The massive ransomware attack that began last week and hit computers around the world should send a "wake-up call" to governments that have kept vulnerabilities secret to exploit them, Microsoft President and Chief Legal Officer Brad Smith said yesterday in a blog post.
The WannaCry or WannaCrypt ransomware spread using a Windows SMB file-sharing exploit that the National Security Agency had used for its own purposes until it was leaked in April by the hacking group Shadow Brokers. By then Microsoft had already issued a security update for the underlying vulnerability (in March), but versions of Windows that had left support no longer received such updates, and many supported systems had not yet installed it.
As a result, numerous organizations such as the U.K.'s National Health Service were left unable to access vital data: the malware encrypted their files and demanded a ransom, payable in the Bitcoin digital currency, to unlock them.
More than 200,000 victims in at least 150 countries have been hit so far by the ransomware, which has netted the party responsible at least $49,000 in Bitcoin payments, according to recent news reports. Some of the victims have reportedly regained access to their files after paying, although security experts advise against complying with ransom demands.
'Consider the Damage'
Calling for a "Digital Geneva Convention," Microsoft's Smith said the widespread damage caused by the ransomware shows that governments need to treat cyber weapons the same way they treat conventional weapons.
"The governments of the world should treat this attack as a wake-up call," Smith said. "They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
Former NSA contractor and whistleblower Edward Snowden echoed that criticism on Twitter. ".@NSAGov's choices risked permitting low-skill criminals launch government-scale attacks, and then it happened," Snowden tweeted on Saturday. "There's no waving that away."
"The massive malware attack that hit multiple countries has caused chaos and has shut down vital institutions such as hospitals," U.S. Representative Ted Lieu (D-CA) said Friday in a statement. "It is deeply disturbing the National Security Agency likely wrote the original malware."
Lieu, who noted on his Web site that he is "one of only four computer science majors serving in Congress," supports changing the vulnerabilities equities process (VEP) to ensure greater transparency in how the federal government notifies software companies about bugs it identifies. The VEP was established to determine whether the government should withhold or disclose information about computer software security vulnerabilities.
Cybersecurity 'A Shared Responsibility'
A U.K.-based security researcher who goes by the name MalwareTech halted the spread of WannaCry on Friday by registering a domain name he discovered in the ransomware's code. Once the domain was live, it acted as a kill switch for that variant of the malware.
As MalwareTech noted in a blog post afterward, the ransomware was written to connect to an unregistered domain and "if the connection is not successful it ransoms the system, if it is successful the malware exits."
Because the perpetrators, or copycats, could alter the code to use a different domain or remove the check altogether, MalwareTech and others warned the ransomware could continue spreading. However, as of this morning, there haven't been any signs of widespread renewed activity.
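The kill-switch logic described above, as an added example that is not code from the article or from MalwareTech: it models the gate (a failed connection means encrypt, a successful one means exit), shows why a registered "sinkhole" domain defeats it, and shows how the sinkhole's own request log then identifies infected hosts on a network. The domain name, the assumption that the probe is an HTTP GET for the root path, and the log lines are all constructed placeholders.

```python
# Added example: models the WannaCry kill-switch check and a sinkhole log.
# Not the article's code and not MalwareTech's; names and data are constructed.
import re
from collections import Counter
from typing import Callable, Dict, Iterable

# Hypothetical stand-in for the unregistered domain found in the sample.
KILL_SWITCH_DOMAIN = "killswitch.example"

# A "connector" models the malware's outbound check: True if the connection
# to the domain succeeded, False if it did not.
Connector = Callable[[str], bool]


def unregistered_domain(domain: str) -> bool:
    """Before registration: the name does not resolve, so the connection fails."""
    return False


def sinkholed_domain(domain: str) -> bool:
    """After registration: the name resolves to a sinkhole that answers every request."""
    return True


def would_ransom(connect: Connector, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The gate as the article describes it: a failed connection lets the
    payload run, a successful one makes the malware exit. Note the inversion
    relative to an ordinary beacon: here reachability is what stops it."""
    try:
        reached = connect(domain)
    except OSError:
        reached = False  # DNS failure, timeout, refused: all count as "not reached"
    return not reached


# Constructed sinkhole access-log lines (Common Log Format), standing in for
# what a registered kill-switch domain receives from infected hosts. The
# assumption that the probe is "GET /" is ours, not the article's.
SINKHOLE_LOG = """\
198.51.100.7 - - [12/May/2017:15:08:13 +0000] "GET / HTTP/1.1" 200 0
203.0.113.21 - - [12/May/2017:15:08:14 +0000] "GET / HTTP/1.1" 200 0
198.51.100.7 - - [12/May/2017:15:09:02 +0000] "GET / HTTP/1.1" 200 0
192.0.2.44 - - [12/May/2017:15:09:40 +0000] "GET /favicon.ico HTTP/1.1" 404 0
203.0.113.21 - - [12/May/2017:15:10:11 +0000] "GET / HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def infected_hosts(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count kill-switch probes per source IP from a sinkhole's access log.
    Only the root-path GET is treated as the probe; other requests (browsers
    fetching favicons, scanners) are ignored so they do not mark a host."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "GET" and m["path"] == "/":
            counts[m["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("unregistered ->", "encrypt" if would_ransom(unregistered_domain) else "exit")
    print("sinkholed    ->", "encrypt" if would_ransom(sinkholed_domain) else "exit")
    print("probing hosts:", infected_hosts(SINKHOLE_LOG.splitlines()))
```

The same gate explains the caveat in the text: a variant compiled with a different domain, or with the check removed, is unaffected by the existing registration, so the sinkhole is a stopgap and the patch remains the fix.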
Europol's European Cybercrime Centre said that anyone hit by ransomware should check the unlocking tools provided at NoMoreRansom.org, a free resource developed by Europol in partnership with the Dutch police and industry partners. Such tools exist only for ransomware families whose encryption has been broken or whose keys have been recovered, so they are no substitute for offline backups.
Microsoft, which on Friday took the unusual step of issuing a custom security update for systems that no longer receive regular support, including Windows XP and Windows Server 2003, has urged users with older versions of Windows to patch the vulnerability as soon as possible.
"[T]his attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers," Smith said in his blog post. "The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems."