WannaCry should make people treat cyber-crime seriously

IN 1933 Britain’s parliament was considering the Banditry bill—the government’s response to a crime wave. The problem was that criminals were using a newfangled invention, the motor car, to carry out robberies faster than the police could respond. The bill’s proposed answer to these “smash-and-grab” raids was to create new powers to search cars and to construct road blocks.

In the end, the Banditry bill was not enacted. Its powers were too controversial. But the problem did not go away; what the bill proposed was eventually permitted, and now seems normal. Since then, the technology of theft has not stood still. Indeed, just as in the 1930s, it remains one step ahead of the authorities.

On May 12th, for instance, security companies noticed that a piece of malicious software known as WannaCry was spreading across the internet, first in Britain and Spain, and then around the world. It would reach 230,000 computers in 48 hours, an unprecedented scale of infection according to Europol, Europe’s international police agency. WannaCry rendered useless some of the computers that help run Britain’s National Health Service (NHS), causing ambulances to be diverted and shutting down non-emergency services. It also nabbed machines at Telefónica, Spain’s biggest telecommunications company; at Hainan, a Chinese airline; and even in Russia’s interior ministry.

Malicious software (“malware”, for short) is designed to infect and damage computers. Sometimes, especially if the creators are youngsters flexing their programming muscles, it is written for the sheer hell of it. Sometimes, it is the work of governments, designed to harm the interests of rivals or enemies. Usually, though, it is written for profit. This seems to have been the case for WannaCry, the modus operandi of which is to encrypt a victim’s files and demand payment to reverse that encryption—a common technique, known as ransomware. What makes the WannaCry attack special is its scale and the high-profile nature of its victims. That public profile has led to the asking of questions similar to those which resulted in the Banditry bill.

Bugging out

WannaCry is a combination of two kinds of malware. One, known as a worm, is designed to spread from computer to computer. The other, delivered by the worm, is the encrypting ransomware itself. It is this combination that has made WannaCry so threatening. Ransomware is usually delivered one user at a time, via spoof e-mails which tempt the recipient to click on a link or attachment that then downloads and activates the software. In this case, a single click was able to infect an entire network.

The outbreak was terminated not by official action but by vigilantism. The malware had its head lopped off by a security consultant who goes by the pseudonym “MalwareTech”—for not everyone in the complex ecosystem of computer hacking is a bad guy. MalwareTech discovered that every time a copy of WannaCry runs, it pings out onto the internet a request for a response from a non-existent web address. This behaviour is intended to check that the copy in question is truly out in the wild, and is not being examined in a “sandbox”, a closed piece of software in which security researchers can dissect digital bugs to learn their secrets.

Sandboxes simulate access to the entire internet, to persuade the malware under examination to run at full capacity and reveal its secrets. That means responding to all pings in the way a real responder would. So, if a ping returns from the non-existent address, the program can deduce it is in a sandbox, shut itself down, and thus retain its secrets. MalwareTech worked out the web address in question, registered and activated it, and thus convinced every copy of WannaCry that it was in a sandbox and so should shut up shop.

All credit, then, to MalwareTech. But the simplicity of stifling WannaCry suggests the whole thing was a bit of a botched job—as does the apparent business model of its creators. Professional ransomware operations come with fully operational call centres in which real people answer calls from distressed owners of infected machines in order to walk them through the process of getting their files back (and paying the ransom, of course).

WannaCry has none of these. It simply asked for payment, into a particular account, of a sum in bitcoin, an electronic currency. Moreover, Check Point, a computer-security consultancy in Israel, has shown that WannaCry’s encryption software is so badly assembled that decrypting a user’s data after payment has been made is practically impossible. Properly organised ransomware criminals, alive to the advantages of repeat business, usually do unencrypt the hostage data once the money has been paid.

“This is not a serious organised crime gang,” Ross Anderson, professor of computer security at Cambridge University, says of the entity behind WannaCry. “It’s some kid in a basement in São Paulo or Bucharest or Aberystwyth. If he has any sense, he will smash his hard drive and burn the shards in a bonfire, and never cash in the bitcoin he’s been sent, because there are about 30 nation states that would like a chat with him.”

In contrast to its encryption software, however, WannaCry’s worm, which spread it so fast, is a sophisticated piece of coding. That is because it reuses software stolen several months ago from America’s National Security Agency (NSA), and released online by a hacking group known as the “Shadow Brokers”. The stolen software exploits a vulnerability that the NSA discovered in a piece of Microsoft’s Windows operating system known as the Server Message Block, which handles networking between computers. This bug, which first appeared in Windows XP, in 2001, has stuck around in all subsequent versions. How long the NSA had known about it, and kept it secret, is unclear.

Computers manage their connections to one another through a series of ports, normally 1,024 of them. Each is assigned a specific sort of task, and can be opened and closed as needed. Port 25, for instance, is designated for sending e-mail. The vulnerability discovered by the NSA lets WannaCry spread from machine to machine, as long as those machines have port 445 left open. On home computers’ internet connections, and on astutely managed institutional networks, port 445 is usually kept firmly shut. Exactly how many left it open, and fell victim to WannaCry, has yet to be determined.

Software underbelly

Despite the flurry of headlines, WannaCry is not the worst malware infection the world has seen. Other worms—Conficker, MyDoom, ILOVEYOU—caused billions of dollars of damage in the 2000s. But Bruce Schneier, a noted independent security expert, points out that people seem to have a fundamental disregard for security. They frequently prefer to risk the long-term costs of ignoring it rather than pay actual cash for it in the present.

Here, perhaps, the headlines around WannaCry may do some good. Managers in organisations like the NHS know that there will be no second chances for them in this area. If there is another successful attack, heads will roll. WannaCry’s fame has also drawn attention to criminals’ normal business of attacking targets that can be relied on to pay up quickly and quietly. Often, these are indeed hospitals. But not the hospitals of an entire country. This is not publicity those criminals will welcome.

That said, the activities of malware criminals do indeed resemble those of Britain’s 1930s smash-and-grab gangsters in that they take advantage of getaway speeds offered by new technology—speeds with which the authorities have not yet caught up. Criminals can, in effect, retreat at the velocity of light, to a safe jurisdiction that is near-impossible to discover anyway. If they are to be stopped, someone will have to devise modern-day electronic equivalents of road blocks and search warrants.