A global ransomware attack hit thousands of Windows-based computers late last week, locking users’ files and demanding Bitcoin payment to unlock them.
The attack, called WannaCry (or WannaCrypt), is a lesson to both the IT industry and consumers, Microsoft’s President and Chief Legal Officer Brad Smith argued in a blog post Sunday. But most of all, it is a wake-up call for governments, whose stockpiling of software vulnerabilities can be as dangerous as getting their missiles stolen.
According to Smith, all Windows computers that are fully updated are safe from the attack, and Microsoft has been “working around the clock since Friday to help all our customers who have been affected by this incident.”
And while the attack shows how important it is for users and companies to keep their computers updated — as well as tech companies such as Microsoft to promptly release security updates and make sure their users get them — a big part of the responsibility lies, Smith argues, on government agencies which should rethink the practice of keeping zero-day software exploits secret.
“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen”
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. (…) We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” wrote Smith.
The exploit that WannaCry is based on is called “EternalBlue” and comes from a trove of exploits stolen from the NSA and released on the web by a group of hackers called the Shadow Brokers. Just like the recent Vault 7 WikiLeaks data dump — a massive collection of CIA hacking tools, released to the public — the NSA exploits showed that government agencies aren’t able to prevent their cyber weapons from leaking to the public.
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” wrote Smith.
Meanwhile — despite a temporary “kill switch” measure developed by a couple of young experts — a second wave of the attack is expected to occur Monday, as many companies’ employees arrive at work and start turning on their computers.