The message on the screen began with the jaunty, almost innocuous line “ooops, your files have been encrypted!” as if the user had made a silly mistake.
More likely it was the case that someone at or near the top of the organisation had made a serious error. They had been complacent about cybersecurity and they had been caught out.
The same message, soon familiar to more than 10,000 organisations in more than 150 countries, concluded with the down-to-business instruction “send $300 worth of bitcoin” in order for the magic decryption passwords to arrive. (Spoiler: they didn’t.)
This was a stick-up, and the gun was “weaponised malware” known as WannaCry – or Wcry, WannaCryptor, WanaCrypt0r, WannaCrypt, take your pick. Ransomware had been deployed globally on an unprecedented scale.
That was last Friday. Since then the world has been poised for follow-up cyberattacks, with experts warning that the perpetrators, plus any copycat attackers who fancied piling in, would unleash new variants, new strains.
Amid the sea of cybersecurity advice, the number one priority for every business was to do what many should have done before: deploy Microsoft's MS17-010 security update – a "patch" released in March for all operating systems that Microsoft still supports – as well as its critical security updates for the months of April and May.
"Patch and keep patching," says Barbara Bogdanescu, chief architect and product director for IT security firm Integrity360, which like every Irish cybersecurity firm worthy of the name has had a rather busy week. Patching, she adds, is the "preventative medicine".
Rattled
That the fears of last Sunday have been largely unrealised so far does not mean they have gone away. But to appreciate what has authorities worldwide so rattled, and why what happened is being described as a wake-up call for businesses and public institutions alike, it will help to understand the origins and nature of this WannaCry attack.
This cyberweapon was based on a US National Security Agency (NSA) hacking tool called EternalBlue, which it had been using for years. The tool exploited a flaw in Microsoft's software that Microsoft didn't know about until March, which was when the NSA decided to warn it. The NSA feared the tool had been stolen by a mysterious hacking group known as the Shadow Brokers, who had form in this regard.
A month later the Shadow Brokers leaked everything that even a novice hacker would need to repurpose EternalBlue for criminal use – in this case, turn it into a ransomware attack.
WannaCry’s spread was hastened by the addition to the tool of contagious “worm” functionality. This meant it could spread itself throughout networks without needing someone unsuspecting to click on an email link or attachment. But the unknown perpetrators were also criticised by experts for their “sloppy coding”. They made “amateur” mistakes such as leaving a “kill switch” to be found and not really thinking through how they would manage bitcoin payments.
“There is a lot of discussion in the security world about why what was a very good tool to start with was combined with bad ransomware,” says Bogdanescu. “If they had waited, and got it right, this could have been a lot worse. This was unfortunate for the hackers, fortunate for us.”
Sophisticated criminals
What might happen should more sophisticated criminals get their hands on the stolen tools that the Shadow Brokers are now threatening to release in a "wine of the month club" service? Nothing good. Microsoft president Brad Smith compared what has happened to "the US military having some of its Tomahawk missiles stolen".
There is one difference, says Dermot Williams, managing director of IT security firm Threatscape. "Once a missile is fired all you have left are bits of metal lying on the ground." In this case the leaked "exploits" can be reverse-engineered by anyone who finds them and used time and again.
Williams mentions the very real possibility of an imminent “zero day” attack. This is one in which “the bad guys” know about a vulnerability before anyone else. “Those are the scary ones. Normally we have a head start.”
But if one thing has been proved by the WannaCry attack it is this: head starts don’t save everybody. “Some companies can take months or years to get around to patching all of their systems,” says Williams. As a result, not every business and organisation had acted on Microsoft’s earlier security updates.
And then there were those budget-constrained organisations, including the UK’s National Health Service, who were running legacy operating systems, notably Windows XP, that Microsoft no longer supported and had, therefore, been left out of the critical March patch.
The WannaCry hackers deliberately targeted these weakest links. In response, Microsoft made the unusual move last weekend of releasing a patch for Windows XP and other unsupported systems.
