A massive cyber-extortion attack known as “WannaCry” wrought havoc across the globe last week, taking out much of Britain’s National Health Service and, in a delicious bit of irony, the Russian Interior Ministry.
The attack was a long time coming, representing the inevitable merging of two plagues that have long ravaged the internet: the invention of programs that can rapidly infect digital systems and the rise of internet crime. Without action, WannaCry represents just the first of what will undoubtedly be a long nightmare of self-propagating criminal attacks.
The first internet plague arose in 1988 when a small program, written by computer scientist Robert Morris Jr., escaped. This program, clearly written as an interesting experiment, ran on a single computer and, from there, attempted to contact other computers. Once it found another computer, it attempted to exploit the victim using one of several vulnerabilities. When successful, it copied itself over and started running: first two computers ran the program, then four, then eight. Exponential growth caused it to quickly spread to all vulnerable systems on the internet. Combined with a bug that caused it to overload its victims, this effectively shut down the internet of 1988.
This was the inadvertent dawning of the worm, a program that spreads on its own from computer to computer. Since that time we’ve seen many other worms, including Code Red (the first widespread worm in the modern era, infecting 300,000 systems over 13 hours), Slammer (spreading worldwide in 15 minutes and even infecting a nuclear power plant), Blaster (silently infecting hundreds of thousands of Windows computers) and Witty (which took down network security monitors belonging to the U.S. Army).
The second plague crept up on us more subtly in the form of criminals seeking to make money. From spammers hawking Viagra to online bank-robbers seeking to take control over corporate accounts, this plague is organized crime that doesn’t care much about the damage done as long as it makes money. One particularly vile criminal strain involves ransomware: malicious programs that encrypt a victim’s files and demand money to access them.
The ransomware epidemic is fueled by multiple factors, most notably online criminal communities and Bitcoin. Criminal communities enable specialization: somebody good at coding can write a ransomware framework and sell it to someone who’s good at attacking computers. Many of these communities are Russian, as Russia has a long history of sheltering cyber-criminals who don’t attack Russian interests.
WannaCry is simply the merging of these two plagues. Dealing with such worms is a technical problem, one that researchers have focused on and will continue to focus on. But dealing with online criminals is a policy and economic problem.
Perhaps it is time for the United States to actually take meaningful action against Bitcoin. It has no central authority that can say “thou shalt not.” Thus, it is only superior for criminal uses such as drug deals or extortion.
U.S. Bitcoin exchanges can be pressured to not enable ransom payments, and the Treasury Department can exert pressure on foreign Bitcoin exchanges to either comply with U.S. money-laundering laws or be cut off from all international bank transactions. There is also a possibility for a technical solution: clogging the Bitcoin network with spam transactions.
Unless something can be done about the presence of payments through criminal-friendly Bitcoin or other means, we can only expect these two merged plagues — the crimeware worms — to continue to create chaos.
Weaver is a computer security researcher at the International Computer Science Institute in Berkeley, California.