The cruel reality of a global ransomware attack that crippled computer systems in 150 countries on Friday is this: Attackers took advantage of under-prepared computer users and their organizations.
Enterprises -- including manufacturers, car makers, hospitals and government agencies -- were running older versions of Windows or hadn't patched even the newest Windows versions with a patch that Microsoft released in March.
And, truth be told, some unsuspecting users evidently clicked on email links or, more likely, a suspected compressed Zip file attachment that launched the ransomware known as WannaCry, also known as WannaCrypt or WannaCrypto.
WannaCry spread laterally inside organizations, wormlike, via their networks in unprecedented fashion, experts said. It infected more than 200,000 users in more than 150 countries, British officials estimated over the weekend.
Experts expressed fears over the weekend that a variant of WannaCry would suddenly appear and infect more machines as workers returned to work on Monday, putting them out of reach of a kill switch found by a researcher shortly after the outbreak. But Europol, a European law enforcement agency, said the number of infected computers did not increase as expected early Monday -- a modest success.
Computers infected by WannaCry are frozen until ransom of $300 in bitcoin or more per device is paid. Officials in London said some surgeries at hospitals had to be delayed because patient records could not be accessed. The National Health Service of the U.K. sent repeated advice to its IT staff over the weekend, calling for them to isolate the infected computers and run the needed Windows patches on separate, uninfected and refreshed computers before adding them into the network.
The ransomware hit several countries in Europe before it spread to other computers, including ATMs in China and the Interior Ministry in Russia. In the U.S., even FedEx was hit, with the malware infecting "some Windows-based systems," the company acknowledged in an email, without elaboration.
The attackers used tools first developed by the U.S. National Security Agency to counter terrorists; the tools were stolen by a group called Shadow Brokers with reported ties to the Russian government. Some U.S. analysts said the attackers responsible for the WannaCry attack were more likely to be a criminal gang, however, motivated by the need to raise ransom.
A spy tale gone awry
What happened with WannaCry was an improbable spy tale layered on top of widespread lax cybersecurity by should-be smart users, IT staff and sophisticated companies.
"It was the perfect storm," said Gartner analyst Avivah Litan on Sunday.
"It was the public disclosure of the NSA-discovered Windows vulnerability combined with ransomware that was spread virulently using worm techniques and bitcoin's anonymous currency that has been used for criminal payments," she added.
"A 9-11 for the cyber world is yet to happen, but we just got a taste of it with WannaCry," said Melih Abdulhayoglu, founder and CEO of cybersecurity company Comodo, in an email.
What makes the WannaCry attack even harder to take is that it is likely to happen again. "I'd be surprised if we don't see many more of these formulaic stack [attacks] in the future," Litan said.
"It loudly calls out the need for timely patch management and other layered security measures that must be applied to endpoints and corporate networks," Litan said.
How to prepare for another attack
John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, said organizations need a multi-layered defense to reduce such risks. "It's a combination of policy, technology and education," he said in an interview.
The policy portion might be so extreme that all workstations in an organization might need to be "read-only," so that ransomware-laden emails cannot be accidentally opened and executed, he said.
Technology could be used to provide web content filtering so that no URLs or attachments ever arrive directly in an email and users can't click on any malware, he added.
Finally, education might include providing organization-sponsored internal phishing campaigns to train employees not to click on an unexpected attachment, Halamka said.
Many organizations have instituted such campaigns, including IDG, the parent of Computerworld, to train busy end-users to avoid clicking on links or attachments in email without more taking time for more careful consideration of what the link might do.
Hospitals sometimes need old Windows XP to run critical apps
Despite his advice, Halamka didn't blame hospitals for being tardy in updating to the latest Windows OS version or applying the latest patch.
"Each time a patch is introduced, the act of changing a hospital's mission-critical system often impacts its reliability and functionality," he said.
"Some mission-critical systems were created years ago and never migrated to modern platforms," he added. "In 2017, there are still commercial products that require [older] Windows XP for which few patches are available." He didn't elaborate on which products.
Healthcare organizations may put a top priority on application functionality and uptime over security, he noted. By doing so, they may not always have the most up-to-date software.
"Healthcare in general may be more vulnerable than other industries to cyberattacks -- and the scope of the impact to the National Health Service in the U.K. illustrates this problem," Halamka said.
Jack Gold, an analyst at J. Gold Associates, said WannaCry seems to have targeted Windows XP machines that are still prevalent in many organizations, especially in healthcare. "If you are running on three-generation-old XP, you are taking a pretty big risk and gambling your security every day," he said.
The WannaCry ransomware also attacked Renault and Nissan factories, which suggests that there should be alternatives to patching for devices like cars and widely dispersed internet of things devices that don't have a human being present to manage them all the time, said Tal Ben-David, vice president of Karamba Security , which provides cybersecurity software for connected and autonomous vehicles.
"A patching strategy would let hackers put lives at risk for months," he said. "The only answer is to harden car or other life-risking IoT systems to their factory settings, which would secure those systems against attacks without relying on security patches."
A debate over whether to harden IoT devices to prevent hacks could take years -- the down side of hardening is that the devices can't then be easily updated. But analysts and industry experts said enterprises can take the most obvious steps now by patching apps and operating systems with the latest updates.
Experts also reminded organizations to frequently back up data so that machines infected with malware or ransomware can be taken off-line and alternative machines can be brought online and connected with backed-up data.
U.S. CERT (Computer Emergency Readiness Team) updated its advice on ransomware after Friday's attack first hit.
CERT urges users to take care when clicking on links in email, even if the sender is known. It also warns against revealing personal and financial information in email, which could become grist for future phishing attacks.
What is evident from WannaCry is that many, many organizations aren't sufficiently prepared for a widespread ransomware attack. Ransomware has been around for 30 years, but can now be spread quickly -- and globally -- in wormlike fashion.
WannaCry and other ransomware "reinforces the need for organizations to figure out how to classify, separate and wall off their data in order to reduce the risk of data being inappropriately accessed and permanently lost," said Don Foster, senior director of solutions marketing at Commvault, a data protection technology company, via email. "Discussions need to take place at the board level about an organization's data recovery strategy."
Gartner's Litan said that to some extent, IT staffers are on their own to protect against ransomware by taking basic precautions like backup. "All the security vendors have a long way to go" to protect against ransomware, she said. "Ransomware has been half the problem our clients have faced in the last year and a half."