News about the WannaCry ransomware infestation that recently struck at least 150 different countries has faded from the headlines, but the danger it represents hasn't. Who's to blame? Can we stop it from happening again?
Ransomware is one of the most prevalent new forms of cybercrime. The bad guys get onto your computer or your organization's network either because someone opened a link or attachment they shouldn't have or through a system vulnerability. They then encrypt all your files so you can't use them.
Next, they demand money, usually in the anonymous cyber currency known as bitcoin, to unlock your files. They usually ask for relatively small amounts so that victims will pay up rather than fight.
WannaCry is the latest high-profile version of the long-running scam. The main difference this time was how extraordinarily far it spread. It exploited an existing opening in an old version of the Windows operating system. This opening – called a "zero-day" vulnerability in programmer parlance – was found by the National Security Agency. The world learned of it when the NSA was hacked by bad guys called the Shadow Brokers, who released the stolen files to the public.
Someone, as yet unknown, then wrote the WannaCry program to exploit the flaw. Note that the NSA didn't create WannaCry, but it also didn't tell Microsoft when it found the zero-day. Between when Shadow Brokers went public and when WannaCry hit, Microsoft created a patch to fix the problem, distributed it to their legitimate customers, and encouraged everyone to install it on their computers. Some did, but many did not.
Analysts are split between two theories. One is that WannaCry was written by petty crooks to extort the British Health System, the target most heavily hit, and it simply got out in the wild and kept finding unpatched targets. The other is that it was written by the intelligence service of a nation-state that didn't really care about the money but was testing to see how far they could spread the attack.
While the former is most likely, you cannot rule out the latter, and some fingers have been pointing toward North Korea. Attributing guilt in these cases is notoriously difficult to do with accuracy, and it is easy to spoof the source to throw the cyber bloodhounds off the scent.
So who is at fault? Is it Microsoft for having the flaw in their software? Is it the NSA for finding it but keeping their mouths closed because they wanted to potentially use that same fault to better do their spy job against America's enemies? Is it Shadow Brokers, who some think is the Russian government, for making it public?
Are the as-yet-unknown bad guys who actually wrote the WannaCry ransomware program to blame? Or is it the fault of the folks who failed to patch their systems when Microsoft sent it to them?
The answer is probably all of the above. Complicated operating systems such as Windows will never be flawless, no matter how hard the companies that write them try. The NSA's technique of finding zero days and informing companies of them only about 85 percent of the time, keeping the other 15 percent for their future use, is being reviewed by both Congress and the intelligence community.
Crooks, meanwhile, are going to continue to be crooks, so we won't get much help from the Shadow Brokers or WannaCry authors of the world.
That leaves us. As consumers, we can do a much better job of applying patches. Big, important systems such as hospital networks cannot be lazy and must do the patching. In the long run, your health records are actually a bit more important than last year's vacation photos.
Russian and Chinese entities (individuals and companies) were hit particularly hard and are up in arms blaming America for the problem. But both countries use a ton of pirated software, which doesn't receive the patching notices legitimate users get. To them I say, "Tough: If you break the law, don't expect any sympathy when fellow crooks burn you."
More investigation is needed. We may see some reform, but the shortest and surest route to safer computing is to be wise enough to load the updates you get from your operating system's creators. Make the bad guys' job as hard as you can.
This piece originally appeared in The Sacramento Bee