SAN FRANCISCO – The massive WannaCry ransomware attack has hit hundreds of thousands of computers from Taiwan to the United Kingdom. Despite the global nature of the attack, few networks and companies in the United States appear to have been hit.
The reason, say cybersecurity analysts, is a combination of luck, geography, and adherence to software updates, though the United States is by no means invulnerable to such attacks.
The ransomware encrypted all the files on an infected computer and demanded the equivalent of approximately $300 in bitcoin, an untraceable digital currency, to unlock a user’s data. It began Friday and quickly spread, infecting computers at Spanish phone company Telefonica, one-fifth of the hospitals in the United Kingdom – forcing some doctors to halt procedures or turn patients away – as well as automaker Renault and U.S. shipper FedEx. Over the weekend, it hit thousands of computers in Asia.
But fears it would bring companies to a standstill Monday morning weren’t realized.
“The good news is the infection rates have slowed over the weekend,” said U.S. homeland security adviser Tom Bossert in a press conference Monday. He said the attack affected more than 300,000 victims in 150 countries, but only a small number of U.S. parties fell victim. U.S. federal systems hadn’t been infected, he said.
U.S. roots but few U.S. infections
The WannaCry ransomware takes advantage of flaws in unpatched copies of some versions of Windows, especially Windows XP. Users still running that operating system, which Microsoft stopped supporting three years ago, were vulnerable to an attack. Microsoft issued a patch to fix the vulnerability on March 14 but many systems did not install it.
Ransomware has existed since at least 2005, but this one is different, making the attack more worrisome.
Unlike typical ransomware hacks, which require an individual user to open an emailed attachment or click on an advertisement that contains malicious software, the WannaCry hack appears able to transmit itself without the user doing anything.
“WannaCry is the first one to completely automate,” said Craig Williams, a senior technical leader at Talos, the security research arm of tech company Cisco.
The ransomware spreads from network to network, using a vulnerability taken from cyber tools released in an online data dump by a group calling itself the Shadow Brokers. Some cyber analysts say the group stole the vulnerability from the National Security Agency.
Asked in a press conference on Monday whether the code had indeed originally come from the NSA, Bossert said it “was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states.”
He did not address the issue of whether the original exploitable flaw the ransomware was based on came from NSA cyber tools.
The swift-moving spread of the malware over the weekend prompted some to fear a second wave of locked machines and halted systems on Monday. Adding to those fears: security analysts said unblocked variants of the original malware were attacking.
While the initial version of the ransomware was disabled within about seven hours, at least 469 copycat variations have been released since Monday, according to Andreas Marx with AV-Test, a German-based security testing company.
The United States may have dodged the attack because companies keep software updated, pressured by the threat of lawsuits. “We’re more litigious, companies know there will be consequences if they’re not adequately protected,” said Ed Stroz, co-founder of Stroz Friedberg, a New York City-based digital risk management firm.
U.S. companies and individuals are also more security-conscious – and, frankly, wealthy enough – that they can afford to run security programs that proved protective against the software.
Pirated versions of Windows blamed
Another reason computers in the United States were not so hard-hit is that companies and individuals in the United States are much less likely to run pirated versions of the Windows operating system, said Adam Levin, chair of CyberScout, a data risk service.
That’s not always the case, especially in Asia and eastern Europe, which appear to have been hardest hit by the attack.
“If you buy bootleg software, and we know this is a big problem in other parts of the world, you may be taking on risk you didn’t even realize you were taking,” Levin said.
Not every country or company is as aggressive about security patches as it should be. “The U.S. generally has (paid) more attention to security than other countries may,” said Sean Dillon, a senior security analyst with RiskSense Inc.
People who are running older computers and software may be more vulnerable because they don’t necessarily have access to the newest security bells and whistles.
“Because of the way in which the worm spreads, its success will be directly correlated to organizations that have the vulnerability still open. It’s reasonable to assume that there are large populations of those systems in certain countries,” said Steve Grobman, chief technology officer at McAfee.
Another explanation has been that WannaCry was not actually active for very long before it was shut down by a 22-year-old security researcher in London who goes by the name MalwareTech. By most accounts, it only ran for about seven hours, from 3:30 a.m. ET on Friday to about 10 a.m. ET.
Because the malware spread from unprotected network to unprotected network, it relied upon quirks of geography and topology to propagate. Networks within countries and regions tend to be more densely connected than those physically distant from each other, so with the largest sites of infection in eastern Europe and Asia, there weren’t as many likely jumps it could make to the United States.
Had it found one early on, the U.S. could have been much more heavily hit. Timing, proximity and luck all played parts, said Stroz.
“I never take luck out of the equation,” he said.
Follow USA TODAY reporters Elizabeth Weise and Mike Snider on Twitter: @eweise & @MikeSnider.