Global cyberattack no surprise to Dartmouth experts

Monitor staff
Published: 5/13/2017 11:07:49 PM

Friday’s massive ransomware attack that affected tens of thousands of computers throughout the world, many associated with hospitals and medical systems, came as no surprise to experts who have watched the world rush to install networks without enough security preparation.

“We expect to see more of these stories,” said Sergey Bratus, a research associate professor at the Computer Science Department at Dartmouth College.

Bratus was responding to Monitor requests for a comment Friday afternoon, when news of the ransomware attack was still unfolding. The attack involved sneaking software onto a system and encrypting files, making the system unusable unless a ransom is paid.

Institutions and government agencies in more than 100 countries were affected, including the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service. It would have been worse, except that a cyber security expert stumbled on a “kill switch” built into the malicious code and stopped it from spreading further.

Bratus noted that many systems which had been infected were still running Windows XP, a version of the operating system so old that Microsoft no longer provides security updates.

A number of high-profile attacks occurred in hospitals and health agencies, such as Britain’s health service.

“I don’t know the exact reason, but replacing a (computer) system in a hospital is no easy matter. If, when it was put in, there were no specific plans for how the upgrade cycle would go … if that sort of risk analysis was not done, then it is a problem,” he said.

According to news reports, the attacks exploited a problem with the SMB protocol, a basic part of Windows networking that has had vulnerabilities in the past. They apparently took advantage of a Windows vulnerability known as EteneralBlue that allegedly originated with the National Security Agency, which became known recently when a number of alleged NSA software tools were made public by a hacking group.

Bratus said the connection to the NSA vulnerability is not necessarily important, because the business of hacking networks to collect money via ransomware is so widespread that problems are likely to be found, and ways to exploit weaknesses will be created and sold.

“It is not unusual for criminals to buy exploits.” Bratus said. “This is a thriving industry in the underworld. The underground economy is robust and diversified, there is a lot of separation of labor in it.”

The main thing that happened with the release of the NSA data is that it provided a new tool that many criminals could use for free, which may explain why it showed up in so many places at about the same time.

“When a new piece comes around for free, you would expect they would use it too,” he said.

It’s also not unusual that the medical community was a main target, he said.

Hospitals have long been prime targets for ransomware because they are more likely to pay up quickly, since damage can put lives at risk. Further, the recent adoption of electronic medical records means many have had to add new and complicated computer systems, and may not have had time to develop security.

“Ransomware in hospitals is already routine. Perhaps for this particular outbreak, the novelty is in how many organizations are targeted at the same time. But when you are putting computer systems in hospitals, often without appropriate risk analysis, you’ve created a victim population – and a victim population will draw attackers,” he said.

This may explain why Britain’s National Health Service was particularly hit hard Friday, with access to patient records blocked throughout England.

“It is a bit of luck that they have not forgotten how to work with pen and paper,” said Bratus – who wasn’t joking. “If you don’t have a plan of how you will operate without those systems, you are in trouble.”

Bratus said that the increasing use of networked systems does not mean that industries have to be so vulnerable, and pointed to the power grid that sends electricity throughout the nation.

The power grid has been quite resilient. We have not heard of major cyber attacks, despite the news that it is being probed and targeted,” he said.

(David Brooks can be reached at 369-3313 or or on Twitter @GraniteGeek.)

Concord Monitor Office

1 Monitor Drive
Concord,NH 03301


© 2019 Concord Monitor
Terms & Conditions - Privacy Policy