Security

Unprecedented WannaCry attack a nightmarish 'wake-up call'

WannaCry is the largest cyberextortion scheme ever, and it's a signal that the danger is far from over.

Now Playing: Watch this: Why the WannaCry cyberattack is so bad, and so avoidable
2:18
Padlock on a computer keyboard

When ransomware strikes, you're locked out of your computer -- and you have to pay to get in.

Schöning/Ullstein Bild via Getty Images

Because we needed something else to keep us up at night.

WannaCry is no scary movie but a nasty piece of ransomware that locks up your computer and holds it hostage until you pay the hackers. Ransomware isn't new, but the difference with this one is scale: As of Sunday, more than 200,000 devices in at least 150 countries have been affected, making this the largest cyberextortion scheme ever. (You can actually watch a real-time map of affected computers.)

That's scary enough. But what's really chilling is that we have no idea when this will all end. The speed and reach of WannaCry, as well as its ability to evolve, are yet more examples of the new age of cyberterrorism we live in. It's one in which hackers can influence the US election, pilfer your personal information or hold up critical life-saving systems in hospitals.

And because of our dependence on tech, there are no easy solutions.

"The WannaCry ransomware outbreak is a wake-up call for the world," said Andreas Kuehlmann, senior vice president of the software integrity group at software maker Synopsys. "It highlights not only our interconnectedness and deep-seated dependence on technology, but the massive challenge we face in securing the ecosystem of software and systems we rely on."

With new cases cropping up over the weekend in China and Japan, following the first wave in the UK and elsewhere on Friday, it's no wonder millions of people walked into their offices wondering if they too were victims of WannaCry. Or worse: What if this outbreak evolves into something even more dangerous and widespread?

WannaCry has already shown its ability to change. An analyst from MalwareTech on Friday stumbled on a way to halt the initial attack, unwittingly activating a kill switch. By Monday, however, hackers had changed the code so that kill switch no longer worked.

Genesis of WannaCry

WannaCry, also known as WanaCrypt0r 2.0, is able to get into Microsoft Windows systems by exploiting a vulnerability called EternalBlue, which was first discovered by the NSA and then, in April, leaked by the hacker group Shadow Brokers. The updated version that debuted Monday also uses the same exploits.

Victims have gotten messages asking for money in exchange for unlocking their computers.

Foursys

Here's how it works: The malware enters a computer system through an email attachment or someone visiting a website, according to Simon Crosby, co-founder of security software provider Bromium.

From there, it can spread across the local area network through a standard file-sharing technology called Windows Server Message Block, or SMB.

Hospitals in the UK's National Health Service, Spanish telecommunications provider Telefonica and global shipping giant FedEx were among the early organizations hit. It just spread from there.

"The criminals really have the upper hand in this situation and most companies are completely unprepared for this kind of attack," said Gartner analyst Avivah Litan.

Hackers typically demand about $300 in payment via bitcoin, an untraceable digital currency often used on shadowy parts of the internet. If that ransom isn't paid in 72 hours, the price could double. And after a few days, the files are permanently locked.

Hackers could stand to make more than $1 billion if the ransoms are all paid.

Blame game

There's some debate as to who really is at fault (beyond the hackers, of course). Microsoft believes that government agencies like the CIA hoarding software flaws and keeping them secret contributed to WannaCry.

The NSA didn't respond to requests for comment. Gen. Keith Alexander, who served as NSA director from 2005 to 2014, denied Microsoft's claims that the agency was hoarding these vulnerabilities.

"They don't hoard, they release 90-plus percent of what they find," Alexander said during a panel at TechCrunch Disrupt on Tuesday. "But to go after a terrorist, you need an exploit."

Microsoft could have been more proactive in issuing patches for older versions of its software. For instance, it made the special exception to patch this vulnerability for all versions of Windows -- including the ones it stopped supporting. But that only happened after the attack hit. To be fair, Microsoft has long warned people that it would stop supporting these older versions.

You could also blame IT workers who weren't up to speed on the latest updates. But it's hard to blame them when updates can stop critical systems from working, or make older software like XP and Windows 7 inoperable. For places like hospitals, that's unacceptable.

Outdated equipment

Guess what? A lot of people still use Windows XP, which was first released in 2001. Likewise, if you don't have a licensed version of Windows (that is, if you stole it), you may not have the necessary patches to protect you.

The effectiveness of WannaCry underscores the fact that many computers are using older software and haven't been updated or patched. More people in the world use some version of Windows on their desktops and laptops than any other operating system.

"As we look at the overall cybersecurity posture of the country, we have to look at the way we manage old platforms and better protect them," said Mark Testoni, CEO of security software company SAP NS2.

A survey conducted earlier this year of 24,225 people in 23 countries showed that the majority of computer users wouldn't know what to do if they were hit by ransomware, either. The survey, conducted by the United Nations, the Internet Society and the Centre for International Governance Innovation, found that 41 percent of ransomware victims ended up paying the ransoms. Nine out of 10 victims who paid up got their devices back.

"Ransomware attackers have discovered that they don't have to steal or destroy your data to enrich themselves, they just have to hold it hostage," Fen Osler Hampson, director of global security at CIGI said.

Here's how bad things are: Through 2020, 99 percent of attacks will occur using vulnerabilities that security and IT professionals will have known about for at least a year, according to Gartner.

It might be time to start to doing something about it.

Still evolving?

Today's problem may just be the beginning. The real fear is that this incident will set off a new wave of attacks. Hackers have already updated WannaCry. What's next?

"The concern being that potentially a new variant of this ransomware could show up on Monday," Adam Meyers, vice president of intelligence at Crowd Strike, told CBS News. "And it would take a lot more effort to try to stop that next wave of attack."

Copycats are already starting to pop up, according to security experts.

"It still has the potential to grow exponentially," said Rick Orloff, chief security officer at cybersecurity company Code42.

That's really what's keeping security professionals awake at night.

"So we have the WannaCry thing. They'll say, 'Did you fix it?' 'Well, we fixed the glitch. We've patched the ones that have been infected. Great, so we're good,'" said Yahoo Chief Information Security Officer Bob Lord at TechCrunch Disrupt on Monday. "But that transactional relationship isn't going to prepare you for a truly intelligent adversary who really is out to get you."

At a White House press briefing Monday, Tom Bossert, assistant to the president for homeland security and counterterrorism, emphasized the importance of patching and reminding people not to use unlicensed versions of software that may not be able to be patched.

And as far as figuring who exactly is responsible for WannaCry, Bossert said while it would be satisfying to do just that, "that's something that sometimes eludes us."

A persistent, ever-changing threat that's always coming after you? Hollywood couldn't write a better horror flick.

Terry Collins contributed to this story.

First published May 15, 10:38 a.m. PT.
Updates, 11:45 a.m., 1:50 p.m., and May 16 at 7:46 a.m. and 4:11 p.m.: Adds results of a survey of ransomware victims, reporting from a White House briefing, comments from a former NSA director and additional background and quotes from experts.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Crowd Control: A crowdsourced science fiction novel written by CNET readers.