Businesses should brace themselves for more attacks with ’ransomware’ - virus programs which freeze computers until a ransom is paid - experts in cyber security and law warned last night. And official advice for computer users to 'be vigilant' may be worse than useless, Dr Steven Murdoch of Information Security Research Group of the Department of Computer Science at University College, London, said.
Murdoch was speaking at a seminar hosted by the university's Institute of Advanced Legal Studies a month after the WannaCry 'cryptoworm' infected computers in over 150 countries, bringing parts of the NHS to a halt. Despite the unprecedented impact, there was no evidence that the WannaCry attackers were particularly sophisticated, Murdoch said. 'The panic did more harm than the actual worm itself,' he said.
Murdoch also questioned the perception that computer users were to blame for the attack because they had failed to upgrade Windows programs. Such a decision was 'understandable', given the inevitable disruption caused by updating well established working software. And the official advice 'Please be vigilant' boiled down to telling people 'Stop doing your job,' he said. The worm was not spread by email attachments, so-called 'phishing', but spread its own way across networks. 'It's no good blaming victims of the crime, especially when there's nothing you can do.'
Dr Julio Hernandez-Castro, of the school of computing at the University of Kent, urged businesses not to panic and pay ransoms, even when confronted with deadline threats to destroy data irrevocably. 'The right, moral position, if you're not going to be dead or put out of business, is not to pay the ransom,' he said. However, he noted that some victims do pay up, seeing the typical $1,000 demand as insignificant. None of the money paid in bitcoin in response to WannaCry has been collected, presumably because the system would allow the beneficiaries to be traced, he said.
The seminar also heard calls for the next government to step up and reform its cyber security efforts. Speakers noted the conflicted roles of state security services, with bodies such as the US National Security Agency, which developed the vulnerability exploited by WannaCry, and Britain's GCHQ being responsible for surveillance as well as security. This gives them an interest in keeping vulnerabilities secret. Murdoch called on the next government to split the National Cyber Security Centre away from GCHQ - and make the bodies responsible to different cabinet ministers.