Posted by Robert Vamosi on May 16, 2017
With a technical story like WannaCry, there are bound to be some falsehoods spread as fact. As with any misconception, there is often a kernel of truth. More often though, the answer is more complicated than it first seems.
Here are a few important falsehoods that have been circulating in the last 48 hours:
False. WannaCry is a ransomware worm that spreads via port 445, looking for Server Message Block (SMB) vulnerabilities in systems running Microsoft Windows and have not yet been patched or disabled. There is no link between WannaCry and current phishing campaigns.
Any “advice” given against clicking email attachments may be the result of confusion with Jaff, another ransomware that uses phishing campaigns to spread. Jaff was first reported by Cisco Talos last Thursday, a day before the WannaCry outbreak. A computer virus requires human interaction to spread. A worm, like WannaCry, can spread on its own.
False. When Microsoft ended support for Windows XP, it ended free support for that operating system. For organizations that continue to run Windows XP, Microsoft offers a paid support program. So, when Microsoft announced on Friday it had a patch for the previously unpatched versions of Windows that WannaCry targeted, it wasn’t something they worked all night to deliver.
Evidence within the patch itself shows it was produced in February, along with other patches for EternalBlue that were included in the free Patch Tuesday release in March. There is also a major downside to rushing out a patch for discontinued software products. In doing so, there is then an expectation that the next time there’s a major malware release the same thing will happen.
There is no guarantee that Microsoft will make public any additional patches for Windows XP or any other discontinued versions of Windows. If you haven’t upgraded to a fully-supported version of Windows, now might be your opportunity to do so.
False. WannaCry uses pre-existing, allegedly NSA-created exploits EternalBlue and DoublePulsar. The latter is a remote execution malware, that is also increasing in prevalence, to compromise a vulnerable computer system. However, researchers remain unimpressed with the ransomware code itself, calling it standard, even low-end compared with more sophisticated ransomware such as Locky. Researcher Nicholas Weaver has a theory that WannaCry was still beta when it got out. Additionally, the fact it was so sloppy might make it easier to identify who is responsible for it.
False. The worm in the wild now is technically version 2.0. Version 1.0 was seen as early as February 2017. Several antivirus companies have since seen interim versions based on that version. These were not widely released. Version 2.0 is an enhancement of that February code. Whether or not there’s a kill switch doesn’t change the underlying code structure. What we’re seeing in the wild today is basically all version 2.0 code.
False. Only one researcher has commented publicly regarding personal harassment based on WannaCry. MalwareTechBlog (the researcher’s nickname on Twitter), who discovered the kill switch domain last Friday night, identified in tweets on Monday that the British media has become a source of his stress. Most in the press simply want to interview him, and some have. MalwareTechBlog told Forbes, “I don’t want fame.” Despite the pressure to doxx MalwareTechBlog, the researcher worked alongside others throughout the weekend to prevent the spread of WannaCry.
Now that we’ve set the record straight on these common WannaCry misconceptions, it’s time to get proactive about your organization’s software security initiative and hopefully get ahead of the next widespread breach.