An outbreak of ransomware raged across the internet on Friday. The software, called WannaCry, encrypted the files on a victim’s computer and demanded a ransom to get them back. Then on Friday afternoon, Eastern time, the infection suddenly stopped spreading. The seemingly miraculous reprieve occurred because a security researcher had discovered the software’s Achilles’ heel. By registering an obscure web address that was hard-coded into the malware, he was able to stop its spread.
Unfortunately the reprieve was only temporary. By Sunday, people had started creating new versions of the software that didn’t have the original’s weakness.
Ultimately, the ransomware outbreak will only end when users and IT professionals around the world update their software to eliminate the security flaw that the malware exploited. This weekend’s temporary pause gave IT workers precious hours to update their systems. But a lot more work is needed to prevent a recurrence of the malware threat.
The original malware was badly designed
On Friday, a British security researcher who goes by the pseudonym MalwareTech online discovered that WannaCry was trying to connect to a seemingly random internet domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. The researcher registered the domain to help him track the malware’s spread. Almost immediately, WannaCry stopped infecting new computers.
What was going on? Security researchers studying malware like WannaCry will often install it in a virtual environment, much as biologists will grow bacteria in a petri dish. Anticipating this, malware sometimes tries to detect whether it’s in a digital petri dish. If so, it shuts down to prevent further analysis.
WannaCry’s petri dish detection strategy was to ping a web address that the program’s authors knew didn’t exist. On the real internet, the request would fail, but a virtual machine might return a fake website, alerting WannaCry that the software wasn’t operating on the real internet.
But once a security researcher actually registered the domain, this strategy backfired. Suddenly, copies of WannaCry on the real internet believed they were in a digital sandbox and shut down.
Experts say this was an amateur-hour performance by WannaCry’s authors. More sophisticated malware, for example, might have pinged a different, randomly chosen address each time the software is run instead of hard-coding one address into the software.
The flaw in WannaCry was also easy to fix. Before long, security experts began to see new versions of the malware circulating online that weren’t vulnerable to the original’s huge flaw.
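As an added example that is not part of the original article: a small script that scans a constructed DNS resolver log (the line format is an assumption) for lookups of the kill-switch domain quoted above, so a defender can list hosts that ran the original sample and see whether the domain answered them at the time.

```python
import re
from collections import defaultdict

# Kill-switch domain hard-coded into the original WannaCry sample, as quoted in the article.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (not real data). The line format is an assumption:
#   <timestamp> <client_ip> query <qname> <answer or NXDOMAIN>
SAMPLE_LOG = """\
2017-05-12T13:02:11Z 10.0.4.17 query www.example.com 93.184.216.34
2017-05-12T13:02:14Z 10.0.4.22 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T13:02:15Z 10.0.4.22 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T19:40:07Z 10.0.4.31 query IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. 203.0.113.5
2017-05-12T19:41:02Z 10.0.4.17 query update.example.org 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

def normalize(qname):
    """Lower-case and drop the trailing dot so 'EXAMPLE.COM.' matches 'example.com'."""
    return qname.rstrip(".").lower()

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map client IP -> [(timestamp, answer), ...] for each lookup of the kill-switch domain."""
    # The sample resolves the domain before deciding whether to run, so the lookup itself is the signal.
    target = normalize(domain)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the assumed format
        ts, client, qname, answer = m.groups()
        if normalize(qname) == target:
            hits[client].append((ts, answer))
    return dict(hits)

def triage(hits):
    """Per host: an answered lookup means the sample saw its 'sandbox' signal and stopped;
    NXDOMAIN on every lookup means the kill switch was not yet live when that host queried."""
    return {
        ip: "domain answered, sample would have stopped"
        if any(answer != "NXDOMAIN" for _, answer in entries)
        else "no answer, kill switch not in effect"
        for ip, entries in hits.items()
    }

if __name__ == "__main__":
    for ip, verdict in triage(find_kill_switch_lookups(SAMPLE_LOG)).items():
        print(f"{ip}: {verdict}")
```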
Windows users need to keep their software up to date
There’s a lot of blame to go around here. Microsoft deserves some blame for poor Windows security. The National Security Agency deserves some blame for creating a database of Windows vulnerabilities and then failing to secure it properly. Of course, the author of WannaCry deserves the lion’s share of the blame.
But users and IT administrators also bear significant responsibility. Microsoft released an update back in March to fix the security flaw exploited by WannaCry. And the latest version of Windows installs security updates automatically, which means that if you have a relatively new Windows laptop, you shouldn’t have to do anything to stay secure.
The problem is that there are a lot of Windows computers out there that either don’t have automatic updates enabled or are so outdated that Microsoft has stopped providing security updates altogether.
Many of these machines are in corporate networks. Company IT professionals often delay software updates for fear that they could break existing software. The rapid spread of WannaCry on Friday helped motivate a lot of security professionals to put in extra hours on the weekend to make sure their systems wouldn’t be vulnerable.
Out-of-date software is a persistent problem
In other cases, companies have ancient programs or devices that only work with outdated versions of Windows.
For example, WannaCry hit British hospitals hard because many of them are still using the 16-year-old Windows XP operating system. A big reason for this: They have expensive machinery like MRI machines that was designed to work with Windows XP and doesn’t work with more modern operating systems. So despite pressure from the British government to upgrade, hospitals continue to run outdated versions of Windows.
IT administrators are in a difficult spot here. If they insist on upgrading machines, they could break compatibility with equipment that might cost tens or even hundreds of thousands of dollars. On the other hand, if they don’t upgrade, then machines are vulnerable to malware like WannaCry.
The problem is that Microsoft stopped providing free security updates for Windows XP in 2014, arguing that the software was long out of date and customers should upgrade to a modern operating system. Customers who really need to continue using Windows XP have the option to purchase extended support contracts, but few British hospitals have done so.
Over the weekend, Microsoft took the unusual step of releasing a security update for Windows XP that fixes the flaw exploited by WannaCry. But the Redmond giant is wary of making this a regular practice because it could be stuck offering free updates to ancient software forever.
The ultimate solution here is for companies to sell software as a subscription service rather than as a one-time purchase. The industry has been moving in that direction for years. For example, Microsoft encourages customers to sign up for its Office 365 subscription service. With continued subscription revenue, Microsoft could afford to offer security updates and bug fixes for old versions of its software for as long as customers wanted to pay for them.
But customers have been resistant to this change, preferring to pay once for software they can use forever. And even if Microsoft convinces all of its new customers to sign up for Windows subscription services at some point in the future, it will still have a backlog of customers running older versions of Windows that they purchased outright — customers who expect to receive free security upgrades indefinitely. Which means the internet will be a fertile place for malware like WannaCry for years to come.