Ransomware attack: Where it stands


Homeland Security Advisor Tom Bossert manned the lectern for the administration on Wednesday to give an update on the ransomware outbreak.  

His message, in part, was like many others: the situation was both better than it could have been and worse than it should have been.

The attack known as Wanna Cry, he said, struck victims in 150 countries, logging hundreds of thousands of infected machines. It has done enough damage that the White House is now getting twice-a-day briefings on the outbreak.

At the same time, said Bossert, Wanna Cry did not appear to be having the kind of impact in the United States that it had in Asia and Europe. No federal systems were hit and only a “small number” of U.S. businesses were affected.


Wanna Cry, also known as WanaDecrypt and WanaCrypt0r, hit targets across the world over the past three days, ranging from 1,000 infected computers at the Russian Ministry of the Interior to severe disruption at a Spanish telecom.

A researcher at Google and a group at Kaspersky Lab believe they have made headway into who is behind the ransomware. 

The first version of Wanna Cry contains code used by a suspected North Korean hacker group dubbed “The Lazarus Group”; that code was removed in later versions.

In a blog post, Kaspersky argued that the removal of the code from later releases of Wanna Cry makes it unlikely that the code was planted to throw off researchers.

“We believe a theory of a false flag, although possible, is improbable,” reads the post.

The Lazarus Group was recently linked to a string of digital bank heists carried out by hacking financial institutions in Bangladesh, New Zealand and other nations, believed to be a way to survive the crippling sanctions the international community placed upon the Hermit Nation. Lazarus is best known for hacking Sony Pictures in retaliation for the movie The Interview.

Ransomware like Wanna Cry encrypts computer files until a user pays a ransom. 

Wanna Cry was exceptionally dangerous in part because it was based on an allegedly leaked NSA hacking tool targeting Windows known as EternalBlue.

The security flaw that EternalBlue took advantage of was patched in March. But businesses are sometimes unable to apply patches, often because niche software is not supported by newer operating systems, and because updating a large network is itself a large undertaking.

Microsoft responded Friday by updating the antivirus program that comes with Windows to block Wanna Cry. On Saturday, it took the unusual step of issuing a patch for the EternalBlue flaw for operating systems it no longer supports, like the elderly Windows XP.

But some fear that Wanna Cry will not be the last the world sees of leaked NSA hacking tools in malware. EternalBlue was only one of a bundle of tools allegedly leaked from the NSA, and malware authors have already produced malware based on another tool in that kit.

“We need to look at the other tools in that leak and prioritize those upgrades as critical,” said John Riggi, head of BDO’s cybersecurity and financial crimes unit and a former FBI section chief for the Cyber Division Outreach Section.

Bossert noted during his press conference that keeping software updated would have protected victims of the malware. Riggi added that Wanna Cry also shows the importance of another basic staple of cybersecurity. 

“One of the best defenses is having a good backup,” he said. 

Though Bossert announced there were no federal computers infected with Wanna Cry, Sen. Mark Warner pressed the Department of Homeland Security and the Office of Management and Budget about agency policies for updating software.

“Microsoft issued a security update to remediate this vulnerability two months ago,” he wrote in a letter to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly.

“Ensuring that patches are implemented in a timely, and secure, manner is an entirely different matter, however.”

The letter asks for insight into the process by which agencies update software. 

In government and out, Wanna Cry might be a watershed moment for businesses adopting basic cybersecurity procedures.

“This was definitely a seminal event,” said Riggi.