCry infections were so bad that Microsoft, in a surprising move, released a patch to update old, unsupported Windows systems.
WannaCry has largely been mitigated, but there are still hackers using the same exploit to infect computers — showing not everyone is able to fix their systems quickly.
On Wednesday security firms Bitdefender and Proofpoint found hackers using the same exploit to spread cryptocurrency-mining malware called Adylkuzz. It secretly puts itself on computers and uses processing power to generate units of a digital currency called Monero.
Security experts have long warned about attacks on large numbers of unpatched systems, and while there’s a slow migration to newer systems, it’s not moving fast enough.
Unlike office furniture that can sit in a conference room for years without being touched, technology requires constant maintenance and upgrades. But, Nather said, there’s a prominent mindset that if the tech works just fine, there’s no real need to update it.
WannaCry was so effective because layers of outdated technology and improper security maintenance has accumulated over the years, according to Dan Tentler, CEO and cofounder of The Phobos Group.
Both hardware and software vendors often fail to account for future security flaws, and they sell firms expensive systems that eventually won’t be able to receive patches. As operating systems age, more potential viruses and malware are created to target them.
So if an employee accidentally infects one computer with something like WannaCry, it could take down an entire firm’s infrastructure.
For some enterprises, by the time they transition from legacy tech to modern systems, the “new” tech is already outdated. Businesses have to meet certain regulations and agreements with vendor partners — all of which can can take years.
While the federal government mostly avoided WannaCry infections, its processes highlight how hard it is for large organizations to modernize. The U.S. government still uses tech five decades old; it spends more than $60 billion on legacy technology, and just $20 billion on modernization efforts.
In fact, David Powner, director of IT at the Government Accountability Office, says some federal agencies pay programmers more to learn outdated languages, just to keep old systems functioning.
Though the WannaCry worm was one of the largest cyberattacks in history, it still might not be enough to shift everyone off old technology.
“Anytime something like this happens, we wonder if this will be the tipping point. It never happens, because there are compelling reasons to stay the way it is,” Nather said. “[To] overcome that, it’s going to have to be a critical mass of life-threatening situations with software, much more frequently.”