Wesley McGrew

Health Care

Lessons Learned From the WannaCry Ransomware Attack

When the worm turns

Published: Wednesday, June 7, 2017 - 11:02

Last month, the WannaCry ransomware attack hit more than 150 countries and infected tens of thousands of systems worldwide. Among those victimized were England’s National Health Service, automobile manufacturers, and government systems. The worm’s ominous red ransom screen, informing the user that all files have been encrypted, was found not only on users’ desktops, but also on ATM screens, parking meters, digital billboards, and industrial control systems.

College textbooks on computer security have a table of terms for malicious software, including “virus,” “worm,” “Trojan horse,” and (more recently) “ransomware.” Neatly-defined categories are useful when a professor wants to give a multiple-choice test, but the real world is no longer so well-defined. WannaCry combines the defining characteristics of both ransomware and worms.

The dangerous combination of ransomware and worms

A network worm is a type of malicious software that spreads from machine to machine, autonomously, typically using some common vulnerability. Worms that infect large numbers of hosts are not as common as other types of malware, since spreading that way requires a reliable exploit for a widespread vulnerability that has a public attack surface. The recent Server Message Block (SMB) vulnerability in Microsoft Windows has readily available exploit code, and despite being patched in March by Microsoft, many organizations have not updated their systems with the fix. This gives WannaCry a target-rich environment in which to spread.

Most users and organizations are more familiar with ransomware than worms—in fact, many have first-hand experience. Combining the rapid and broad spread of a network worm with the damage and monetary demands of ransomware can make for a painful worldwide incident. In a post several months ago, I discussed the evolution of ransomware away from spreading mechanisms that rely on “tricking” the user, toward exploitation of IT infrastructure vulnerabilities.

Who is to blame?

The knee-jerk reaction of the security community is to point the finger at the victims: They should have already applied the patches that fix the SMB vulnerability. The patches have been available for a couple of months now. Still, some contend that this is not a realistic expectation. There are devices that cannot be patched easily by the end user (including medical devices and manufacturing equipment), and there is also software that must be tested extensively before being run on a modified operating system.

To patch or not to patch

Should you patch? The answer to this seems obvious, but is more nuanced. When a security advisory is published, you should patch as many systems as you can, as soon as you can. The security industry’s advice to clients can’t end there, however.

You already know that patches occasionally cause as many problems as they fix, destabilizing systems and causing incompatibility with software and hardware. A balance has to be struck where the majority of systems—those running typical desktop software—get patched automatically and quickly, while testing is performed to determine if the patch is safe for the more mission-critical systems. A decision should be made for critical security advisories: Is the risk presented by a new patch greater than the certainty of getting infected with something like WannaCry if the patch is not applied?

Implications of not patching

The decision not to patch a system, such as an old workstation connected to a medical imaging device, is not to be taken lightly. You might be forced to maintain a vulnerable software version by incompatibilities and lack of support by the vendor. That means you have to take further action to secure that system. Network segmentation and isolation are key elements of defending these systems. So, implement firewalls and access controls that prevent other systems from communicating with these vulnerable devices unless they have an operational need to do so.

Future outbreaks of malicious software are likely to contain damaging and expensive ransomware payloads. Keeping up to date with operating system and software patches is important. When it’s not possible to patch, it’s your responsibility to implement security controls and intensive monitoring around the otherwise-vulnerable systems—or reap the consequences.
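The two controls the last sections call for, segmentation with a default-deny allowlist around devices that cannot take the patch and intensive monitoring of what gets blocked, can be sketched in a small amount of code. The following is an added example, not code from the article or from HORNE Cyber Solutions. All addresses, the isolated segment, the allowlist entries, the firewall log lines and the `ISOLATED-DROP` log prefix are constructed for illustration; the iptables commands it emits are illustrative of the rule order (explicit accepts first, then log-and-drop for everything else into the segment) rather than a finished ruleset for any particular firewall.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed example: a network segment that holds unpatchable devices, such as
# an old workstation attached to a medical imaging device. Hypothetical addresses.
ISOLATED_SEGMENT = ipaddress.ip_network("10.20.30.0/24")


@dataclass(frozen=True)
class AllowRule:
    """One flow with a documented operational need to reach an isolated device."""
    src: ipaddress.IPv4Network   # which host(s) may initiate the connection
    dst: ipaddress.IPv4Network   # which isolated device(s) they may reach
    port: int                    # TCP destination port they need


# Hypothetical allowlist: only these flows may enter the segment; all else is denied.
ALLOWLIST = [
    # image archive server pulls studies from the imaging workstation (DICOM port)
    AllowRule(ipaddress.ip_network("10.1.5.10/32"), ipaddress.ip_network("10.20.30.15/32"), 104),
    # vendor maintenance jump host may reach the workstation over RDP
    AllowRule(ipaddress.ip_network("10.1.9.4/32"), ipaddress.ip_network("10.20.30.15/32"), 3389),
]


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default-deny decision for TCP flows INTO the isolated segment.

    Flows whose destination lies outside the segment are not governed by this
    policy and are reported as allowed here.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in ISOLATED_SEGMENT:
        return True
    return any(s in r.src and d in r.dst and port == r.port for r in ALLOWLIST)


def to_iptables(rules, segment) -> list:
    """Render the allowlist as FORWARD-chain commands: accepts first, then a
    logged drop for any other traffic destined to the segment."""
    lines = [
        f"iptables -A FORWARD -s {r.src} -d {r.dst} -p tcp --dport {r.port} -j ACCEPT"
        for r in rules
    ]
    lines.append(f"iptables -A FORWARD -d {segment} -j LOG --log-prefix 'ISOLATED-DROP '")
    lines.append(f"iptables -A FORWARD -d {segment} -j DROP")
    return lines


# Constructed kernel log lines in the iptables LOG target's field layout.
SAMPLE_LOG = """\
May 12 14:02:11 fw kernel: ISOLATED-DROP IN=eth0 OUT=eth1 SRC=10.1.7.22 DST=10.20.30.15 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4101 DF PROTO=TCP SPT=49211 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May 12 14:02:11 fw kernel: ISOLATED-DROP IN=eth0 OUT=eth1 SRC=10.1.7.22 DST=10.20.30.16 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4102 DF PROTO=TCP SPT=49212 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May 12 14:02:12 fw kernel: ISOLATED-DROP IN=eth0 OUT=eth1 SRC=10.1.7.22 DST=10.20.30.17 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4103 DF PROTO=TCP SPT=49213 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May 12 14:05:40 fw kernel: ISOLATED-DROP IN=eth0 OUT=eth1 SRC=10.1.3.8 DST=10.20.30.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def smb_scan_sources(log_text: str, min_targets: int = 3) -> dict:
    """Monitoring side: find sources whose denied TCP/445 attempts touched at least
    min_targets distinct isolated hosts. One internal host sweeping SMB across the
    segment is the signature of worm-style lateral spread, so it merits a response
    even though the firewall already dropped the traffic."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if "ISOLATED-DROP" not in line:
            continue
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "445":
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print("\n".join(to_iptables(ALLOWLIST, ISOLATED_SEGMENT)))
    print("allowed DICOM pull:", is_allowed("10.1.5.10", "10.20.30.15", 104))
    print("SMB from random desktop:", is_allowed("10.1.7.22", "10.20.30.15", 445))
    print("sources sweeping SMB into the segment:", smb_scan_sources(SAMPLE_LOG))
```

The point of the allowlist being a data structure rather than hand-written rules is that the same list answers three questions: whether a given flow should pass (`is_allowed`), what the firewall configuration must contain (`to_iptables`), and, via the log prefix it emits, which denied flows the monitoring should read. Note that the SMB sweep from `10.1.7.22` is flagged even though every one of its attempts was blocked; the segmentation protected the devices, but the monitoring is what tells you a host on the other side of the firewall is already compromised.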


About The Author

Wesley McGrew

Wesley McGrew serves as the director of cyber operations for HORNE Cyber Solutions. Known for his work in offensive information security and cyber operations, McGrew specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.