Wesley McGrew

Health Care

Lessons Learned From the WannaCry Ransomware Attack

When the worm turns

Published: Wednesday, June 7, 2017 - 12:02

Last month, the WannaCry ransomware attack hit more than 150 countries and infected tens of thousands of systems worldwide. Among those victimized were England’s National Health Service, automobile manufacturers, and government systems. The worm’s ominous red ransom screen, informing the user that all files have been encrypted, was found not only on users’ desktops, but also on ATM screens, parking meters, digital billboards, and industrial control systems.

College textbooks on computer security have a table of terms for malicious software, including “virus,” “worm,” “Trojan horse,” and (more recently) “ransomware.” Neatly defined categories are useful when a professor wants to give a multiple-choice test, but the real world is no longer so well-defined. WannaCry combines the defining characteristics of both ransomware and worms.

The dangerous combination of ransomware and worms

A network worm is a type of malicious software that spreads from machine to machine, autonomously, typically using some common vulnerability. Worms that infect large numbers of hosts are not as common as other types of malware, since they require a reliable exploit for a widespread vulnerability that has a public attack surface. The recent Server Message Block (SMB) vulnerability in Microsoft Windows has readily available exploit code, and despite being patched in March by Microsoft, many organizations have not updated their systems with the fix. This gives WannaCry a target-rich environment in which to spread.

Most users and organizations are more familiar with ransomware than worms—in fact, many have first-hand experience. Combining the rapid and broad spread of a network worm with the damage and monetary demands of ransomware can make for a painful worldwide incident. In a post several months ago, I discussed the evolution of ransomware away from spreading mechanisms that rely on “tricking” the user, toward exploitation of IT infrastructure vulnerabilities.

Who is to blame?

The knee-jerk reaction of the security community is to point the finger at the victims: They should have already applied the patches that fix the SMB vulnerability. The patches have been available for a couple months now. Still, some contend that this is not a realistic expectation. There are devices that cannot be patched easily by the end user (including medical devices and manufacturing equipment), and there is also software that must be tested extensively before being run on a modified operating system.

To patch or not to patch

Should you patch? The answer to this seems obvious, but is more nuanced. When a security advisory is published, you should patch as many systems as you can, as soon as you can. The security industry’s advice to clients can’t end there, however.

You already know that patches occasionally cause as many problems as they fix, destabilizing systems and causing incompatibility with software and hardware. A balance has to be struck where the majority of systems—those running typical desktop software—get patched automatically and quickly, while testing is performed to determine if the patch is safe for the more mission-critical systems. A decision should be made for critical security advisories: Is the risk presented by a new patch greater than the certainty of getting infected with something like WannaCry if the patch is not applied?

Implications of not patching

The decision not to patch a system, such as an old workstation connected to a medical imaging device, is not to be taken lightly. You might be forced to maintain a vulnerable software version by incompatibilities and lack of support by the vendor. That means you have to take further action to secure that system. Network segmentation and isolation are key elements of defending these systems. So, implement firewalls and access controls that prevent other systems from communicating with these vulnerable devices unless they have an operational need to do so.

Future outbreaks of malicious software are likely to contain damaging and expensive ransomware payloads. Keeping up to date with operating system and software patches is important. When it’s not possible to patch, it’s your responsibility to implement security controls and intensive monitoring around the otherwise-vulnerable systems—or reap the consequences.
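The segmentation and monitoring advice above can be checked rather than just stated. The following is an added example, not code from the article or its author: a Python audit that reads constructed connection records against a hypothetical allowlist for unpatchable hosts (the addresses, the "PACS server" and "line controller" roles, and the record format are all assumptions), flags any SMB or other access to an isolated host from a source without an operational need, and reports sources that reach several isolated hosts over SMB, which is the footprint a worm-style spread would leave in your logs.

```python
from collections import defaultdict

SMB_PORTS = {139, 445}

# Hypothetical policy: each unpatchable host and the only peers permitted to reach it.
ISOLATED_HOSTS = {
    "10.20.5.17": {"10.20.5.3"},  # imaging workstation: its PACS server only
    "10.20.7.40": set(),          # line controller: no inbound from other hosts
}

def parse_flow(line):
    """Parse a constructed record "<ts> <src> -> <dst>:<dport>/<proto>"."""
    ts, src, _arrow, rest = line.split()
    dst, port_proto = rest.rsplit(":", 1)
    dport, proto = port_proto.split("/")
    return ts, src, dst, int(dport), proto

def classify(src, dst, dport):
    """Label a policy violation; None when the flow is permitted or out of scope."""
    if dst not in ISOLATED_HOSTS or src in ISOLATED_HOSTS[dst]:
        return None
    return "smb-to-isolated-host" if dport in SMB_PORTS else "unapproved-access-to-isolated-host"

def audit(lines, fanout_threshold=2):
    """Return (violations, fanout): each violating flow, plus sources that reach
    several isolated hosts over SMB, the footprint worm-style spreading leaves."""
    violations, smb_targets = [], defaultdict(set)
    for line in lines:
        ts, src, dst, dport, _proto = parse_flow(line)
        label = classify(src, dst, dport)
        if label:
            violations.append((ts, src, dst, dport, label))
            if label == "smb-to-isolated-host":
                smb_targets[src].add(dst)
    fanout = {s: sorted(t) for s, t in smb_targets.items() if len(t) >= fanout_threshold}
    return violations, fanout

# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    "2017-05-12T10:01:03 10.20.5.3 -> 10.20.5.17:445/tcp",    # PACS to imaging host: allowed
    "2017-05-12T10:01:09 10.20.9.88 -> 10.20.5.17:445/tcp",   # desktop reaching imaging host
    "2017-05-12T10:01:11 10.20.9.88 -> 10.20.7.40:445/tcp",   # same desktop, second isolated host
    "2017-05-12T10:02:30 10.20.9.90 -> 10.20.7.40:3389/tcp",  # RDP to line controller
    "2017-05-12T10:03:00 10.20.9.91 -> 10.20.3.5:445/tcp",    # file server: not in policy
]

if __name__ == "__main__":
    violations, fanout = audit(SAMPLE_FLOWS)
    print(*violations, sep="\n")
    print("smb fan-out:", fanout)
```

Feed it the connection logs from the firewall that sits in front of the segmented devices; an empty result is the evidence that the access controls are actually holding.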


About The Author


Wesley McGrew

Wesley McGrew serves as the director of cyber operations for HORNE Cyber Solutions. Known for his work in offensive information security and cyber operations, McGrew specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.