No one could prevent another ‘WannaCry-style’ attack, says DHS official

The U.S. government may not be able to prevent another global cyberattack like WannaCry, a senior cybersecurity official has said.

Jeanette Manfra, the assistant director for cybersecurity for Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said onstage at TechCrunch Disrupt SF that the 2017 WannaCry cyberattack, which saw hundreds of thousands of computers around the world infected with ransomware, was uniquely challenging because it spread so quickly.

“I don’t know that we could ever prevent something like that,” said Manfra, referring to another WannaCry-style attack. “We just have something that completely manifests itself as a worm. I think the original perpetrators didn’t expect probably that sort of impact,” she added.

The WannaCry cyberattack was the first major global security incident in years. Hackers believed to be associated with North Korea used a set of highly classified hacking tools that only weeks earlier had been stolen from the National Security Agency and published online. The tools allowed anyone who used them to infect thousands of vulnerable computers with a backdoor. That backdoor was used to deliver the WannaCry payload, which locked users out of their own files unless they paid a ransom.

Making matters worse, WannaCry had wormable properties, allowing it to spread across a network and making it difficult to contain.

Although the National Security Agency never publicly acknowledged the theft of its hacking tools, Homeland Security said at the time that users were “the first line of defense” against the threat of WannaCry. Microsoft released security fixes weeks earlier, but many had not installed the patches.

“Updating your patches would have prevented a fair amount of people from being a victim,” said Manfra. Yet data shows that two years after the attacks, more than a million computers remained vulnerable to the ransomware.

Manfra said “bad things are going to happen,” but that efforts to mobilize government and the private sector can help combat cyberattacks as they emerge.

“Luckily, there was an enterprising individual who was able to find a way to kill it and it didn’t impact the U.S. as much,” she said.

Marcus Hutchins, a malware reverse engineer and security researcher, registered a domain name found in the ransomware’s code which, when registered, acted as a “kill switch,” stopping the ransomware from spreading. Hutchins was hailed as an “accidental hero” for his efforts. Hutchins and his colleague Jamie Hankins spent a week ensuring the kill switch stayed up, helping to prevent millions of further infections.

Manfra’s remarks came just weeks after her department warned of a new, emerging threat posed by BlueKeep, a vulnerability found in Windows 7 and earlier, which experts say has the capacity to trigger another global incident similar to the WannaCry attack. BlueKeep can be exploited to run malicious code — such as malware or ransomware — on an affected system.

Like WannaCry, BlueKeep also has wormable properties, allowing it to spread to other vulnerable computers on the same network.

It’s estimated that a million internet-connected devices are vulnerable to BlueKeep. Security researchers say it is only a matter of time before bad actors develop and use a BlueKeep exploit to carry out a similar WannaCry-style cyberattack.