Yesterday a ransomware worm called WannaCry tore through networks across the world, and the news here in Britain led with the NHS: appointments cancelled, screens locked, hospitals diverting ambulances. It spread by exploiting an SMB flaw on Windows, the EternalBlue exploit that surfaced in the leaked NSA toolset last month, and it spread fast because it didn't need anyone to click anything. One unpatched machine reachable on port 445 and the worm did the rest.
The uncomfortable part is that Microsoft had already shipped the patch. MS17-010 went out in March. Two months. The fix existed, sat in Windows Update, and a great many machines never took it, either because nobody was watching them or because they couldn't be patched at all.
And that's the bit I keep turning over, because it's not really a story about a clever worm. It's a story about the machines we forget. Every organisation of any size has them. The box running one critical application that the vendor certified against a specific Windows version and will not support on anything newer. The embedded controller with Windows buried inside it that nobody thinks of as a computer until it's encrypted. The XP machine driving a piece of medical kit that cost more than a house and isn't getting replaced this financial year.
I went and looked at my own network last night, slightly sheepishly, because it's very easy to write smugly about other people's unpatched estates. I found a NAS running firmware a year behind, and an old laptop I'd left on for some forgotten reason that hadn't seen an update since the autumn. Neither was exposed to the internet, which is the only reason I slept, but the point landed. I have a "that one" too. Everyone does.
A few things this week is a good reminder of, none of them clever:
- SMB has no business being reachable from anywhere it doesn't need to be. Block 445 at the perimeter as a matter of course, and segment it internally so a single infection can't reach the whole estate.
- Patching is not a project you finish, it's a thing you do continuously, and the boxes you can't patch are exactly the ones you need to wall off the most.
- An offline backup is the difference between an irritating afternoon and a catastrophe. Ransomware that can reach your backups encrypts them too.
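The list above amounts to an inventory audit, so here is one as an added example (not code from the original post): it reads a constructed host inventory and ranks each box by whether it is unpatched for MS17-010 and how far TCP/445 on it can be reached. The inventory columns and the exact MS17-010 release day are assumptions made for the example.

```python
import csv
import io
from datetime import date

# MS17-010 shipped in March 2017 (from the post); the exact day is assumed here.
MS17_010_RELEASED = date(2017, 3, 14)

# Constructed sample inventory, not real hosts. smb_reachable_from lists the
# segments that can reach TCP/445 on the host, ';'-separated, or "none".
SAMPLE_INVENTORY = """\
hostname,segment,last_patched,patchable,smb_reachable_from
ws-101,office,2017-05-01,yes,office
fileserver,dc,2017-04-20,yes,office;dc;internet
mri-console,clinical,never,no,office;clinical
old-laptop,office,2016-10-30,yes,office
kiosk-07,lobby,never,no,lobby;internet
"""

def classify(row):
    """Return (priority, action) for one host; a lower number means act first."""
    reach = set(row["smb_reachable_from"].split(";")) - {"none", ""}
    outside = reach - {row["segment"]}
    # Heuristic: a host that has taken no updates since MS17-010 shipped cannot have it.
    patched = (row["last_patched"] != "never"
               and date.fromisoformat(row["last_patched"]) >= MS17_010_RELEASED)
    if not patched:
        if "internet" in reach:
            return 0, "unpatched and 445 reachable from the internet: block at the perimeter now"
        if outside:
            return 1, "unpatched and 445 reachable from other segments: wall it off"
        if row["patchable"] == "no":
            return 2, "cannot be patched: keep 445 confined to its own segment"
        return 2, "missing MS17-010: patch it"
    if "internet" in reach:
        return 3, "patched, but 445 has no business being reachable from the internet"
    return 4, "ok"

def audit(csv_text):
    """Return [(hostname, priority, action)], worst offenders first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    result = [(r["hostname"], *classify(r)) for r in rows]
    return sorted(result, key=lambda t: (t[1], t[0]))

if __name__ == "__main__":
    for host, prio, action in audit(SAMPLE_INVENTORY):
        print(f"[{prio}] {host:<12} {action}")
```

Feeding it a real export from your asset register, rather than the sample, is the quickest way to find "that one" box.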
It's tempting to treat WannaCry as someone else's failure, a story about a creaky public-sector estate. It isn't. The exploit was handed out for free, the patch had been available for two months, and it still worked. The only honest response is to go and find your own forgotten box before something else does, and to stop pretending you don't have one.