WannaCry Ransomware Outbreak Impacted Less-Prepared Organizations, Experts Note
The massive WannaCry ransomware outbreak that began May 12 has led to allegations that some organizations – especially in the public sector – were less well-prepared for the attacks, perhaps on account of inadequate IT investments or the use of outdated and unsupported Windows operating systems.
See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry
In Britain, for example, the National Health Service, or NHS, has vigorously denied reports that its systems were so widely infected on account of widespread Windows XP use.
Windows XP remains the world’s third most-used operating system, accounting for 7 percent of all endpoints, compared to Windows 7 at 49 percent and Windows 10 at 26 percent, according to market researcher NetMarketShare. Microsoft, however, stopped supporting XP with security updates and patches in 2014. Likewise, Microsoft stopped supporting Windows 7 in 2015, although pricey extended support contracts remain available.
Regardless of what operating system is being used, widespread infections at NHS trusts in England and Scotland, as well as doctors’ offices and hospitals, led to allegations that government officials failed to properly invest in information technology.
Apparent Culprit: Unpatched Windows 7
Based on new information, however, part of the problem appears to be that many NHS trusts didn’t pay for extended Windows 7 support.
“I think what is also becoming clear is that the NHS impact was a result of lack of patching Windows 7 rather than outdated XP,” Alan Woodward, a professor computer security at the University of Surrey, and a cybersecurity adviser to the EU’s law enforcement intelligence agency, Europol, tells Information Security Media Group.
“If this is the case then it shows that there is a lack of resources across the NHS IT estate,” he adds.
On May 13, the NHS issued a statement responding to “widespread speculation about the use of Microsoft Windows XP by NHS organizations, who commission IT systems locally depending on population need.”
But the NHS says that most of its systems are currently still receiving patches and security updates from Microsoft.
“While the vast majority are running contemporary systems, we can confirm that the number of devices within the NHS that reportedly use XP has fallen to 4.7 percent, with this figure continuing to decrease,” the statement reads.
“This may be because some expensive hardware – such as MRI scanners – cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network.”
Windows XP Transition Strategy
The government has long been urging trusts to dump outdated Windows systems.
In April 2014, the U.K. government’s Cabinet Office and the NHS issued an urgent call to all NHS trusts to migrate off of Windows XP, saying that it had secured a deal with Microsoft to buy them 12 months’ respite.
“The Department of Health (DH) and Crown Commercial Services (CCS) have now concluded a new agreement with Microsoft. This makes Custom Support for Windows XP SP3, Office 2003 SP3 and Exchange 2003 SP2 available to any NHS organization that require it until 14 April 2015; whilst migration away from Microsoft XP is undertaken,” read the Cabinet Office statement, dated April 8, 2014.
But the government continues to face tough questions over how much new funding it has allocated to subsequent migration and information security efforts.
Britain’s governing Tory party has issued a statement saying it’s given the NHS £50 million ($64 million) for IT funding, but it’s not clear when exactly that money was allocated or if it’s enough.
Cybersecurity expert Chris Pierson, CSO and general counsel for financial technology payment firm Viewpost, tells Information Security Media Group that health services and organizations in at least a dozen countries have been affected by WannaCry.
But he says that’s no surprise, given that “healthcare computers are usually always on, less frequently patched due to their role in the healthcare process, and oftentimes hospitals and clinics are lagging behind on cybersecurity controls.”
Law Enforcement Responds
Meanwhile, law enforcement agencies, including the EU’s law enforcement intelligence agency Europol. say they are hunting for the culprits behind the WannaCry campaign.
Europol’s @EC3Europol is supporting countries. #WannaCry #Ransomware attack at unprecedented level and requires international investigation.
— Europol (@Europol) May 13, 2017
The U.K.’s National Cyber Security Center, which includes the country’s computer emergency response team, says that “NCSC are working with affected organizations and partners to investigate and coordinate the response in the U.K.”
In the United States, meanwhile, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team also issued an alert on the Microsoft SMBv1 vulnerability and the also reiterated longstanding advice for combating ransomware.
The U.S. Department of Health and Human Services has said it’s been working with the healthcare sector to help it respond. It has also urged organizations to beware email-borne threats, on the heels of reports that Telefonica’s WannaCry outbreak appeared to begin after an employee received the ransomware attached to an email.
Beware Monday Morning
Experts predict that new WannaCry infections will spike on May 15.
Europol director Rob Wainwright told the “Preston on Sunday” new program in Britain that more than 200,000 endpoints had been infected as of May 14, and that he is worried that many more could be infected when workers return to their office on May 15 and power up their systems.
IT manager? Check you’re ready for the big switch on tomorrow morning. https://t.co/hqStIO7ljl
— Alan Woodward (@ProfWoodward) May 14, 2017
From a strategic standpoint, however, Wainwright says that lesson to be learned from these attacks centers on preparation. For example, he notes, “very few banks if any have been affected by this.”
Of course, that’s no accident. “They’ve learned through painful experience of being the number-one target for cybercrime, and I think the health sector and others should follow the example of some others so that they now sit up and take notice of what is absolutely a huge, strategic concern,” Wainwright said.