WASHINGTON – A Microsoft executive said Sunday that the massive global ransomware attack – a cyber attack in which an operating system is locked until a ransom is paid – shows why governments should share vulnerabilities with technology companies rather than hoarding them for potential exploits.
Brad Smith, president and chief legal officer at Microsoft, sharply criticized the U.S. National Security Agency in a company blog post for its potential role in weaponizing a vulnerability in the technology company’s operating system. Hackers stole the vulnerability from the NSA, and others potentially used it to carry out the largest ransomware attack ever, named WannaCrypt, which began Friday.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith said. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
Smith compared the NSA losing track of its cyber weapon to the U.S. military having Tomahawk cruise missiles stolen. The U.S. used Tomahawk missiles last month to attack a Syrian government air base.
He called, as he did in February, for a “Digital Geneva Convention” to govern weapons in cyberspace the same way governments monitor weapons in the physical world. As part of the Digital Geneva Convention, Smith called for “a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
Information on the vulnerability exploited in the WannaCrypt attack (also called WannaCry, Wana Decryptor or WCry) was reportedly stolen from the NSA in April. It was posted to GitHub by the hacker group Shadow Brokers, but it is unclear whether the WannaCrypt hackers used the stolen NSA information to launch WannaCrypt. Microsoft had released an update to patch the vulnerability the month before, apparently identifying the hole on its own. The fix required users to update their operating systems.
Many computers remained unpatched, allowing the WannaCry bug to infect them. Europol, the intelligence agency of the European Union, estimated Sunday that the attack had hit at least 150 countries and infected 200,000 machines. Among those hit are hospitals, universities, manufacturers and government agencies in Britain, China, Russia, Germany and Spain.
On affected computers running Windows, the WannaCrypt software encrypts files and displays a ransom message demanding $300 in the online currency bitcoin. The computer screen locks up and displays two countdown clocks: one showing the time until the ransom doubles and the other the time until all files are deleted.
Cyber security experts are urging those affected not to pay the ransom, noting that victims might not get their files back even if they pay the fee. A Twitter bot tracking payments made to WannaCrypt currently puts the total paid in ransoms at $55,800.
Matthew Hickey, a cyber-security researcher at U.K.-based firm Hacker House, said that once the fee is paid, the hacker must manually activate decryption for files to be released, rather than this happening automatically.
Variants of the ransomware are appearing online, according to reporting by Bleeping Computer, including at least five different WannaCrypt knockoffs in various forms of development.
In the Sunday blog post, Smith stated that the cyber attack is further evidence that cybersecurity has become a shared responsibility between tech companies and customers.
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past,” he said.
Microsoft offered software patches to protect against the ransomware, and over the weekend released security updates for Windows XP and other operating system versions it no longer supported. This allowed users of the older systems to secure their computers without upgrading to the latest operating software.
Smith’s statement made no mention of pirated Microsoft software, users of which cannot download the security patch.
He said Microsoft is “working comprehensively to address cybersecurity threats,” and said the company will share with relevant law enforcement what lessons it learns from this attack.