It’s a lot harder for huge companies to update their computer systems. (image: Flickr/ Christiaan Colen)The WannaCry 2.0 ransomware is still crippling computer systems and networks around the world. The malware, which hit the web on Friday, has impacted everything from automakers to the U.K.’s National Health Service, by locking down their Windows PCs and demanding a ransom of $300 in bitcoins in return for the codes to unlock them.
So how did such large companies and public services fall victim to WannaCry 2.0? Well, contrary to popular opinion, it’s certainly not because they’re fools.
Updating isn’t so easy
The WannaCry ransomware is widely believed to use a vulnerability in Microsoft’s (MSFT) Windows operating system, which the National Security Agency knew about and kept secret. In April a group of hackers called The Shadow Brokers, said it stole the vulnerability along with a slew others from the agency, and posted them online.
The makers of WannaCry then used that vulnerability and weaponized it in the form of ransomware that spreads through computer systems like a worm, infecting more and more PCs as it moves.
Microsoft, however, released a patch for the vulnerability for most versions of Windows well before WannaCry hit the internet. A follow-up patch was released for its long-discontinued Windows XP after the software giant recognized the scale of the attack.
So, why didn’t every company and institution immediately update their systems? As McAfee CTO Steve Grobman explains, it takes more time for huge organizations to update their computers than it does for you or me.
“Some of the organizations that were negatively impacted by [WannaCry] have delayed releasing patches, because they were still performing compatibility tests, and were working through those before deploying the patch,” Grobman explained.
Organizations like hospitals, for example, run specialized software on top of Windows to do things like keep tabs on patients’ records and medications. So they can’t run the risk of installing a new Windows patch that may or may not be compatible with their own programs.
After all, if you see a Windows update is incompatible with one of your programs, the worst that happens is you have to wait a few days for a new update. A hospital or factory, on the other hand, could be out of commission for days.
“It’s not simply organizations not wanting to patch,” Grobman said. “Sometimes there are real risks of deploying a patch when there are compatibility issues in their environment.”
A perfect storm
According to Grobman, what makes the WannaCry 2.0 ransomware so dangerous is that it’s an almost perfect storm of vulnerabilities and implementations coming together. That makes it extremely contagious.
“What’s unique about this piece of ransomware is it’s taking advantage of a wormable vulnerability that is exploitable on Windows clients,” he said.
Essentially, the malware makers took an known exploit for Windows software and packaged it as a worm that was able to crawl across networks, infecting each computer it touched. The ransomware then locked down those machines when it was activated. The fact that companies weren’t able to deploy Microsoft’s patch for the initial vulnerability was a huge boon for the malware’s creators.
“We haven’t seen those planets align that frequently,” Grobman said.
The good news, if there is any, is that companies unaffected by the WannaCry ransomware might be able to speed up the implementation of the appropriate patches to protect themselves from the software.
Impacted companies, however, aren’t so lucky. If they didn’t have backups of their files that were encrypted by the attack, they may have to simply start from scratch.
The lesson here? Never open emails you aren’t expecting or from people you don’t know.
More from Dan:
Email Daniel at firstname.lastname@example.org; follow him on Twitter at @DanielHowley.