With the news of a new, June 27th ransomware attack, we are re-posting this piece from May 12, 2017. — Editors’ note
Computers around the world are suffering an attack from malicious software. The compromised computers have been hit by “ransomware” — software that encrypts the computer’s hard drive so that all the information on it is unavailable, and refuses to release it until a ransom is paid in Bitcoin, an online currency that is difficult to trace. Among the victims are FedEx, Britain’s National Health Service and computers belonging to Russia’s Ministry of the Interior.
Ransomware attacks have happened before. What is unusual is how quickly this attack is compromising large numbers of critical computers. It has been so successful because it has made use of a so-called “zero-day exploit” — a previously unknown flaw in Windows software that makes it easy to take control of vulnerable systems. This zero-day exploit became publicly known last month, when it was released as part of a treasure trove of National Security Agency data by the “Shadow Brokers,” a shadowy group of hackers who many believe are associated with Russian intelligence. Criminal hackers appear to have combined this exploit with ransomware tools to mount a worldwide campaign.
Here’s what you need to know to understand what happened:
The NSA collects zero-day exploits
One of the NSA’s key functions is to spy on intelligence targets in other countries. This, very often, involves compromising their computer systems. Hence, zero-day exploits for commonly used software, such as Windows, are potentially very valuable to the NSA and to its rival intelligence agencies. Big, complex pieces of software such as operating systems have a myriad of bugs, some of which can allow outsiders to take control of computers running the software. Such exploits can be used to gain surreptitious control of computers or other devices running that software, scoop up information, or even turn computers or phones into silent spying devices by, for example, taking control of their cameras and microphones. There are even clandestine markets where zero-day exploits are bought and sold.
But the NSA has a dual role
The complicating factor for the NSA is that it is not only supposed to hack into the computers of interesting foreigners — it is supposed to protect the computers of U.S. citizens and firms from outside attacks. This poses problems, because foreigners and U.S. citizens tend to use the same kinds of software, and to be subject to the same kind of attack. Every time the NSA discovers a new vulnerability, it is supposed to go through an “equities process,” in which it determines whether it is better to disclose the vulnerability to software companies (so that U.S. citizens, firms and the government can be protected) or keep it for its own use (so that it can compromise foreign systems).
When the NSA discloses the vulnerability, the creators of the software can modify the software through a “patch,” which can then be downloaded by users to close the vulnerability. When the NSA doesn’t disclose it, nothing gets done unless someone independently discovers the problem (or the hole gets closed inadvertently thanks to other changes). When Microsoft, Apple or Google make you update your computer or phone operating system (or else suffer a series of annoying reminders), they are sometimes patching real vulnerabilities.
This zero-day exploit was kept by the NSA
The Shadow Brokers leak revealed a number of NSA documents, including zero-day exploits that were previously unknown to the general public. Importantly, the Shadow Brokers leaked the files they had compromised in multiple stages, saving the zero-day exploits for a later release, which happened a couple of months later. Although no one is saying so in public, it appears likely that the NSA contacted Microsoft as soon as they realized that the zero-day exploits had been compromised by hostile actors. Certainly — contrary to initial reports — Microsoft patched its software soon after the initial Shadow Brokers release in ways that suggested the company had become aware of the vulnerabilities. This meant that when the zero-day exploits were released last month, people with up-to-date installations of the relevant version of Windows were already protected against these particular zero-day attacks.
Patching is not always enough
The problem is that many users need time to patch their systems. Sometimes this is because of laziness, ignorance or lack of resources. Sometimes, it is because organizations have to run a variety of complex software packages and may worry that if they change one software component (especially a crucial platform or operating system), the other software will stop working. Thus, big organizations often want to take time to test newly patched software before they start running it.
For whatever reason, a variety of organizations appear not to have downloaded and installed the patches. This meant that their systems had a gaping vulnerability, which the ransomware has now taken advantage of, compromising systems in hospitals, businesses and government ministries.
There are no easy solutions
There are many causes for the current impasse. If the NSA had weighed the vulnerabilities differently and quietly informed Microsoft years ago, the problem would never have happened at a wider scale, because Microsoft would have issued the patch long before criminals could take advantage. Obviously, if the Shadow Brokers had kept quiet, criminals would not have been able to take advantage (although the Shadow Brokers themselves could have used the exploits against U.S. and other targets with nearly complete impunity).
The bigger problem is that no one is in charge. Responsible software producers will issue patches to protect against vulnerabilities (although they may not be obliged to under the law), but there is no way to ensure that everyone implements them. Unfortunately, the problem is getting worse rather than better over time. As Bruce Schneier points out, many of the devices on the Internet these days are not computers or phones. They are DVD players, TVs, webcams and, maybe soon, even salt shakers. The companies building such devices are not always careful about looking for or keeping track of vulnerabilities, so hackers can target huge numbers of poorly secured devices (and use these devices to attack other Internet users). While experts have identified the importance of the problem, it isn’t clear that there is any plausible solution without radical changes to the ways we build technologies and shape incentives for businesses and users to keep these technologies secure.