Microsoft Points Finger at NSA in Ransomware Outbreak

In its postmortem of last Friday's wide-ranging ransomware attack that targeted Windows systems, Microsoft put part of the blame on the U.S. National Security Agency (NSA).

The ransomware, identified as a malicious program called "WannaCrypt," demanded Bitcoin payments to unlock infected systems. WannaCrypt was part of a stockpile of exploits stolen from the NSA earlier this year.

In a blog post on Sunday, Brad Smith, president and chief legal officer at Microsoft, noted that as cyberattacks have grown in sophistication, the government practice of hoarding malicious tools has done more harm than good.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," wrote Smith. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action."

While the NSA has not commented on either the WannaCrypt attack or Microsoft's response, Tom Bossert, President Trump's Homeland Security adviser, said at Monday's daily White House press briefing that the infection rate has been relatively low in the United States compared to other countries, and that no federal systems have been compromised.

However, Bossert warned that following the patching advice from Microsoft and the FBI should be a top priority to stop the spread of the ransomware, which has hit a number of high-profile companies, including FedEx.

"While it would be satisfying to hold accountable those responsible for this hack -- something that we are working on quite seriously -- the worm is in the wild, so to speak, at this point, and patching is the most important message as a result," said Bossert. "Despite appearing to be criminal activity intended to raise money, it appears that less than $70,000 has been paid in ransoms and we are not aware of payments that have led to any data recovery."

Microsoft released security patches for the ransomware on Friday. Security Update KB401258 protects vulnerable Windows and Windows Server editions, including Windows 8, Vista, XP and Windows Server 2003 and 2008. Until Friday, Microsoft had not released a security update for Windows XP in over three years.

Those running Windows 10, 8.1, 7, Vista SP2 or Windows Server 2008 SP2 or later are already protected from the ransomware, which had infected many systems worldwide.

"We are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003," wrote Phillip Misner, security group manager at the Microsoft Security Response Center (MSRC), in a blog post.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
