WannaCry Ransomware

WannaCry ransomware appeared in May of 2017, starting with a massive attack on vulnerable SMB services, railways, telcos, universities, the UK's NHS, and so on. The ransomworm strain infected over 300,000 computers in over 150 countries, making the criminals $90,000 which is really not that much compared to the amount of infections. WannaCry was to date the biggest ransomware outbreak in history and really caused the world to take notice of ransomware.

The IT systems of around 40 National Health System hospitals across the UK were affected by this attack. Non-emergency operations had to be suspended and ambulances were diverted as a result of the infection. Cybersecurity experts have long used the phrase "where bits and bytes meet flesh and blood," which signifies a cyberattack in which someone is physically harmed.

A North Korean attack?

A North Korean hacking group is suspected to be behind the worldwide WannaCry attack that caused 1 billion dollars in damage, targeting mainly un-patched Windows 7 machines. Symantec and Kaspersky malware labs are investigating technical evidence that possibly suggests the North’s involvement, claiming they found some code in an earlier version of the WCry ransomware that had also been used in programs deployed by the Lazarus Group, which is reportedly run by the Norks. The below graph from Symantec shows how quickly WannaCry spread:

Number of Symantec detections for WannaCry May 11 to 15

This is spy territory and the best way to approach attribution is to deal in probabilities and intelligence estimates that are never 100%, unless you can hack into the machines of the actual coders behind an attack, which is very unlikely. That said, there's a 70–80% chance that WannaCry originated in North Korea based on forensic evidence we've seen so far.

Short ransomware deadline

The ransom starts at $300 if you pay within 6 hours, then it doubles to $600 for up to 3 days later. The ransomware threatens to delete the files completely If you don't pay within a week, and includes an ominous countdown timer to your files being deleted. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files.

wannacry-ransom-note-screenshot

Infection vector NOT phishing - this is a powerful ransomworm

Security experts initially thought the infection vector was a mass phishing campaign sending its potential victims fake invoices. However, SophosLabs VP Simon Reed said this looks like a worm from start to finish: "There were no outlook.exe files anywhere, nothing but a compromised Windows SMB driver as the starting point. So far, we haven’t found anything but evidence of a network worm."

So this outbreak was a throwback to those of the early 2000s. But instead of just noise and network downtime, a much more damaging payload of ransomware ground many organizations to a halt.

The infection - an NSA 0-day exploit

WannaCry uses what was originally NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits which were made public earlier this year by a group calling itself the ShadowBrokers. There are recent patches available but many have not applied them yet.

Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows.It is unclear how the ShadowBrokers may have gotten their hands on these NSA tools – conspiracy theories range from a contractor leak to a Russian counter-espionage trying to hint American intelligence should back off.

What you can do if you are infected:

  1. Check your firewall configuration and make sure no criminal network traffic from port TCP/445 is allowed out, and disable SMBv1 on all machines immediately, and if possible, block 445 inbound to all internet-facing Windows systems
  2. From here on out with any ransomware infection, wipe the machine and re-image from bare metal
  3. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly
  4. Make sure your endpoints are patched religiously, OSand3rd Party Apps
  5. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers
  6. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
  7. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
  8. Make sure you have weapons-grade backups that are frequently tested
  9. Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email.

The aftermath

The Register has a good write-up with more in-depth technical details. 

Infected with WannaCry Ransomware? We can help!

Get A Quote

See A Demo

 


« Back To Ransomware Knowledgebase

 


Get the latest about social engineering

Subscribe to CyberheistNews