Yes, you can. Having said that, for the NHS it was probably a bit more difficult to avoid it.
After last weekend, it is hardly necessary to explain what ransomware is anymore – even if not all media got the details correct. Ransomware is a particular type of malicious software (“malware”), that asks for a ransom to get the affected computer back to its original state. Like most ransomware, the current variant (“WannaCry”) replaces the user’s data files by encrypted versions for which only the criminals have the decryption key. Often such ransoms need to be paid in the online currency “bitcoin”. This means that even paying the ransom is a challenging experience for many of the victims, with the criminals often offering help (!) This is part of the game: the criminals need their victims to build up some trust, so they will also trust the criminals to deliver when they pay up. Nevertheless the official advice is still not to pay, as you can never be sure, and nobody likes to support this particular “business” model. As far as we can tell nobody has even received a decryption key after paying for this particular infection.
So how could you land with ransomware on your computer?
Old software, missing updates, clicking the wrong links …
All malware relies on “vulnerabilities” in software for the malware to take hold. In this case, it was a vulnerability in Microsoft operating systems, for which updates had been sent out in March 2017. Nobody who applied those updates will have been hit by WannaCry. Unfortunately, public free support for Windows XP (not sold since 2008) had stopped in 2014, so no free update for that was available. The vulnerability exists in Windows XP, too, and Microsoft had a fix available – initially for a price, but as of this weekend this is also available for free.
The existence of a vulnerability by itself will not normally lead to ransomware infection – it also needed some action by a user. The most common such action these days is clicking on a “wrong” link in an email which looks like it comes from a trusted source (“phishing”, or if it’s cleverly targeted, “spear fishing”). Unfortunately, there is an “arms race” in this area: criminals get better at creating realistic looking emails, so even though users are more aware of the risks, they also stand a worse chance of spotting the best phishing emails than ever before. With all sorts of internet services regularly sending out emails with bona fide links in there, this is a problem that will need a radical solution soon.
The NHS, despite a huge IT budget, was always at a higher risk of catching this strand of ransomware than most people at home. Many of their computers still run on Windows XP, so would not have been updated in time. In many cases, moving away from XP for the NHS (and many other large organisations) is not just a question of simple replacement cost. They also have crucial software that will not work with newer operating systems, or worse: an XP based computer may actually be built into a complex medical instrument. Replacing those in their entirety is a much bigger job, and even having had extended XP support over 2014-15 it is not clear the NHS could have realistically done so by now. Most home computers on XP have probably long been retired because they were getting too slow for the newest games …
This aspect of the story won’t go away with Microsoft releasing an XP update to combat WannaCry. Every update released for newer Microsoft operating systems addresses and through that implicitly publicizes a vulnerability that may have existed in XP already, with no free public updates provided for that …
Another very political can of worms in this story is that the vulnerability had been known to the NSA, held in their stash of vulnerabilities to exploit when they needed to break into people’s computers. The NSA will likely have known about this one since well before XP support was stopped.
Can you be safe even if you’ve been hit by ransomware?
Yes, provided you had backups of your data. That has always been a good strategy – disc drives can crash, laptops can get stolen, and in this case having a backup allows you to put the original files in place again instead of the maliciously encrypted ones. Because you also need to get rid of the malware, and you need to avoid re-infecting yourself and others, this is a task that should not be undertaken without expertise.
Cyber security researchers are working on research to address all this in various directions, often with interdisciplinary aspects as some of it relates to how humans operate and can be manipulated. Ransomware encryption methods are broken, bitcoin payments on the blockchain are traced, email filtering gets improved to catch more phishing emails.
Funded by the national research funding agency EPSRC, Professor Eerke Boiten at the CTI is leading EMPHASIS, a £900K research project into all aspects of ransomware, with computer scientists, economists, psychologists and criminologists from the universities of Kent, Leeds and Newcastle, De Montfort University and City University London.
This blog post was written by Professor Eerke Boiten, Professor of Cyber Security at the Cyber Technology Institute, De Montfort University, Leicester.