The Blame Game: The Definitive Guide To Who's At Fault For The Ransomware Cyberattack

A luxury hotel in Austria pays ransom — for the fourth time — when hackers keep the keycards of guests out of their ritzy rooms.

The San Francisco transit system resists the urge to buy its way out of a hack that kidnaps its light-rail system, leaving strap-hangers unhinged.

A premier computer college in the United States stages a dramatic demonstration: It hacks the water treatment plant of a city and adjusts the controls so that everybody who drinks the water dies from an overdose of chlorine. Theoretically.

These are things that happened before the unprecedented “WannaCry” ransomware ran amuck on May 12 from China to Russia to Britain’s hallowed National Health Service to roughly 150 countries in general, including the United States, the German train system and some malls in Singapore.

It’s anybody’s guess how many people will pay money to free data that has been criminally encrypted and held hostage, with the deadline of one week having expired on May 19 for the death of data on upward of 200,000 systems that the “WannaCry” ransomware froze at hospitals, businesses, governments and homes around the globe.

A shadowy group called the Shadow Brokers used a hack technique poached from the U.S. National Security Agency, which is in the business of exploiting software flaws for intelligence purposes.

The running gauge of money ponied up was slightly more than $92,000, though more effort appears to have been spent less on meeting extortion demands than figuring out fixes and ways to prevent such a sweeping, unprecedented plague — which happened only because people paid the hostage ransom in previous attacks — from happening again on an even larger scale.

See Also: What Is Ransomware, What Are 'Worms' And How Do You Stop Them?

The Blame Game

There are no easy answers, and all are expensive.

“In general, any kind of extortion is problematic to pay. Not only does it encourage the people (who spread the worm) but there is no guarantee that they are going to return the data,” Eugene H. Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security, told Benzinga.

Here’s a breakdown of just who’s to blame for what many say is the worst ransomware outbreak to date, though not nearly the worst one yet to come.

The US Intelligence Community

Brad Smith, president and chief legal officer for the Microsoft Corporation MSFT made waves in a blog post that laid much of the blame on users who didn’t update their computer systems and on intelligence agencies which practice the “stockpiling of vulnerabilities.”

“This is an emerging pattern in 2017,” Smith wrote. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Spafford said Smith, obviously, has a vested interest in protecting Microsoft. To a fault.

“Blaming the NSA is misguided,” he said. “We depend on our intelligence agencies to gather information to protect the nation. The place I would fault the NSA is not doing a better job in securing what they found.”

“For people who like to beat up on intelligence services, this was a gift,” he said. “But the same flaw could have been found by organized crime gangs, the Russians, hobbyists in garages, and the same thing would have happened.”

Microsoft

Microsoft doesn’t support Windows XP or Windows 7 anymore, and it was two days into the cyberattacks before the company made a patch available to those many users. And about those patches: They imply the software was exploitable to begin with, which it usually is.

The argument is that Microsoft software and its endless cycle of patches and fixes is inherently open to manipulation and invasion. It comes to market first and then is fixed later in a reactive way.

“I am not in the business world and I do appreciate there is a cost with maintaining older systems. I think Microsoft has some responsibility,” said Raheem Beyah, associate chair for strategic initiatives and innovation at the Georgia Institute of Technology’s School of Electrical & Computer Engineering.

But he said people who use computers, no matter what the setting, need to build the cost of security into their budgets, and software companies have to prioritize it at the development level. Market forces drive a lot of the holes in security.

“With regards to dropping support of operating systems, Microsoft has been pretty generous in giving many years for migration and upgrade,” said Kevin Hayes, director of information security at Wayne State University in Detroit. “They have shown to be pretty flexible, however many public institutions are running on legacy applications that cannot support an updated Windows.”

See Also: Proofpoint Keeps Chugging After Ransomware Attacks

The End Users

Just about everybody agrees that people and institutions should update their computers, and Microsoft notes it had a patch available two months ago. But many institutional users, particularly in the public sector, don’t have the money to upgrade.

Still, a fundamental change in the way people think about security needs to be made, said Hayes.

“In running computer systems in the enterprise at the end of the day, the buck stops with senior management not prioritizing security and simply accepting the risk that grows every day,” he said.

Spafford said more and more software is embedded into the hardware, particularly medical equipment. That’s difficult to patch, which brings us to the next blameworthy group.

Third-Party Vendors

“We have a lot of blame for third-party vendors for embedded software that is not immediately patchable or difficult to patch,” Spafford said. “The problem is only going to get worse.”

Third parties making products may find it easy to load a version of Linux or Microsoft without the ability to fix an exploitable flaw very easily, if at all, he said.

HealthcareITNews said three-quarters of the businesses it surveyed — this is well before the “WannaCry” invasion — said cyberattack concerns were related to third-party vendors. Singapore reported that the “WannaCry” worm infiltrated malls there through a third party that provided digital directories.

“Companies that build in easily broken software have no real liability for those decisions,” Spafford said. “You can argue that it is the fault of Microsoft, but a lot of the blame is the vendors that applied it in mission-critical systems.”

The Internet Of Things

“The Internet of Things” — IoT to the cognoscente — is the term for the dizzying connectivity of the modern world, and the fact that a computer interface is in everything from children’s toys to smart refrigerators, providing entry points to build and exploit databases of everything from IP addresses to overheard conversations.

“Simply because we can make your coffee maker publish what you’re brewing on Twitter isn’t necessary,” Spafford said. “It opens up something on your network that endangers your system.”

The stakes are tremendously high. Beyah said his team simulated an attack on a city water treatment plant.

“We ultimately poisoned the city’s drinking water with high doses of chlorine, which would have tremendous consequences were it real life,” he wrote in a paper on the project.

That same paper listed a number of cases in which ransomware victims actually paid up what is an affordable price point of about $300 in bitcoin, a pittance that feeds a growing monster.

Adam Slagell, chief information security officer at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, told Benzinga that the problems aren’t just technical, but socio-economic.

“The challenge here are not the workstations, servers, and laptops running old versions of Windows, but rather the embedded devices and special hardware,” he said. “While the risk of running an old projector that gets compromised may be minimal, the risk of a compromised piece of medical equipment can be quite high.”

“In this way, the problem differs little from the problem of securing the Internet of Things that have led to many of the largest bonnets online. Many manufactures have no plans for long term updates or support for the software of their ‘smart’ devices.”

The Bad Guys

It goes without saying that people who sabotage medical records, and demand ransoms they sometimes get, are not good people.

“Clearly, the fault is with whomever wrote the (malevolent) software,” said Spafford.