​Windows ransomware: WannaCrypt shows why NSA shouldn't stockpile exploits, says Microsoft

Microsoft's president and chief legal counsel has renewed a call for a digital Geneva convention following Friday's WannaCrypt ransomware attacks.
Written by Liam Tung, Contributing Writer

Microsoft's president and chief legal officer Brad Smith: "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem."

Image: Microsoft

Microsoft president and chief legal officer Brad Smith has called for "urgent collective action" in response to Friday's WannaCrypt ransomware attack on Windows machines that didn't have Microsoft's March patch for a flaw in the Windows Server Message Block (SMB) protocol.

Governments, in particular intelligence agencies such as the National Security Agency (NSA), need to rethink the practice of stockpiling cyberweapons, Smith said in a blogpost on Sunday detailing how Microsoft, governments, and industry can prevent a repeat of Friday's devastating and widespread WannaCrypt ransomware attack.

While improvements can be made by all groups, as Smith emphasized, the WannaCrypt exploit that caused Friday's chaos was "drawn from the exploits stolen from the National Security Agency". In other words, had the NSA reported the flaw to Microsoft instead of keeping it and eventually leaking it, Friday's attack might not have been so widespread.

The WannaCrypt attacks hit Europe first, crippling around 45 UK hospital groups among others, before being accidentally contained by security researchers at MalwareTech, minimizing the impact on US organizations.

The specific NSA exploit that WannaCrypt adopted as a replicating mechanism was called EternalBlue, which targeted a flaw in Windows SMB and was leaked by the mystery hacker group, Shadow Brokers, in April.

Microsoft fortunately released a patch for the flaw in the MS17-010 bulletin in March, but as Friday's attacks revealed, many organizations don't or can't apply patches within two months, even for critical, highly publicized flaws.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," said Smith, comparing the exploit's theft to stolen missiles.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," he wrote.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action."

Smith highlighted Microsoft's decision on Friday to release a patch for unsupported Windows XP, Windows 8, and Windows Server 2003, as evidence of the priority it places on security, alongside updates in Windows Defender and its Advanced Threat Protection service.

And while he reminded users that "there is simply no way for customers to protect themselves against threats unless they update their systems", Smith does concede that some organizations face a "formidable" challenge in applying patches immediately.

Exactly how Microsoft plans to make it easier for organizations to patch their systems without breaking operational equipment remains to be seen. However, Smith said Microsoft is "dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments".

Finally, Smith believes the WannaCrypt attack illustrates why it makes sense governments for to agree to Microsoft's proposal for a 'digital Geneva convention', which would require governments to report vulnerabilities to vendors, rather than stockpile or buy and sell them.

"We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it's needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part," Smith finished.

According to Reuters, Russian president Vladimir Putin agrees with Microsoft on this issue.

"I believe that the leadership of Microsoft have announced this plainly, that the initial source of the virus is the US intelligence services," Putin said.

"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he added.

"So this question should be discussed immediately on a serious political level, and a defense needs to be worked out from such phenomena."

Read more on WannaCrypt and ransomware

Editorial standards