Wanna Cry. Our analysis.
Ransomware has been a recognised issue for some time; however, to date, perhaps only one or two systems in a company might have become infected by the wayward clicks of a bored receptionist. Ransomware has rarely been a business-critical issue.
Wanna Cry changed that. Not only did it infect single machines, as classic ransomware does, it also used infected systems as a springboard to attack any other systems it could find. It did this by piggybacking on a network protocol that old Windows computers use to talk to each other (SMB version 1, also known as CIFS). This put at risk not only all old Windows systems, but also those newer systems that were configured to talk to old Windows systems: the new systems ran exactly the same SMBv1 software version as the old ones.
It just so happens that big companies with big legacy networks have of course configured their new Windows computers so that they can talk to the old ones. Thus, both new and old Windows systems could be affected.
Furthermore, so that all these Windows systems can talk to each other, they are usually all placed on the same network. Hundreds at a time. Thus, it only took one system to become infected to put hundreds of others at risk.
One mitigating factor is that SMBv1 really is the most useless, cumbersome, heavy protocol that Windows systems have ever been known to use. It quite happily spams all other machines on the network advertising the presence of Windows systems that have something to share. Any system administrator worth their salt would have disabled SMBv1, probably as a result of being shouted at by a network administrator trying to stop their network grinding to a halt.
Disabling SMBv1 is simple. Or simple if all your Windows systems are under central control. There’s a simple tick box that even simple organisations can tick, which improves Windows networking performance a hundred-fold.
However, one negative effect of disabling SMBv1 is that Windows XP/2003 systems won’t be able to talk to each other any more. Hence urgent action was required, as no fix was forthcoming from Microsoft: Windows XP/2003 is no longer supported.
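As an added example, not part of the original post, this is what the "tick box" and the XP/2003 caveat from the two paragraphs above look like on a Windows 8.1/10 or Server 2012 R2 and later host under central control: inventory SMBv1, check for legacy hosts that still negotiate dialect 1.x, audit for a while, then disable. The cmdlets, feature names, audit channel and event ID are Microsoft's; no host names are assumed.

```powershell
# Added example: audit and then disable SMBv1 on a modern Windows host.
# Run from an elevated PowerShell on Windows 8.1/10 or Server 2012 R2 and later.

# 1. Inventory: is SMBv1 still enabled on the server side, and is the feature installed?
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object State

# 2. Dependency check before flipping the switch (the XP/2003 caveat from the post):
#    any live inbound session or outbound connection negotiating dialect 1.x belongs to a
#    legacy host or share that will stop talking to this machine once SMBv1 is off.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect |
    Where-Object { $_.Dialect -like '1.*' }
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect |
    Where-Object { $_.Dialect -like '1.*' }

# 3. If nothing shows up right now, leave SMB1 access auditing on for a while
#    (Windows Server 2016 / Windows 10 1607 and later) to catch legacy hosts that only
#    connect occasionally. Each SMBv1 access logs event ID 3000 in the
#    Microsoft-Windows-SMBServer/Audit channel, including the client address.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 50 |
    Where-Object { $_.Id -eq 3000 } | Select-Object TimeCreated, Message

# 4. Disable: turn the server-side protocol off immediately, then remove the optional
#    feature (server and client components) so a later role install cannot bring it back.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# On Windows Server, the role-based equivalent of the optional feature is:
# Remove-WindowsFeature -Name FS-SMB1

# 5. Verify after the reboot that step 4 asks for.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol   # EnableSMB1Protocol : False
```

In a domain, the same server-side setting is pushed fleet-wide through the "Configure SMB v1 server" Group Policy setting rather than host by host.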
Even as recently as last month, we are aware of organisations that still rely on Windows XP/2003 systems. I guess that’s why Microsoft ultimately played nice and issued an emergency patch, as most of these are in the public sector and support critical infrastructure.
It’s easy to point the finger, but the public sector is completely cash-strapped, subject to funding cuts and has IT budgets that barely stretch to six figures. There is not enough money in the pot to migrate to the latest version of Windows, which also happens to need a hardware upgrade to go with it.
Now this patch has been issued, the public sector can “safely” continue its use of archaic operating systems until the next time. Which will be far worse.