On May 12, 2017, a new ransomware strain, dubbed “WannaCry” (WannaCrypt), was found by Malwarebytes (an anti-malware software company). Programmed to run in 27 languages, the ransomware made its first major infection, the one that grabbed everyone’s attention, when it hit Britain’s National Health Service (NHS). British authorities said that about 20% of Britain’s public health trusts were affected in the attack. As reported by the New York Times, 200,000 computers across over 150 countries were affected. Affected computers displayed a message that read “Oops, your files have been encrypted,” along with a demand for $300 in the anonymous digital currency Bitcoin.
So, who else was affected in the WannaCry ransomware attack? According to Kaspersky Lab, Russia was hit worst, followed by Ukraine, India, and Taiwan. The Russian Interior Ministry had 1,000 computers hit; FedEx, Deutsche Bahn (the German transportation company), Telefonica (a Spanish telecommunications firm), Renault (the French car company), and several computers used to mine Bitcoin in China were all among the many companies and systems affected by this ransomware.
So, how did this happen?
The hackers drew on exploits stolen from the NSA (National Security Agency) and dumped by the Shadow Brokers, using one called EternalBlue against a Windows zero-day vulnerability. EternalBlue exploits a remote code-execution bug in Windows, up to and including the latest version of Windows Server 2008 R2, via the Server Message Block (SMB) and NetBT protocols. Per McAfee, WannaCry uses the MS17-010 exploit to spread to other machines over NetBIOS. Because it generates lists of both internal IPs and random IPs, WannaCry can spread beyond a given network and across the internet if the respective sites allow NetBIOS packets from outside networks, also per McAfee. The samples found in the wild were capable of both infecting and spreading. Once WannaCry infects a machine, it also tries to infect any network shares mounted as local disks.
The most devastating thing about this malware is that it could, in theory, have been stopped before it started if Windows users worldwide had applied the patch Microsoft released in response to the discovery of the zero-day vulnerability. After the vulnerability was found, Microsoft took its time creating the patch, but did release it months before the WannaCry ransomware outbreak. Since the attack, Microsoft has released another patch for affected users. NPR’s Rob Schmitz reported from Shanghai that Microsoft users in China cannot access the patch because “many Chinese computers run on pirated Microsoft operating systems,” though Chinese security companies have offered their help.
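To make the spreading behaviour described above concrete from a defender’s side, here is an added example (not code from the original post or from McAfee) that runs a simple detector over constructed firewall flow records. It flags any host that attempts SMB connections (TCP 445 or 139) to many distinct targets within a short window, which is what a worm working through lists of internal and random IPs looks like, and separately flags SMB attempts toward addresses outside the site’s private ranges, which is the internet-bound spread the post describes. The log format, thresholds, internal address ranges and IP addresses are all assumptions chosen for the example.

```python
# Added example (not from the original post or McAfee): flag hosts whose SMB
# connection attempts fan out like a worm scanning internal and random IPs.
# Log format, thresholds and addresses are assumptions made for this example.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: look for fan-out within one minute
FANOUT_THRESHOLD = 8             # assumption: distinct SMB targets that trigger an alert
SMB_PORTS = {445, 139}           # SMB direct-hosted and SMB over the NetBIOS session service

# Assumption: the site's internal space is RFC 1918; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "<timestamp> <src> <dst> <dport> <action>".
# Attempts are counted whether allowed or denied: a scanning host produces
# mostly denies, and those are the signal.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.0.15 10.0.0.1 445 deny
2017-05-12T10:00:01 10.0.0.15 10.0.0.2 445 allow
2017-05-12T10:00:02 10.0.0.15 10.0.0.3 445 deny
2017-05-12T10:00:02 10.0.0.15 10.0.0.4 445 deny
2017-05-12T10:00:03 10.0.0.15 10.0.0.5 445 allow
2017-05-12T10:00:03 10.0.0.15 10.0.0.6 445 deny
2017-05-12T10:00:04 10.0.0.15 10.0.0.7 445 deny
2017-05-12T10:00:04 10.0.0.15 10.0.0.8 445 deny
2017-05-12T10:00:05 10.0.0.15 10.0.0.9 445 deny
2017-05-12T10:00:05 10.0.0.15 10.0.0.10 445 deny
2017-05-12T10:00:06 10.0.0.15 203.0.113.7 445 deny
2017-05-12T10:00:07 10.0.0.20 10.0.0.5 445 allow
2017-05-12T10:00:08 10.0.0.20 10.0.0.5 445 allow
2017-05-12T10:00:09 10.0.0.20 93.184.216.34 443 allow
2017-05-12T10:05:00 10.0.0.20 10.0.0.6 445 allow
"""


def parse_flow(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_fanout(lines):
    """Return {src: {"peak_distinct_targets": n, "external_targets": [...]}}
    for every source that looks like it is scanning for SMB hosts."""
    attempts = defaultdict(list)   # src -> [(timestamp, dst)]
    external = defaultdict(set)    # src -> SMB targets outside internal ranges
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _action = parse_flow(line)
        if dport not in SMB_PORTS:
            continue
        attempts[src].append((ts, dst))
        if not is_internal(dst):
            external[src].add(dst)

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        peak, start = 0, 0
        for i, (ts, _dst) in enumerate(events):
            # Slide the window start forward until it is within WINDOW of ts.
            while events[start][0] < ts - WINDOW:
                start += 1
            distinct = {dst for _, dst in events[start:i + 1]}
            peak = max(peak, len(distinct))
        if peak >= FANOUT_THRESHOLD or external[src]:
            alerts[src] = {
                "peak_distinct_targets": peak,
                "external_targets": sorted(external[src]),
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_smb_fanout(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host}: {info['peak_distinct_targets']} distinct SMB targets within "
              f"{WINDOW.seconds}s; external targets: {info['external_targets']}")
```

On the constructed log, the scanning host 10.0.0.15 is reported with eleven distinct SMB targets inside the window and one external target, while 10.0.0.20, which only talks to its file server, is not. The external-target rule fires on a single attempt because ordinary workstations have no reason to open SMB sessions to the internet; blocking 445/139 at the perimeter both prevents that spread and gives the firewall log the denies this detector keys on.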
Where do we go from here?
A U.K.-based security researcher has been called an “accidental hero” for registering the domain that the malware queried. Here is their account from MalwareTech.com:
“Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don’t open phishing emails, which suggested that for something to be this widespread it would have to be propagated using another method). I was quickly able to get a sample of the malware with the help of Kafeine, a good friend, and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.”
After further research and correspondence, MalwareTech learned that simply registering the domain had stopped WannaCry from spreading any further:
“Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second mean that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain (I initially kept quiet about this while I reverse engineered the code myself to triple check this was the case, but by now Darien’s tweet had gotten a lot of traction).”
I highly recommend reading MalwareTech’s account of stopping the WannaCry epidemic.
Other security researchers and experts are following MalwareTech’s lead by registering the new domains queried by the malware’s variants. Chris Doman of AlienVault said, “The cat-and-mouse will likely continue until [someone] makes a larger change to the malware, removing the kill-switch functionality completely. At that point, it will be harder to stop new variants.”
As stated above, to protect against WannaCry and other malware exploiting this Windows vulnerability, make sure you apply the patch from Microsoft. Then follow these six steps outlined by No More Ransom, as reported by NPR:
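The kill-switch mechanism described above also gives defenders a triage signal. The following is an added example, not code from MalwareTech or the original post, that reads constructed DNS resolver log lines and lists every internal host that looked up the kill-switch domain. A NOERROR answer means the lookup happened after the domain was registered, so the sample saw it resolve and stopped before spreading; an NXDOMAIN answer means the host ran the sample while the domain was still unregistered, so the sample carried on past its check. Both kinds of host executed the malware and need remediation. The domain name is an obvious placeholder, since the post does not name the real one, and the log format is an assumption.

```python
# Added example (not MalwareTech's or the original post's code): list internal
# hosts that queried the kill-switch domain, from constructed DNS log lines.
# The domain below is a placeholder; the real one is not named in the post.
SINKHOLE_DOMAINS = {"killswitch-placeholder.example"}

# Constructed resolver log: "<timestamp> <client> <queried name> <rcode>".
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:13 10.0.0.15 killswitch-placeholder.example NXDOMAIN
2017-05-12T11:02:14 10.0.0.15 www.example.org NOERROR
2017-05-12T15:40:02 10.0.0.31 killswitch-placeholder.example NOERROR
2017-05-12T15:40:05 10.0.0.31 KillSwitch-Placeholder.example. NOERROR
2017-05-12T15:41:00 10.0.0.44 www.example.com NOERROR
"""


def normalize(name):
    """DNS names are case-insensitive and logs often keep the trailing dot."""
    return name.rstrip(".").lower()


def parse_dns_line(line):
    ts, client, qname, rcode = line.split()
    return ts, client, normalize(qname), rcode.upper()


def triage_killswitch_queries(lines, sinkhole_domains=SINKHOLE_DOMAINS):
    """Return {client: {"first_seen", "queries", "unresolved", "status"}} for
    every client that looked up a kill-switch domain.

    halted_by_sinkhole: every lookup resolved, so the sample exited before
                        spreading (the domain was already registered)
    ran_unchecked:      at least one lookup failed, so the sample ran while the
                        domain was still unregistered and continued past its check

    Either way the host executed the malware and needs remediation.
    """
    targets = {normalize(d) for d in sinkhole_domains}
    hosts = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, rcode = parse_dns_line(line)
        if qname not in targets:
            continue
        entry = hosts.setdefault(
            client, {"first_seen": ts, "queries": 0, "unresolved": 0})
        entry["queries"] += 1
        if rcode != "NOERROR":
            entry["unresolved"] += 1
    for entry in hosts.values():
        entry["status"] = ("ran_unchecked" if entry["unresolved"]
                           else "halted_by_sinkhole")
    return hosts


if __name__ == "__main__":
    for client, info in triage_killswitch_queries(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{client}: first seen {info['first_seen']}, "
              f"{info['queries']} lookups, {info['status']}")
```

Two caveats follow from the post itself. The registration stops new infections but decrypts nothing, so a host marked halted_by_sinkhole still ran the sample and should be isolated and patched. And a variant with the kill switch removed, the case Chris Doman describes, never performs the lookup, so this check finds nothing for it; that is why the patch and the SMB-level detection remain the primary controls.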
- “Back up your computer and store the safety version in the cloud or on a drive that is not connected to your computer.
- Use robust antivirus software.
- Keep all the software on your computer up-to-date. Enable automatic updates.
- Never open attachments in emails from someone you don’t know. And remember that any account can be compromised.
- Enable the “Show file extensions” option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like “.exe,” “.vbs” and “.scr.”
- If you find a problem, disconnect your machine immediately from the Internet or other network connections (such as home Wi-Fi).”
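The “Show file extensions” step above matters because Windows hides known extensions by default, so a file named “invoice.pdf.exe” is displayed as “invoice.pdf”. As an added example (not code from No More Ransom or the original post), the function below screens attachment file names the way a mail gateway or help-desk script might: it blocks the extensions the post names plus a few other Windows-executable and script types (an assumption; tune the list to your environment), and it specifically calls out executables disguised behind a document extension. The sample file names are constructed.

```python
# Added example (not from No More Ransom or the original post): screen
# attachment names for executable types, including the double-extension
# disguise that hidden extensions make possible.
import os

# The post names .exe, .vbs and .scr; the rest are an assumption about other
# types commonly blocked at mail gateways. Tune to your environment.
RISKY_EXTENSIONS = {".exe", ".vbs", ".scr", ".js", ".bat", ".cmd",
                    ".hta", ".pif", ".com"}
# Extensions a recipient would expect on a harmless document or image.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".jpg", ".png", ".txt"}


def classify_attachment(filename):
    """Return (verdict, reason); verdict is "block", "review" or "allow"."""
    name = filename.strip()
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in RISKY_EXTENSIONS:
        # "invoice.pdf.exe" shows as "invoice.pdf" with extensions hidden;
        # rstrip() also catches padding such as "invoice.pdf      .exe".
        inner = os.path.splitext(root.rstrip())[1].lower()
        if inner in DOCUMENT_EXTENSIONS:
            return "block", f"executable disguised as {inner} document ({ext})"
        return "block", f"executable attachment type {ext}"
    if ext == "":
        return "review", "no extension"
    return "allow", f"extension {ext} not on the block list"


def screen_attachments(filenames):
    """Classify a batch of names; returns {filename: (verdict, reason)}."""
    return {f: classify_attachment(f) for f in filenames}


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",
    "Report.PDF.scr",
    "holiday photo.jpg      .exe",
    "macro.VBS",
    "notes.txt",
    "README",
]

if __name__ == "__main__":
    for name, (verdict, reason) in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6} {name!r}: {reason}")
```

The check is deliberately name-based, which is what the post’s advice addresses; it complements, and does not replace, antivirus scanning of the attachment’s actual content, since a file’s extension says nothing reliable about what it contains.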
Looking to expand your information security and privacy knowledge? Wanting to better understand how to defend yourself against malicious attacks? Considering starting a career in cyber security? Look no further! Start your education and training today!
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.