May 13, 2017 6:12 pm
Updated: May 13, 2017 7:39 pm

Why the WannaCry ransomware threat isn’t over yet, and how you can protect yourself

The WannaCry ransomware cyber attack took some of the world’s largest economies by surprise.

Researchers with security software maker Avast said they had counted 126,534 ransomware infections in 99 countries, marking a cyber attack of an unprecedented scale. While this colossal digital upset may have begun with a vulnerability in Microsoft Windows (specifically MS17-010), experts say it likely won’t end there.

The National Security Agency (NSA) reportedly identified the vulnerabilities, which Microsoft released a patch for in March. But computers that didn’t run these updates were subject to the ransomware attack. Matthew Hickey, founder of Manchester-based Hacker House, explains that exploits for those vulnerabilities were disclosed over Easter Weekend.

These exploits, which Hickey calls “highly reliable” and “weaponized,” were then released onto the Internet by a group called the ShadowBrokers and made available to be downloaded by anyone wanting to engage in espionage or cyber crime.

“These tools were then picked up by criminals, who repackaged them, re-purposed them, and added their own malicious code to them – in this case the WannaCry ransomware, and then unleashed those onto the Internet so they would spread and infect and damage as many systems as possible,” says Hickey.

These attacks came to a halt on Saturday, however, when a U.K. cyber security researcher accidentally activated a “kill switch” in the malware, with the help of Darien Huss from security firm Proofpoint.

According to a statement from Proofpoint, the malware authors originally inserted the domain to allow them to turn off the ransomware spread if they chose to do so, but failed to register the domain.

Hickey goes on to explain that to slow the spread of the malware, the researcher registered the website domain that the malicious code was probing for. However, he adds that this fix only stops one strain of the malware.

“The problem for this particular malicious code is it takes just a matter of seconds for someone to disable that fix and to re-spread it. Whilst this researcher has slowed the spread of the malware by registering that domain, new variants are popping up, new versions will continue to spread online and it will continue to be an issue,” he says.

Cybersecurity expert Katie Moussouris adds that the author of the malware will be able to adapt it to effectively dodge this temporary fix, and will be able to do so sooner rather than later.

“Yeah, absolutely it’s still spreading, and the authors or criminals or even a new set of criminals would be able to adapt the malware pretty quickly to avoid the temporary pause that this researcher found. Within the next 24 to 72 hours, I would say an adapted version of this malware will probably emerge that bypasses that temporary pause,” says Moussouris.

While the kill switch is not a perfect solution, it does allow corporations and individuals the time they need to update their devices with the latest security fixes and patches to protect themselves from further damage.

“It’s just given us a short window to apply these fixes and then new versions will continue to spread. So the most important thing that people can take away from this is we need to apply the MS17-010 fix. They should have done that back in March, they should have done that back in April when they were alerted about it and they should continue to be fully aware that these threats are out there and they should be not caught off guard as this continues to spread,” Hickey explains.

Moussouris, however, believes that policy-makers can do more to protect themselves against attacks of this magnitude in the future. By requiring manufacturers of the equipment used in public and private institutions to include a self-applicable update mechanism, these groups would be more likely to apply security patches in a timely fashion.

“Update mechanisms can be complicated, so I think policy makers as a rule should say new devices, and especially ones that are critical to human life and public safety need to have an update mechanism. Not something where only a service technician could possibly update it for you,” she says.

“You should be allowed to update a lot of these things yourself. Policy makers can definitely make a difference if they legislate and make it required that these types of manufacturers provide an update mechanism and that it’s self-applicable.”

To help combat these attacks, on Saturday Microsoft made security fixes available for older Windows systems, which will be free for everyone.

© 2017 Global News, a division of Corus Entertainment Inc.
