NSA shares blame with criminals for massive ransomware attack

by Steve Blum

Cybercriminals successfully penetrated more than 200,000 computer systems in 150 countries in a continuing attack that began late last week. The initial assault was unwittingly blocked by a security blogger who triggered an off switch while trying to figure out what was going on. But that didn’t help systems that were already infected – the malware can still spread from computer to computer within a network – and a new version, without the kill switch, is reported to be already out and running wild.

The ransomware encrypts data on infected networks, and demands a bitcoin payment of $300 to free it up.

It did not have to happen. The ransomware exploited a flaw in Microsoft’s Windows operating system that was 1. known to the U.S. National Security Agency and 2. leaked into the public domain earlier this year. It gives the lie to the claims of the NSA, FBI and other national security and law enforcement agencies that they can be trusted to safeguard and wisely use software and encryption backdoors, as the Washington Post’s Brian Fung explains:

The NSA leak in April showed that even those vulnerabilities thought to be under control by responsible state actors can find themselves on the black market. The story of Wanna Decryptor, ultimately, is the story of nearly all weapons technology: Eventually, it will get out. And it will fall into the wrong hands.

“These attacks show that we can no longer say that vulnerabilities will only be used by the ‘good guys,’ ” said Simon Crosby, the co-founder of Bromium, a California-based computer security firm. Crosby likened the unauthorized leak of the NSA’s hacking tools to “giving nuclear weapons to common criminals.”

The NSA’s conduct was irresponsible. When it discovered the Windows exploit, it should have notified Microsoft so that the vulnerability could be fixed immediately. Instead, it kept open a backdoor to millions upon millions of computers and networks, one that would eventually have been found and used by criminals even if the agency hadn’t managed its own security so incompetently.