KPBS-FM Radio (NPR)
Interview with Darin Andersen
Host: Maureen Cavanaugh
Topic: Impact and aftermath of global WannaCry Ransomware attacks
Organizations across the country have been bracing for an expected wave of “hacker attacks” this morning, after a so-called “ransomware attack” disrupted businesses on Friday. But the software attacks seem concentrated on Asia today, perhaps because businesses closed earlier on Friday due to the time difference. The U.S. has not seen much of this current attack, which is transmitted by email and locks users out of their computers and threatens to destroy the data if a ransom isn’t paid.
Joining me today is Darin Andersen of CyberTECH in San Diego. Darin, welcome.
Andersen: Nice to be here again.
Q: This ransomware is called WannaCry. Do we know where it originated and who is responsible?
A: This has been a tricky one, in terms of what we call “attribution,” that is, determining where the source of the hack came from. We’re not sure. There are certain investigation paths that are now open – Russia, China. This one might also have some connections to the U.S., Canada and Brazil.
Q: Russia’s Vladimir Putin and Microsoft’s Brad Smith both have pointed to the NSA, the National Security Agency, as the origination of this particular ransomware.
A: Yes, this ransomware definitely has some aspects included in some of the so-called “kits” produced by the NSA. Clearly, we can see in the attacks that some of the tools were used as part of the overall attack.
Q: How serious has this attack been?
A: Well, what’s serious about this one is that it’s global in nature and ransomware is an insidious type of malware that locks up your computer by encrypting data contained on that computer. And usually, the hacker asks for some form of ransom, usually in the form of bitcoin. And what’s tricky about this one is that it’s very broad-based – about 250,000 computers worldwide that we know about, across multiple countries. And I suspect that the computer numbers will come in much higher.
Q: If indeed, the National Security Agency developed this kind of malware, how did anyone else get their hands on it?
A: Well, just a few weeks ago, there was a big release of NSA hacking kits by WikiLeaks. That’s the connection that some people are suggesting – that tools released in that WikiLeaks leak led to some of the tools used in this attack.
Q: Now, many companies, especially in Europe, were bracing for a second wave. Why do you think that hasn’t really happened?
A: It could be because the adversaries are doing a “proof of concept” review, a common tactic just like in almost any other business enterprise, kind of trying out “version one.” They may be trying to figure out: Can they actually attack globally? What systems were affected? Clearly, the perpetrators in this case were pretty good at obfuscating their attribution. We have some clues. I think we will find out where this came from. But right now, things are a bit up in the air.
Q: Why do you think the U.S. hasn’t been affected so much by all this?
A: We’re getting better at detecting and fending off ransomware attacks. Smaller and mid-sized businesses are the ones that find themselves most susceptible to these kinds of attacks. Or, I should say, most larger companies have gotten better. The thing is, you don’t necessarily hear about who’s been impacted. Because if someone is going to pay a ransom, they may not want to let that be known.
Q: Apparently, a software patch against the malware was issued by Microsoft. The question that computer experts are asking is: Why hasn’t that been installed by more users?
A: Well, it’s always a question of what I call “malware and security hygiene.” And companies just get behind in those release cycles and leave their computers unpatched and therefore, leave their computers vulnerable.
Q: Do you know of some companies that have paid ransom?
A: Yes, there were reports of some hospitals and universities in town that actually had paid. But I would say that certainly Fortune 500 companies, many mid-sized companies across America are actually finding it easier to pay the ransom. Which, by the way, could be as little as $20,000 to $30,000. The attackers know where that right request price is. And a lot of times it’s much easier just to pay that cost, than to bear the burden of losing all your data.
Q: When you say organizations “in town,” do you mean here in San Diego?
A: Yes, I was referring to San Diego. But we work on a national basis, and we’re definitely seeing similar attacks across the country and throughout the world. And I tell you that companies are definitely paying to make them go away.
Q: Besides making sure that you’re updating your software, what other precautions can you take, just in case this WannaCry ransomware shows up here?
A: You want to make sure your computers are patched and updated. That your employees are fully trained – because what’s happening in many cases, what’s starting these attacks is some type of phishing. So keep your eyes open. Look for small differences in your emails, like if you’re getting a request that “I must have something now.” Take that extra minute to check it out. Call the person that the email pretends to be from. Make sure things are copasetic.
Q: I’ve been speaking with Darin Andersen of CyberTECH in San Diego. Darin, thanks a lot.
A: Great to be here again.