A global cyberattack unleashed Friday has reportedly affected more than 200,000 computers across more than 150 countries. The "ransomware," called "WannaCry," exploits a vulnerability in the Windows operating system. The attacks hit companies and governments, encrypting users' computers and demanding bitcoin payments in exchange for unlocking the files. Asia was hit particularly hard Monday, because many businesses there had closed when the attack first struck on Friday.
We asked four faculty members—professors Engin Kirda and Alina Oprea, experts in cybersecurity, and professors Jeffrey Born and Martin Dias, of the D'Amore-McKim School of Business—to assess the nature of the cyberattack and what it means for the businesses and other affected institutions going forward.
Kirda: The scale was large, but I would not say that it was surprising. "Ransomware" has been a problem for a while, and many different organizations have been hit in the past. In this specific case, the interesting issue was that a specific "ransomware" campaign managed to infect many organizations in a very short period of time. Looking at this historically, however, we have seen this type of thing before. For example, in the 90s and early 2000s, internet worms used to spread this quickly as well. The main difference today, though, is that the attackers are aiming to make money.
Oprea: One interesting aspect of this attack was the synchronization across different countries and continents and the variety of targeted organizations, which ranged from hospitals to academic institutions. Clearly, this was a well-organized attack with a larger scale than previous campaigns.
Oprea: We could not blame a single entity for this attack, as cybersecurity is a complex ecosystem. But this attack shows that intelligence and government agencies need to work closely with vendors and industry to patch vulnerable software and prevent large-scale catastrophic effects such as the ones we just experienced.
Oprea: Cybersecurity should become a priority for all organizations across various sectors, and this incident demonstrates this one more time. Organizations need to develop basic security programs that involve patching their software, deploying various defenses, and having clear plans for incident response. They should try to become more proactive about preventing these incidents, rather than trying to recover after the fact.
Various news outlets reported that an expert stopped the spread of attack by activating the software's "kill switch." What is a kill switch, and why would something like this be built into a cyberattack?
Kirda: A kill switch in any system is a mechanism that would deactivate that system right away. In this specific case, the malware, apparently, was contacting a domain name that hadn't been registered yet. Whenever the domain was available, the malware would stop spreading. We can only speculate on why the authors of the malware would choose to have a kill switch like this. Anything is possible.
Born: I think the ransom demand for bitcoins has a lot more to do with the perceived cybersecurity of the "currency" rather than the recent price strength in bitcoins. Bitcoins are not issued by countries, and their transfer has become even more difficult to trace. This provides the criminal element an opportunity to conduct transportation in virtual secrecy. Bitcoins have always been popular with those looking to cover their financial tracks. The development of the block-chain technology has made them even more stealthy, which has helped drive their market prices up substantially. It may not be an ideal endorsement in a marketing sense, but this use as a ransom will no doubt drive bitcoin popularity even higher.