author photo
By Scott Schober
Wed | May 31, 2017 | 4:30 AM PDT

Hoarding is when an individual has difficulty parting with or discarding possessions regardless of their value. But most hoarders eventually have their day of reckoning when their world implodes and their behavior affects not just themselves, but family and friends. Hoarding security vulnerabilities has similar parallels, but on a scale affecting potentially billions of innocent users.

In a piece published in The Atlantic this month by prestigious security expert Bruce Schneier, he profiles the Shadow Brokers, a mysterious group of hackers claiming to have stolen and released exploits that the NSA has been collecting over the years.

One of these exploits includes EternalBlue, a weakness specifically targeting Microsoft Windows file sharing protocols. This vulnerability has since grown into the huge international malware attack known as WannaCry, which locked up hundreds of thousands of computers throughout the UK, Russia, and 150 other countries to date.

And with this exploit in the wild and so many older, unpatched Windows PCs vulnerable, it is only a matter of time before more hacking groups launch waves of targeted attacks. So whose fault is it?

The blame game

There are many players in this game, so it’s hard to know who deserves the most blame. The NSA appears to have developed the exploits in order to gain entry into things like routers, computer networks, certain Windows operating systems, and even SWIFT banking networks. But the NSA didn’t release the malware, and there isn’t any clear evidence that they’ve even used such code.

It’s easier to blame the hackers that stole and released the malware, but some would see this more as whistleblowing rather than a criminal act. After all, they exposed the NSA’s hoarding and intent to infect millions of PCs with spyware.

From there, numerous hackers with all kinds of criminal records and agendas ran with the ball, targeting millions of PCs and subsequently thousands of victims. While they’re anything but blameless, they’re also a constant in this age of internet and cybersecurity.

Trying to stomp out hackers across the internet would be as futile as trying to stomp out a nest of fire ants with your bare feet.

And then there’s Microsoft, whose Windows XP OS was so full of security holes it’s been a prime target for hackers and the NSA alike for years. After all, Microsoft hasn’t released a security update for XP in nearly three years since they officially stopped support. But can they really be expected to support a 15-year-old operating system?

Finally, there’s the victims. It’s never fair to blame victims, but these hospitals, universities, and businesses were all shut down by WannaCry because they still held onto older systems that required Windows XP. They knew the security risks and yet still clung to an antiquated OS full of known security issues.

But the ones we hold to a higher standard to protect citizens are also the ones that started this chain of misguided events and hacks. So how did this happen?

How did this happen?

Most ransomware infects target computers when users click on an attachment or link usually embedded in an email (phishing attacks often start as email spam). These phishing attacks have become increasingly sophisticated and convincing to unsuspecting computer users. When malware is dispensed on the target computer, local files become encrypted, with the hacker holding the only key to decrypt.

In the case of WannaCry, hackers actually used Microsoft’s own encryption scheme to lock away files from users unless the ransom was paid. The hackers then demand the ransom, typically $300 to $600 USD equivalent in Bitcoins (anonymous digital currency), that must be paid within the specified time in order to obtain the key. If the payment is not made, the hacker moves on and the victim is left with a computer full of encrypted, inaccessible files.

According to Tom Bossert, assistant to the president for homeland security and counterterrorism, these hackers actually did future hackers a disservice. To date, only $70,000 total has been netted from ransomware victims, with no payments having led to any data recovery.

So not only have they set the bar very low for the value of that data, but they also didn’t live up to their end of the bargain. It may not come as a shock to learn that criminals don’t play fair, but there are two pieces of advice that I give to anyone worried about ransomware demands: always backup your data to avoid ransomware, but if you do find yourself the victim of a ransomware scam with no backup, don’t pay it.

Most encrypted data is not unlocked for the victims even after payment is made—kind of like a digital smash and grab with little or no chance of a resolution. This is of course anecdotal evidence from many folks I have spoken with over the years because it’s impossible to get enough ransomware victims to publicly identify themselves and provide details of their dilemma to form an accurate outcome pattern prediction.

Short-term criminal minds only end up hurting future criminal schemes.

What are we looking at?

The ransomware identified as a new variant of WannaCry has the ability to rapidly and automatically spread across Microsoft Windows by exploiting a known bug.

The challenge with larger networks is that once the malware gets in, it spreads quickly and is difficult to stop before it infects entire networks. This particular strain of ransomware is called a worm because it can effectively self-spread on its own by exploiting the NSA’s Eternal Blue code.

In response to this global ransomware epidemic, Microsoft has already pushed out a security patch for the ‘Ransom:Win32.WannaCrypt’ malware, but there are most certainly more exploits out there.

The majority of ransomware attacks over the past two years have targeted small and mid-sized businesses, but now we are seeing large corporations affected worldwide.

This new wave of global attacks could have been prevented if the NSA had not hoarded the vulnerability but rather shared it with Microsoft upon discovery. This is always a tricky proposition because we expect organizations like the NSA to protect U.S. citizens, in part, by spying on our enemies.

Of course, when leaked exploits originating from the NSA hurt thousands and potentially millions of U.S. citizens and businesses, some NSA policies must be reviewed and revised.

It is important for computer users to regularly update security patches and discontinue use of older, unsupported operating systems. Businesses need to have a continuity plan in place with proper backup and disaster recovery, so that if and when they are victims they can survive.

Government agencies need to stop hoarding vulnerabilities, and instead, work with manufacturers to patch security weaknesses before they can get into the hands of hackers or state sponsored cyber terrorists.