According to the FBI, ransomware was the fastest-growing malware across all industries in 2016, and is on track to be a $1 billion crime in 2017.
The “WannaCry ransomware” (aka “Wana Decrypt0r,” “WCrypt,” and “WannaCrypt,” among its various other aliases) has affected an estimated 200,000 computers across the world and continues to do so, although the infection seems to be slowing.
Almost exactly two months ago, on March 14, Microsoft released a security update to patch the vulnerability that WannaCry exploits. While the patch protected users who had enabled their computers to apply updates, many computers around the world remained unpatched and vulnerable. As a result, hospitals, businesses, governments, and home computers were — and continue to be — affected by WannaCry.
Security researchers estimated that nearly 57,000 computers in more than 150 countries were infected by the end of the day on Friday. As of Monday morning, more than 200,000 systems around the world are believed to have been infected.
One cybersecurity firm estimates that extortive attacks now cost small and medium companies at least $75 billion in expenses and lost productivity each year. And things are probably going to get worse before they get better. Ransomware tactics and tools are no longer restricted to the dark corners of the web, but are becoming increasingly accessible through open source software channels such as the “Hidden Tear” open source ransomware building toolkit. Even black hat entrepreneurs are getting into the act, offering one-stop shopping with Ransomware-as-a-Service (RaaS). With RaaS, budding extortionists no longer need to build and maintain their own malware, develop an infrastructure, or manage an attack — all they need to do is sign up at a RaaS site and pay a percentage of their take as a service fee.
“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.”
~ Brad Smith - President and Chief Legal Officer, Microsoft
Whether Open Source or Proprietary Code, You Need to Patch, Patch, Patch
Whether open source or proprietary code, most known vulnerabilities have patches available on the date of their disclosure. Despite the availability of patches — like the one issued by Microsoft that could prevent a WannaCry attack — an alarming number of companies and individuals simply do not apply them. Two months after Microsoft issued its security patch, thousands of computers remain vulnerable to the WannaCry exploit for a variety of reasons, ranging from the use of bootleg software to simple indolence.
Patches sometimes aren’t applied because of a lack of IT time, money, and resources, or because of concerns that the patch might break a currently working system. Each time a patch is introduced, changing a system can impact its reliability and functionality. Healthcare organizations, for example, will put functionality and uptime as a higher priority than security, and in doing so expose themselves to attack on unpatched — and vulnerable — applications.
Push vs. Pull in Software Updates
In some cases, it’s a lack of insight — people or organizations are simply unaware of a critical vulnerability or its patch until they’re under attack. While software vendors like Microsoft can “push” updates and fixes out to users, that requires that a computer has been set to accept those updates. The reality is that many businesses and individual users keep the auto-update feature turned off, as the sheer volume of updates can be overwhelming and annoying.
Unlike most proprietary software, open source has a “pull” support model — users are responsible for keeping track of vulnerabilities as well as fixes and updates for the open source they use rather than having those fixes “pushed” out to them. Unless an organization is aware that a vulnerable open source component is included in its application(s), it’s highly probable that that component will remain unpatched.
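Under the pull model described above, the application owner has to do the matching between an inventory of components and the advisories themselves. As an added illustration (not code from this post or from the OSSRA report’s authors), the Python below checks a constructed requirements-style manifest against a constructed advisory list; every component name, version and advisory id is a placeholder, and versions are assumed to be plain dotted integers.

```python
"""Inventory-vs-advisory check: the open source 'pull' model in practice."""

# Constructed manifest in requirements.txt style (hypothetical components).
MANIFEST = """\
# application dependencies (constructed sample)
libfoo==1.4.2
libbar==2.0.0   # not listed in any advisory below
libbaz==0.9.1
"""

# Constructed advisory feed: versions below `affected_below` are vulnerable,
# `fixed_in` is the version that carries the patch. Ids are placeholders, not CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "libfoo", "affected_below": "1.5.0", "fixed_in": "1.5.0"},
    {"id": "ADV-PLACEHOLDER-2", "component": "libbaz", "affected_below": "1.0.0", "fixed_in": "1.0.0"},
]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_manifest(text):
    """Map component name -> pinned version; an unpinned line cannot be assessed, so it is an error."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency cannot be checked: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_unpatched(deps, advisories):
    """Return (component, installed, fixed_in, advisory_id) for every known-vulnerable pin."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv["component"].lower())
        if installed is None:
            continue  # component not in this application
        if parse_version(installed) < parse_version(adv["affected_below"]):
            findings.append((adv["component"], installed, adv["fixed_in"], adv["id"]))
    return findings


if __name__ == "__main__":
    for name, have, fix, adv_id in find_unpatched(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{name} {have} is affected by {adv_id}; a fix has been available since {fix}")
```

A real inventory would come from a build tool or SCA scanner and the advisory feed from a vulnerability database, but the comparison step is the same.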
Given that open source is at the core of commercial application development, it should be no surprise that almost all — 96 percent — of the 1,000+ applications scanned to compile our annual Open Source Security and Risk Analysis (OSSRA) report contained open source components. What may come as a surprise is that 67 percent of the applications containing open source also had known vulnerabilities – making them prime targets for the next WannaCry.
From an industry level, the results of the OSSRA report are even more alarming. The Retail and E-commerce space had the highest proportion — 83 percent — of applications containing high-severity open source vulnerabilities. The Financial Services and FinTech industry had the highest — 53 percent — average vulnerabilities per application, with 60 percent of those applications containing high-risk vulnerabilities. Ironically, the audits also revealed that Cybersecurity applications had a disturbingly high incidence — 59 percent — of high-risk vulnerabilities.
These vulnerabilities (and, in most cases, their patches) had, on average, been publicly disclosed for slightly over four years, giving would-be hackers a ripe target, as organizations fail to patch or update vulnerable open source components — often because they don’t realize those components live inside their applications.
With open source existing in almost 100 percent of today’s applications, and with applications the #1 target of cyberattacks, how long will it be until the next WannaCry uses the open door of an unpatched open source vulnerability? We all have a lot of work to do to close the cybersecurity gap. As Brad Smith of Microsoft noted in response to WannaCry, “… cybersecurity has become a shared responsibility between tech companies and customers.”