From Silicon To Software


Recent Ransomware Attacks Produce Tangible Financial (and Possibly Human) Costs

display stock market numbers and graph

In recent financial reports, some global organizations are now reporting losses averaging $300 million USD as the result of malicious software first spread in early 2017.

Twenty years ago, malicious software could knock individual computers off the internet and destroy data. Others could even cripple the hardware, rendering the circuitry in the machine useless. While high-profile malware attacks in the early 2000s such as Melissa and ILOVEYOU did result in quantifiable lost productivity, the attacks in 2017 have so far produced the first tangible and significant effects on the victim organization’s bottom line and, perhaps, may result in the loss of human life.

One reason for this dramatic shift is that software is much more common today. It’s not just on an organization’s mainframe or within a laptop, it’s everywhere. Software now powers our day-to-day life in our cars, in our hospitals, and in our critical infrastructure. So when the data it produces become corrupted or otherwise inaccessible, the consequences can be great.

Ransomware is a very specific type of malware that encrypts data on a target machine, making it useless to the end-user until a ransom is paid. While ransomware has existed for years, it was previously a one-off affair—a victim here, a victim there, generally under the radar. In early 2017, however, ransomware went viral; it affected thousands of computers on its own within a matter of hours.

Enabling this wildfire spread of malware was the disclosure of a critical vulnerability in a common Microsoft Windows messaging protocol known as Server Message Block or SMB. In April, a group known as the Shadow Brokers released an SMB exploit, Eternal Blue, that leveraged this vulnerability. Perhaps anticipating that exploit disclosure, Microsoft proactively released a very comprehensive SMB patch in March. Unfortunately, not every vulnerable computer was patched in time for the first wave of attacks some four weeks later.

In May, the WannaCry ransomware swept the globe in a few short hours, holding hundreds of thousands of unpatched SMB-enabled Windows computer systems hostage until payment of $300 in Bitcoin was received for each system affected. There is good reason to think WannaCry was premature, more of a proof-of-concept malware than actual attack malware. Evidence―such as the malware containing a kill witch, a method to allow the malware’s author to stop its growth―suggests WannaCry might have been a precursor for an even larger attack.

Sure enough, in June, a more targeted and much more damaging attack known as Petya/NotPetya. (Here, both names are used because the ransomware used lines of code from an existing malware named Petya yet some felt it deviated significantly, hence NotPetya.) Instead of infecting the world, Petya/NotPetya’s targets were initially limited to utility systems found within the Ukraine. However, the underlying vulnerabilities―the same SMB vulnerabilities that WannaCry had exploited a month earlier —were still unpatched in other large multinational systems, and as Petya/NotPetya spread it produced considerable collateral damage beyond its targets. That’s when the organizational costs started to hit the bottom line―not from the ransom paid but from the lack of productivity because of the ransomware.

Mearsk, a global shipping organization, responsible for about 15 percent of the world’s shipping traffic, reported in its Third Quarter earnings that it was reduced to using pen and paper for several days to keep track of its cargo at sea. The company estimated its losses attributable to Petya/NotPetya to be between $200 and $300 million in lost business. Another shipping company, FedEx, reported one of its business units, TNT Express, also had losses estimated to be $300 million or more.

Perhaps more important than quarterly losses is the potential loss of life as a result of these attacks. In May, WannaCry hit National Health Service hospitals in the UK particularly hard, causing several to close abruptly and reschedule non-critical surgeries. The following month, hospitals in the U.S. were hit with Petya/NotPetya. In both cases the affected hospitals were running outdated and unpatched Microsoft Windows operating systems, making them vulnerable. Hopefully no loss of life will be directly associated with these attacks; however, researchers are monitoring the monthly mortality rates for the hospitals affected by the outbreaks for any sign of correlation.

And it’s not just hospitals. Merck, the U.S. pharmaceutical company, reported it was also negatively impacted by the two sets of back-to-back ransomware attacks. In a public letter from Energy and Commerce Committee Chairman Greg Walden (R-OR) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA), the representatives of the congressional subcommittee members asked:

“While there is no evidence, to date, that Merck’s manufacturing disruption has created a risk to patients, it certainly raises concerns. For example, in a recent update on national vaccine supply, the CDC reported that Merck would not be distributing certain formulations of the Hepatitis B vaccine. While it is unclear whether this is related to the NotPetya disruption, and much of the supply can be filled by other manufacturers, it does raise questions about how the nation is prepared to address a significant disruption to critical medical supplies.”

Bottom line, now that software is everywhere, malware can have a direct, life-critical consequence in sensitive industries such as healthcare. Therefore, we must make sure the software in any device is both of high quality and secure.

That process must start very early in the design phase by creating a threat model specific to your business and then testing that model throughout the software development life cycle. Additionally, it is the combined responsibility of both the software vendor and the end-user to test and retest on a regular basis all software put into production today.

The consequences of not following software security best practices are becoming too great to ignore.