Two years ago, the WannaCry ransomware attack crippled more than 300,000 machines in 150 countries, including 80 National Health Service hospitals in Britain that were forced to divert patients after malware prevented clinicians from accessing medical records.
While media headlines have moved on to other cyberthreats, WannaCry continues to be a major problem for many organizations.
According to a research report from internet of things security company Armis, WannaCry continues to be an active threat: 40% of healthcare organizations and 60% of manufacturing organizations in Armis' client database experienced at least one WannaCry attack in the last six months.
"This is not too surprising as these types of organizations generally suffer the most from old and unmanaged devices, which are difficult to patch due to operational complexities," Armis researchers said in the report.
As it did when it first emerged, WannaCry starkly demonstrates how much potential unpatched vulnerabilities have to compromise such devices.
"Sadly, the vulnerability used by WannaCry two years ago has yet to be patched on many devices. Moreover, such vulnerabilities are still being found, as Microsoft revealed a new wormable vulnerability resembling the one used by WannaCry last week," the report said.
Recently, Microsoft took the rare step of releasing a patch for a handful of legacy operating systems it no longer services after finding the critical vulnerability. The company is warning users to patch their systems quickly to avoid another WannaCry ransomware attack, saying it is "highly likely" that malicious actors will write an exploit for this vulnerability.
The research findings come just after The New York Times reported on Saturday that the ransomware attack that hit the city of Baltimore on May 11, as well as the WannaCry ransomware attack and the NotPetya attack back in 2017, can be traced to a tool developed by the National Security Agency (NSA) called EternalBlue.
In April 2017, an unknown group called the Shadow Brokers posted hacking tools for Windows it said were stolen from the NSA. Microsoft announced at the time that most of the exploits had already been patched.
According to The New York Times, since 2017, when the NSA lost control of EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, cutting a path of destruction around the world and leaving billions of dollars in damage.
"According to three former NSA operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers—a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions," according to The New York Times article.
EternalBlue was so valuable, former NSA employees told The New York Times, that the agency never seriously considered alerting Microsoft about the vulnerability and held on to the tool for more than five years before the breach forced its hand.
"It is true that historically, the leak of the NSA tool that exploited the EternalBlue vulnerability was the trigger that unraveled into the WannaCry outbreak. Since the vulnerability affected such a wide array of Windows versions, even its unsupported versions had to be issued an emergency security update to try and prevent the spread of the malware to those systems," Ben Seri, vice president of research at Armis, told FierceHealthcare.
Unfortunately, those unsupported versions of Windows are still in use today, Seri said. "How WannaCry is still very much active today is due to the fact that it still manages to find vulnerable devices—and these are most prevalent in healthcare and manufacturing facilities. The various stats we've gathered co-align to support these findings," he said.
The ongoing threat of WannaCry
At the time of the WannaCry attack in 2017, researchers were able to discover a "kill switch" that prevented it from spreading further. But devices already infected by the malware were not salvaged by the discovery of the kill switch and continued to spread it to other computers, according to the Armis report. Devices on which WannaCry did not activate are vulnerable to other attacks as the malware’s backdoor, DoublePulsar, remains wide open, the report said.
According to Armis' research, there are 3,500 successful WannaCry attacks per hour worldwide. More than 145,000 devices worldwide are still compromised and 103 countries impacted. Further, 22% of internet service providers have customers impacted by WannaCry, the Armis report said.
The company's research indicates that roughly 70% of healthcare organizations worldwide are using outdated Windows operating systems (Windows 7 and older) compared to the technology industry, where about 75% of organizations are running Windows 10.
A common misconception regarding WannaCry is that because a patch was issued by Microsoft, the malware and its associated exploit EternalBlue are no longer something to worry about. In reality, things are quite different, according to the research report.
"Patching is laborious and time-consuming, but absolutely necessary. In some cases, implementing the patches can be difficult, and even require rebuilding entire systems for it," the report said. Moreover, many industrial and healthcare devices are still based on outdated Windows versions such as XP, 2000 and Vista.
"These systems receive painfully slow upgrades since they are usually part of a customized hardware/software solution tailor-made for a specific industrial or medical use, or require costly downtime for upgrades," the report said.
The implication of the current status of WannaCry is that unmanaged devices have to be monitored and protected from such threats, Seri said.
"Since two years have passed, and the overall status is only slightly improved, it is obvious that none of the underlying problems have been resolved. The hardest underlying problem to resolve is eliminating the risk of the devices that are part of the operational apparatus of an organization but are also nearly impossible to upgrade or patch. These unmanaged devices have to first be identified as such, and then monitored, segmented, if possible, and protected by external tools," he said.
Like other cybersecurity researchers, Seri emphasizes the importance of patching devices. Among his recommendations:
- Patch—All users and organizations should patch all devices in their possession. Patching is not a recommendation; it is a must. You should always remember that in the long term you are always better off patching ASAP.
- Know your devices—Without proper control and monitoring of devices and networks, one is bound to lose track of both. It is only a matter of time until you forget about a device you’ve left connected somewhere or a network configuration which connected or disconnected it from internal networks. While this is true for home users, it is doubly true for organizations. This is why you must maintain an asset inventory tracing all devices, and monitor your network for unknown, suspicious or misplaced devices connected to it.
- Confront unmanaged devices—The last yet critical step is to implement solutions capable of monitoring and protecting unmanageable devices, which are extremely vulnerable and prone to attacks. Without such solutions, these devices, and consequently your entire network, will be left as sitting ducks for any hacker sniffing around.
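As an added example of the second and third recommendations (not code from Armis or the article), the snippet below reconciles a constructed asset inventory against a constructed ARP-style snapshot, flags devices nobody inventoried, and maps each known device to an action using the article's own OS categories (Windows 7 and older as outdated; XP, 2000 and Vista as unsupported). The `Asset` fields, host names, MAC addresses and action names are assumptions made up for the demo.

```python
from dataclasses import dataclass

# Per the article: Windows 7 and older are outdated; XP, 2000, Vista unsupported.
UNSUPPORTED = {"windows 2000", "windows xp", "windows vista"}
OUTDATED = UNSUPPORTED | {"windows 7"}

@dataclass
class Asset:
    hostname: str
    mac: str
    os: str          # e.g. "Windows XP"
    patched: bool    # Microsoft's fix for the WannaCry flaw applied?
    patchable: bool  # False for vendor-locked medical/industrial gear

def classify(asset):
    """Map one inventoried device to the action the article recommends."""
    os_name = asset.os.strip().lower()
    if os_name in UNSUPPORTED or not asset.patchable:
        return "segment_and_monitor"  # unmanaged: protect with external tools
    if not asset.patched:
        return "patch_now"            # patching is a must, do it ASAP
    if os_name in OUTDATED:
        return "plan_upgrade"         # patched, but still on an old OS
    return "compliant"

def parse_observed(lines):
    """Parse constructed 'ip mac' lines (e.g. an ARP export) into {mac: ip}."""
    seen = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            seen[parts[1].lower()] = parts[0]
    return seen

def triage(inventory, observed_lines):
    """Actions per known host, plus observed devices missing from inventory."""
    seen = parse_observed(observed_lines)
    known = {a.mac.lower() for a in inventory}
    actions = {a.hostname: classify(a) for a in inventory}
    unknown = {mac: ip for mac, ip in seen.items() if mac not in known}
    return actions, unknown

# Constructed sample data, not real hosts.
INVENTORY = [
    Asset("infusion-pump-3", "00:11:22:aa:bb:01", "Windows XP", False, False),
    Asset("radiology-ws-1", "00:11:22:aa:bb:02", "Windows 7", False, True),
    Asset("nurse-station-4", "00:11:22:aa:bb:03", "Windows 7", True, True),
    Asset("admin-laptop-9", "00:11:22:aa:bb:04", "Windows 10", True, True),
]
OBSERVED = ["10.0.1.11 00:11:22:AA:BB:01", "10.0.1.12 00:11:22:aa:bb:02",
            "10.0.1.13 00:11:22:aa:bb:03", "10.0.1.14 00:11:22:aa:bb:04",
            "10.0.1.77 de:ad:be:ef:00:01"]  # constructed ARP snapshot
```

Calling `triage(INVENTORY, OBSERVED)` returns the per-host action map and the one MAC address the inventory does not know about, which is the device to chase down first.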