What the heck happened on May 12? Super-evil technical genius releases ransomware worm that invaded systems around the world and he made a gazillion dollars?
A ransomware worm was, in fact, released in the wild. It did, in fact, cause mass chaos. This depicts the last 24 hours of infections worldwide (see MalwareTech for real-time stats):
The "evil genius" created this attack by using information released by Shadow Brokers a few weeks ago. As of this writing the miscreant has made a whopping $26K in Bitcoin. Meanwhile, the good guys are continuing to eradicate this mess through various truly genius means.
The real culprit in the exponential spread of this attack? You.
The worm (self-propagating code) leveraged a weakness in an outdated version of a Microsoft Windows feature known as Server Message Block, or SMB, to plant the ransomware and spread itself to the next machine. To grossly oversimplify, SMB is how Microsoft systems "talk" to each other. Microsoft released a patch for this vulnerability on its current products back in March.
The two important points in that last sentence: "current products" and "patched in March."
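Two things follow from those two points, and both can be checked on a host rather than taken on faith: is the outdated SMB dialect still switched on, and is the March update actually installed? The script below is an added example for this post, not anything Microsoft or the researchers mentioned above published. It assumes Windows 8 / Server 2012 or later with PowerShell run as administrator (the SMB cmdlets do not exist on XP or Windows 7, which is part of the problem), and it assumes that the "outdated version" of SMB the post refers to is SMB version 1, which the post itself does not name. The KB number is a placeholder because the March update carries a different KB id per OS build.

```powershell
# Added example (not from the original post): report whether this Windows
# host still has the outdated SMB dialect (SMBv1) enabled and whether the
# March 2017 security update is installed. Assumes Windows 8 / Server 2012
# or later and an elevated PowerShell session. Run with -Remediate to turn
# SMBv1 off (a reboot is needed before the change takes effect).
param(
    [switch]$Remediate,
    # Placeholder: the KB id of the March 2017 SMB update differs per OS
    # build; take the right one from the Microsoft bulletin for your version.
    [string]$PatchKB = 'KBxxxxxxx'
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"{0} (build {1})" -f $os.Caption, $os.BuildNumber

# 1. Is the SMBv1 server-side protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is ENABLED on this host.'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        'SMBv1 disabled; reboot to apply.'
    }
} else {
    'SMBv1 is disabled.'
}

# On Windows 10 the protocol is also an optional feature that can be removed
# outright; report its state if the cmdlet exists on this build.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol optional feature state: $($feature.State)" }

# 2. Is the March update present? Get-HotFix queries the installed-update
#    list (Win32_QuickFixEngineering) by KB id.
if ($PatchKB -eq 'KBxxxxxxx') {
    'Set -PatchKB to the KB id for this OS build to check patch state.'
} elseif (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue) {
    "$PatchKB is installed."
} else {
    Write-Warning "$PatchKB is NOT installed; run Windows Update."
}
```

Two caveats for anyone running this: `Get-HotFix` reads `Win32_QuickFixEngineering`, which lists most but not every kind of update, so a missing result is a prompt to look at Windows Update history rather than proof the patch is absent; and disabling SMBv1 breaks anything that still relies on it (very old NAS boxes and printers are the usual suspects), so test before pushing `-Remediate` across a fleet.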
Microsoft is well known for its upgrade path. Some people like it, some people hate it. Microsoft wants their customers to update to their latest operating systems to make money, sure. But it's also to keep their customers safer. Their engineers and threat researchers constantly work to improve the security of their products. This is why they release monthly security updates. This is also why they offered a free upgrade to Windows 10 for so long.
One of the key factors in the rampant spread of this ransomworm (as some of my peers have dubbed it) is versions of Windows so old (XP, for instance) that Microsoft stopped supporting them years ago. This means no security updates have been released for these systems. And that means they are vulnerable to multiple attacks, including this one.
Which brings me to the second point. As stated above, the vulnerabilities that made this worm possible were patched in March. If you have a current system and left Windows Update enabled (the default), you probably just read about the hoopla and went on with your life. According to the latest statistics, at least 90,000 people didn't get the memo and have spent the last 24 hours really wishing they had.
This entire event highlights failures in basic computer hygiene. I thought it an opportune time to remind folks of the simple steps that reduce the likelihood of becoming a victim of this and other types of online attacks. This applies to ALL computer and mobile systems, not just Microsoft, by the way:
- Keep your operating system and installed software current
- Turn on automatic updates for your operating system (at a minimum) and software popular with bad guys (Adobe, Java, iTunes, etc.)
- Back up regularly
- Install antimalware and keep it updated
The last point may or may not have helped with the ransomworm but it's still a good practice. And yes, Mac users, this means you, too. Last week also saw OS X take a direct hit by the Proton malware.
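Every item on that list can be audited from the machine itself, and an audit is more convincing than a checkbox. The script below is an added example written for this post, not part of the original or of any product's documentation. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 in an elevated session, and it assumes Windows Defender for the antimalware check (with a fallback to the Security Center registration that third-party products use on client editions). The `productState` bit test for third-party products is the commonly used interpretation of that field, not a documented contract.

```powershell
# Added example (not from the original post): audit the hygiene items from
# the list above on one Windows host: automatic updates, patch recency,
# antimalware state, and (where the cmdlets exist) backup recency.
# Assumes Windows 8 / Server 2012 or later, PowerShell 5.1, elevated session.

$report = [ordered]@{}

# 1. Automatic updates. Group Policy value NoAutoUpdate=1 disables them;
#    AUOptions 4 means "download and install automatically".
$policyAU = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$localAU  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
$report['AutoUpdatesDisabledByPolicy'] = ($policyAU.NoAutoUpdate -eq 1)
$report['AUOptions'] = if ($policyAU.AUOptions) { $policyAU.AUOptions } else { $localAU.AUOptions }
$wu = Get-Service -Name wuauserv
$report['WindowsUpdateService'] = "$($wu.Status) / $($wu.StartType)"

# 2. How stale is the patch level? Date of the most recent installed update.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['DaysSinceLastUpdate'] = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { 'unknown' }

# 3. Antimalware: enabled, real-time protection on, signatures fresh?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $report['AntivirusEnabled']   = $mp.AntivirusEnabled
    $report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']   = $mp.AntivirusSignatureAge
} else {
    # Third-party products register here on client editions; the 0x1000 bit
    # of productState is conventionally read as "protection enabled".
    $av = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $report['ThirdPartyAV'] = ($av | ForEach-Object {
        "$($_.displayName) (enabled: $((($_.productState -band 0x1000) -ne 0)))"
    }) -join '; '
}

# 4. Backups: only Windows Server Backup exposes a cmdlet; otherwise flag
#    the item for a manual check of whatever backup tool is in use.
if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
    $report['LastSuccessfulBackup'] = (Get-WBSummary).LastSuccessfulBackupTime
} else {
    $report['LastSuccessfulBackup'] = 'no Windows Server Backup cmdlets; verify your backup tool manually'
}

# Anything that reads disabled, stopped, stale or unknown needs attention.
[pscustomobject]$report | Format-List
```

Read the output the way the list above reads: updates disabled by policy, a stopped `wuauserv`, a patch level months old, a signature age in the double digits, or no backup date at all are each one of the hygiene failures this event exposed, and each is cheaper to fix today than after the ransom note appears.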
Prevention is so much easier than recovering lost time and, worse, lost data.