
Once again the criminals have managed to make the news with a piece of software that damages your PC. It even has a catchy name (or two or three, since there seems to be some disagreement): WannaCry, WCry, WannaCrypt, or Wanna Decryptor.

As with Heartbleed, Shellshock, POODLE (Padding Oracle On Downgraded Legacy Encryption), and several more since, the problems got enough visibility outside of the tech community to make people worry.

And with good PR and wider coverage, the question faced by all of us who are the go-to source for all questions about technology from friends and family can be paraphrased as “what do I tell my mother?”.

So, what do I tell my mother?

In this case, my mother actually did ask me how worried she should be. And given the widespread impact of WannaCry on corporate and government targets with high profile news stories to match, this is a perfectly reasonable question.

This question has a fairly easy answer: “Not very, assuming you keep your PCs, phones, and other devices patched.”

For my mother who happens to live in a nearly entirely Apple device household, the answer this time is also “not at all, this is a Windows PC problem.” But of course, the next one might be an Apple problem, or an Android problem, so there are lessons to be learned.

First, as always, install all (real)[1] updates from your OS and software vendors. Taking OS updates regularly is something that all individual PC (and Mac and Linux) owners should do without fail. Sure, you can usually wait a few days to make sure that the slew of early installs doesn’t show up some gross error in the update. But install the updates.

Every update, every time. If possible, the updates should be applied automatically. This has been good advice for quite a few years now. A Windows PC bought off the shelf from a big-box store arrives with Windows Update set to “fully automatic”, and for most home users there is no reason not to leave it that way. (Mac users are on their own; I assume Apple provides security updates. Apply them.)

Aside from that, the remaining advice just boils down to “don’t be stupid” and “don’t panic”. Feel free to adjust wording to suit the audience, of course.

What Happened Here?

WannaCry is an example of ransomware, spreading primarily as a worm. When your PC is infected, the most visible thing it does is encrypt all of your files, then offer to sell you the key. This particular example starts the sale at $300, but after a few days the price goes up to $600, and if that isn’t paid they promise to destroy the key and leave you unable to recover. Most authors of ransomware in the past have been very careful about customer service since their primary goal is to get paid.

This isn’t exactly new. The Troy Hunt piece has some discussion of the history of this idea. The Brian Krebs piece has some information on how much money it is earning the crooks. (Likely not enough given that they pissed off Britain, Russia, and the US… all for not even $50k. I’m just guessing here, but I imagine it costs a touch more than that to disappear from three pissed-off governments that all have well-funded covert operations.)

In the case of WannaCry, the primary path it exploited to spread was an old bug that had apparently been known for at least 8 years to some groups who hoard unpatched vulnerabilities. But given that the bug is found in Windows XP, it could well be older than that. (By mostly dumb luck IMHO, this bug is not in any version of Windows 10.)

Microsoft had already released a patch for this bug (known as MS17-010) into their update stream for supported versions of Windows last March. The catch here is the word “supported”.

Thanks to a combination of factors, there are a lot of Windows XP installations still in use. They are found in hospitals, in cash registers, in ATM machines, in airport signage, and even widely distributed across workers that depend on company-specific internally written applications. Windows XP has been officially unsupported for over three years, but the outcry from some industries was so large that Microsoft allowed some companies to pay for extended support.

But too many organizations just assumed that they were not targets, not at risk, and besides, change is always expensive. These companies (including Britain’s National Health Service) are learning that not changing also has a price.

And this is why affected companies were hit so hard. The damage (this time) is not really caused by having one or two XP boxes you have forgotten exist in an equipment rack somewhere. It is caused by continuing to use an unsupported operating system well past time to replace it.

If they had updated systems to any (supported) newer version of Windows, and kept updates rolling in, they would not have been nearly as vulnerable.

Common Sense Advice

My advice to take away from this incident can be summed up simply:

  • Update everything.
  • If you can’t update it, complain to its maker.
  • Update everything.
  • Don’t use Windows XP (or other dead operating systems).
  • Update everything.
  • Don’t click on links or download and install shady software.
  • Update everything.
  • Use a password manager, use strong passwords, and never use a password for more than one site or purpose.
  • Update all the things.

But of course you are fully patched and up to date already, right?

Cheshire Engineering Corp.
710 S Myrtle Ave #315
Monrovia, CA 91016


  1. Be cautious: as news of this spreads, there is a distinct possibility that criminals will attempt to imitate legitimate update announcements and deliver malware instead. This is already happening in the form of fake antivirus tools that are pushed via popups on web pages. Install legitimate updates swiftly. But if anything smells off about an announcement, don’t click; ask an expert.