A variant of the WannaCry ransomware that emerged Monday has been able to infect some of the computers patched after the original malware struck last week, according to a top cyber official at the Department of Homeland Security (DHS).
"We're working on how to address that [variant] and sharing as we can," said the official who asked not to be named. The official did not say how many computers have been affected by the variant, other than to say "some." The original WannaCry attack hit more than 200,000 computers starting Friday in more than 150 countries, UK officials said over the weekend.
DHS worked with FBI and other law enforcement officials through the weekend to identify victims of the attack and to help them recover systems without paying a ransom, primarily by installing Windows patches.
"We're ideal from a U.S. perspective," the DHS official said at mid-day Monday. "In the U.S, we're in a decent place. We don't have many victims and the ones we do have are not experiencing significant operational impacts.... We're very much focused on getting people to patch if they haven't. "
DHS did not name any U.S. organizations affected by WannaCry or its variants, which go by similar names like WannaCryp and WannaCrypt. However, Fedex did acknowledge on Friday that some of its Windows-based systems were hit.
DHS is not focused on identifying the perpetrators, leaving that to the FBI, which wouldn't comment. The attackers used tools first built by the U.S. National Security Agency to counter terrorists, but the tools were stolen by a group called Shadow Brokers that could have ties to the Russian government or could be working separately as a criminal gang. Each computer hit by WannaCry was frozen with a warning to pay $300 in bitcoin to free up the data.
Analysts and cyber officials said the U.S. fared better than other countries because of an active campaign by DHS and others to warn U.S. organizations about ransomware over the last 18 months. That effort arose after ransomware hit several U.S. hospitals.
"We are probably better off than a lot of countries," the DHS official said. "We're so aggressively training about awareness..., which could have had some effect. We've published guidance like the need for basic backup systems. We were pretty aggressively pushing that Microsoft patch in March."
DHS said its guidance for how to avoid ransomware attacks remains the same. "It's fairly basic: Don't click on links and download from people you don't know; update systems and back them up," the official said. "Ransomware was not well understood, but as attacks have become more sophisticated, people have understood over the last year."
WannaCry works differently than many past ransomware attacks because of the way it spreads through networks. After an unknowing worker clicks on a compressed Zip attachment to launch WannaCry, it can spread through a corporate network to infect and lock other computers -- even those where no link or attachment was accessed.
"This particular ransomware was slightly different in the sense that it self-propagates -- it's a worm type," said Anath Balasubramanian, general manager for worldwide healthcare business at Commvault, an established data recovery company with thousands of customers in 66 countries.
"Even at the best-prepared organization, there will still be one or two outlyers that haven't patched with the latest patches or still run older Windows XP, which makes this one very tricky to defend against," Balasubramanian said in an interview.
As for affected systems that need patching, he warned: "You still have to be very savvy when you restore.... You have to restore outside of the network where the attack happened because otherwise you re-infect the computers and and face an eternal cycle of restoring. You have to have a quarantined network to restore to the system."
Balasubramanian said hospitals have historically faced an IT budget crunch and have placed patient services above IT budgets that govern what's spent on security and recovery. "Healthcare IT budgets are under-budgeted, understaffed and under-resourced," he said.
Even so, U.S. hospitals have made IT and security and backup a higher priority than in other countries.
Part of what organizations need to limit ransomware attacks is a "change in mindset and mentality that says IT is a critical asset," he said. "No matter how strong your defenses are, things will always go wrong. Nothing in the world will prevent you from another ransomware attack with a 100% guarantee."