But this doesn’t mean it will now proactively issue new patches for XP on an ongoing basis – indeed, if such a policy were to encourage organisations to continue using older, fundamentally less secure systems, doing so might be counter-productive.
Microsoft stopped supporting Windows XP in 2014. Why was it still in use today? Shouldn't the Health Service Executive (HSE) – which was not infected, but estimates that it has 1,500 computers running XP – and others be getting the hell off Windows XP as fast as possible?
Budget constraints are, of course, the answer to the first question. Williams says a health service with medical equipment – an X-ray machine, perhaps – using Windows XP “may have no choice” but to keep using the system. “But people should really be plotting a course for how they can get off it. It’s just not secure.”
Focus minds
Cybersecurity experts all agree on one thing. The fallout from WannaCry should "focus a few minds", as it was put by Pat Moran, who leads PricewaterhouseCoopers' cyber practice in Dublin.
The cancelling of hospital procedures and appointments has given painful clarity and publicity to a growing phenomenon. Although Ireland was largely unaffected last Friday, small Irish law firms – another sector where there had been “underinvestment” in security – were just one target of ransomware hackers in 2016. Ransoms of up to €20,000 were reported.
Such incidents, however, are often kept on the down low by victims.
“One of the difficulties with this is that organisations don’t come forward to say they have been attacked because they believe their brand or reputation may be damaged,” says Moran.
They believe this with good cause. It is not a good look to be caught out by hackers – especially when businesses lose control of sensitive personal data. If it can be proven that they did not follow good practices, core brands are jeopardised, perhaps permanently.
Moran is aware of cases in Ireland where targeted small businesses have gone against the official advice not to pay ransoms. “These are four-figure or five-figure sums, which for an SME is quite a lot of money.”
With WannaCry it is not only inadvisable to “fuel the ransomware economy” by paying the ransom, it is pointless. Researchers have concluded that the perpetrators have no way of telling which victims paid up.
Ransomware hackers – and remember ransomware is just one type of cyberattack – have not only become more active, they are looking for more money than before. Symantec’s annual Internet Security Report found that ransomware detections in 2016 were almost double the recorded tally for 2015. The average ransomware payouts, meanwhile, swelled from $294 to $1,077.
Everything about this suggests cybersecurity should be rocketing up the priority list of chief executives at least as fast as cybersecurity stocks have seen their share prices rocket this week.
Payroll data
Cybercrime is a key business risk, and shouldn’t simply be regarded as a matter for IT staff to worry about, agrees Moran.
“When the proverbial hits the fan, and organisations lose access to business plans, payroll data and information about their best customers, and that all becomes publicly available, it’s not the tech guys who will be in the papers and in front of Oireachtas committees, it’s the CEOs.”
The good news for finance directors is that not every protection measure requires expensive capital investment.
“It is also about having good processes in place,” says Threatscape’s Williams.
Good processes are not that complicated for those in the know. As well as “prudent” patching they include regular back-ups (that are then disconnected from the network so organisations don’t simply end up with two versions of encrypted files).
Trying to run a business without data back-ups, says Williams, is “like trying to fly an aircraft with one engine”.
And while it now appears that WannaCry was a worm from start to finish, with no phishing email “hook” tricking users into opening a malicious attachment, cybersecurity experts still recommend strong “security hygiene” policies and staff awareness messages such as the HSE’s “#ThinkB4UClick”.
While it may be “all quiet on the Western Front for us”, as Williams says, worries persist that WannaCry was a near miss, and that, with so many aspects of our lives depending on connected systems, worse perils lie ahead.
At Integrity360, Bogdanescu cites last October’s DDoS (distributed denial of service) cyberattacks, which were the largest of their kind, as a taster of how hackers will in future exploit flaws in the cybersecurity of connected household devices.
This is cyberwar advanced not through computer terminals, but the so-called Internet of Things. “It may take the form of something like coming home and not being able to turn on and off the lights,” she says.
“I’ll be expecting an interesting summer.”