VEP Makes Me Wanna Cry
A massive worldwide ransomware outbreak is happening because a secret US government program called VEP failed.
You’ve heard about the WannaCry ransomware that encrypts your files and makes you pay a Bitcoin ransom to get them back. It began spreading like wildfire recently, closing British hospitals, Russian government offices, etc. At the end of this post, I’ll tell you what to do if it hits you.
Ransomware has been growing for years. What made WannaCry newsworthy, besides the sheer number of PCs infected, was that it exploited a serious Windows security bug the US intelligence community knew about for years but kept secret. They didn’t tell Microsoft or anyone else. They didn’t want the bug fixed because it’s so useful for spying on our adversaries.
A hacker group called Shadow Brokers stole NSA classified files and leaked them on the Internet. Among the files was code for exploiting the Windows bug. After the code was leaked, other hacker groups began exploiting the bug for their own purposes. In this case, it seems a group called Lazarus used it to develop WannaCry, leading to the biggest ransomware outbreak in history. The same North Korean group is behind breaches of the international SWIFT payment network that have cost banks worldwide tens of millions of dollars.
The NSA’s own hacking tool that exploited the Windows bug, code named Eternal Blue, is quite powerful, blasting past antivirus and firewalls to silently steal files on a victim’s PC. “It was like fishing with dynamite,” one NSA employee told reporters. The intelligence community understandably didn’t want to give up one of the most powerful tools in its arsenal.
Some within NSA did worry about Eternal Blue falling into the wrong hands. “If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” an NSA employee predicted.
The intelligence community developed a Vulnerabilities Equities Process (VEP) they said would ensure each bug is reported to the fullest extent possible without damaging national security. The VEP policy was developed in 2010, but the public never saw it until the Electronic Frontier Foundation managed to obtain and publish a redacted copy through a Freedom of Information Act request last year.
There was a public outcry after the 2014 Heartbleed attacks exploited an OpenSSL bug already known to US intelligence agencies. President Obama’s cyber czar Mike Daniel publicly vowed to “reinvigorate” VEP, promising that when NSA kept bugs secret for national security reasons, it would only do so temporarily, carefully weighing the risks the bug could pose in the hands of enemies.
But two years later, the redacted VEP policy reveals a weak process riddled with loopholes. A secret interagency group known as the Equities Review Board (ERB) decides whether to share vulnerabilities or keep them secret. The VEP process allows a single ERB member to appeal a majority decision to Someone (name redacted) for potential override. The ERB members and this “Someone” appear to wield considerable power without much oversight.
Even worse, VEP grandfathers all vulnerabilities discovered before VEP was implemented, giving intelligence agencies the option to withhold them or “voluntarily submit” them to ERB. The Eternal Blue Windows bug exploited by WannaCry, which dates back to Windows XP circa 2001, was almost certainly known to NSA years before VEP, and so was exempt from review.
VEP is almost universally disliked by experts across the political spectrum. Microsoft president Brad Smith wrote that WannaCry proves “stockpiling of vulnerabilities by governments is a problem”. Microsoft proposed a 6-point Digital Geneva Convention requiring governments to “report vulnerabilities to vendors rather than to stockpile, sell, or exploit them.” At the other end of the policy spectrum, even security hawks who advocate against disclosing software bugs don’t like VEP either.
While VEP is deeply flawed, it's arguably better than nothing. Because it was implemented by Obama administrative order, there is now a danger the Trump administration will dismantle it. We need a US law requiring US intelligence agencies to follow a VEP-like process for software security bugs.
Because it lacks force of law, VEP “has no penalties for individuals to hold back information,” Council on Foreign Relations fellow Rob Knake pointed out months before the WannaCry outbreak. “We need to substantiate VEP into law.”
A bipartisan group of US Congressmen and Senators has done exactly that, proposing a bill called the Protecting our Ability to Counter Hacking (PATCH) Act. The PATCH Act would codify VEP into law and bring oversight to the ERB, while striking a balance between consumer safety and intelligence gathering. One of the bill’s authors, Sen. Brian Schatz, claims it “will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”
A law like the PATCH Act can make VEP public and transparent, subject to Congressional oversight, and protected from whims of future presidents who may not like it. It also represents an opportunity to improve the current VEP process and close its loopholes.
Okay, as promised, here are some tips to protect yourself from ransomware like WannaCry.
First, do all the obvious things to protect your data:
Backup important files or sync them to a cloud service that offers prior version recovery.
If you use external media for backups (e.g., a flash drive), disconnect it from the computer when not in use. Ransomware will encrypt every file it can reach, including backup copies.
Windows 7/8/10 users, make sure you have installed all security patches from Microsoft since March. Verify your antivirus is working and has the most current malware definitions*.
Windows XP users, upgrade immediately! Microsoft doesn’t fix your bugs anymore. Your XP machine is a neon bullseye. If it can’t run Windows 10, junk it.
Mac users, don’t feel too smug. WannaCry doesn’t affect you, but plenty of other ransomware does. You have to apply updates and run antivirus just like the rest of us.
If you become a ransomware victim despite taking precautions, don’t panic. Here’s what you need to do:
1. Do not reboot the PC. Rebooting reduces the success rate of decrypting files in step 3.
2. Attempt to recover affected files from backups or your cloud provider.
3. If you still have unrecovered files after the steps above, try to decrypt them yourself. Some ransomware has bugs that security researchers exploit to create recovery tools. Free tools are already emerging to recover WannaCry files.
4. For something other than WannaCry, determine the name of the ransomware that infected you, then Google for possible solutions, or check the web sites below:
5. If you still have unrecovered files after the steps above, you face a difficult choice. The FBI discourages ransom payment, but many people pay when the files are vital and they have no other options. Be aware that payment may increase the likelihood of future attacks.
6. Report your ransomware incident to the FBI Internet Crime Complaint Center.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.
UPDATE 11/15/2017: The Trump administration today released a declassified, unredacted version of the VEP process here. Although this is a welcome development, this version of VEP appears to have the same problems as discussed above. The single individual able to veto board decisions is revealed to be an NSA appointee. Vulnerabilities that predate February 2010 are still grandfathered, thus not subject to VEP.
UPDATE 9/6/2018: The US government formally charged a North Korean citizen linked to his country's intelligence service with helping develop the WannaCry malware, as well as participating in cyber attacks targeting Bank of Bangladesh and Sony Pictures. The individual is wanted by the FBI. Sanctions will be placed on him and the dummy company he works for.
*Note: There is some debate about the effectiveness of conventional signature-based antivirus tools against WannaCry. The US CERT alert on WannaCry (TA17-132A) states it is “not vulnerable to antivirus software scans” because the DLL file it plants is encrypted with a semi-random key. However, based on my conversations with security vendors, it does appear at least one AV tool (Symantec Endpoint Protection version 14 with the Intelligent Threat Cloud feature enabled) is able to detect and block currently known WannaCry variants. Taproot Security has not verified this and does not endorse commercial products. But if that AV tool works, others probably do as well. Independent security researchers like Taproot will continue to evaluate malware and test solutions. Symantec security researchers wrote about WannaCry on the company blog.