Last Friday (May 12, 2017), a piece of malware known as WannaCry (WanaCrypt0r 2.0/WCry) infected over 200,000 Windows-based machines in over 150 countries. It encrypted the victim's files and held them for a ransom of $300, payable in Bitcoin. Ransomware itself is not new; what made WannaCry different was that it spread on its own, from machine to machine, and the speed of that spread caught many people off guard.
Thousands of individuals were affected, including patients of National Health Service hospitals in the U.K. and customers of utilities in Spain and Russia. While parts of the world were heavily hit, the United States was largely spared, in part because of some quick thinking from a researcher and a $10 domain registration.
On Friday night, an anonymous researcher reported that he had reverse engineered the WannaCry code. The ransomware takes advantage of a vulnerability in the Server Message Block (SMB) file-sharing protocol in Windows: its worm component uses the EternalBlue exploit against that vulnerability to compromise a machine, installs the DoublePulsar backdoor (which is also becoming more prevalent these days), and uses it to load the ransomware package, which then begins encrypting the compromised machine's files. Before encrypting, however, the researcher noted that WannaCry attempted to connect to a domain consisting of a long string of seemingly random characters, and exited if the connection succeeded. That domain had never been registered, so the connection always failed and the malware ran. The researcher registered it and, in doing so, accidentally discovered the malware's "kill switch": once the domain resolved and answered, new infections of that variant stopped short of encryption. Note that the check is only a connection attempt, so a machine that cannot reach the domain (for example, one with no direct internet access) is still encrypted.
Having a kill switch in the malware code is very curious. It suggests that the author wanted to be able to control it. WannaCry might have been either an experiment, or a proof of concept (POC) for something that was being planned for later. At this point we don’t know.
In March 2017, Microsoft released the MS17-010 security update, which fixes the SMBv1 flaws that EternalBlue exploits, but only for versions of Windows still in support: Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and 2012 R2, Windows Server 2016, and Server Core installations.
On Friday night, Microsoft took the unusual step of releasing patches for Windows XP, Windows Server 2003, and Windows 8, out-of-support versions that had not previously been patched against the SMB vulnerabilities. Many of the computers in the UK hospitals were thought to still be running Windows XP.
By the way, it is always a good idea to turn off any Windows features your machine does not use. In Windows 10, for example, the legacy SMBv1 protocol is enabled by default. Microsoft has published guidance on how to detect SMBv1 and turn it off where it is not business critical. Disabling SMBv1 removes the attack surface EternalBlue uses, but it complements the patch rather than replacing it: patch first, then disable the protocol.
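The following script is an added example, not code from the original article or from Microsoft. It audits a Windows host for the MS17-010 update and for SMBv1 on both the server (LanmanServer) and client (mrxsmb10) side, and disables SMBv1 when run with -Remediate. The KB numbers are the MS17-010 packages Microsoft published; the per-version grouping in the comments is this example's own summary, so check it against the bulletin for your exact builds. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article or from Microsoft):
# audit a Windows host for MS17-010 and SMBv1, optionally disable SMBv1.
[CmdletBinding()]
param([switch]$Remediate)

# MS17-010 package IDs. Assumption: the per-version grouping below is this
# example's own summary of the bulletin; verify it for your builds.
$Ms17010Kbs = @(
    'KB4012598',                           # Vista SP2 / Server 2008 SP2; also the May 12 XP / 2003 / 8 packages
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',              # Windows Server 2012 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2 (security-only / monthly rollup)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Installed {
    # $true when one of the MS17-010 packages is present. $false is NOT proof the
    # host is vulnerable: later cumulative updates and rollups supersede these KBs
    # without listing them, so treat $false as "investigate", not "exposed".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # SMBv1 can be on for the server side and the client side independently.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting as a cmdlet.
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: DWORD SMB1 under LanmanServer\Parameters.
        # A missing value means enabled, which is the default.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $server = ($null -eq $val) -or ($val -ne 0)
    }
    # Client side: the SMB1 redirector is the mrxsmb10 kernel driver.
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $client = ($null -ne $drv) -and ($drv.StartMode -ne 'Disabled')
    [pscustomobject]@{ ServerSmb1 = [bool]$server; ClientSmb1 = [bool]$client }
}

function Disable-Smb1 {
    # Server side.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the SMB1 redirector from the workstation service's
    # dependency list, then stop the driver from loading at all.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    # Where the optional feature exists (Windows 8.1 / 10), remove it outright.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

$patched = Test-Ms17010Installed
$smb1    = Get-Smb1State
Write-Output ("MS17-010 package found : {0}" -f $patched)
Write-Output ("SMBv1 server enabled   : {0}" -f $smb1.ServerSmb1)
Write-Output ("SMBv1 client enabled   : {0}" -f $smb1.ClientSmb1)
if ($Remediate -and ($smb1.ServerSmb1 -or $smb1.ClientSmb1)) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; reboot for the change to take full effect.'
}
```

Run it once without arguments to see the state, and with -Remediate to turn SMBv1 off; the registry and driver changes take full effect only after a reboot. Because the KB check can only prove the positive case, a $false result on a host that receives cumulative updates should be confirmed with your patch-management system rather than read as "vulnerable".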
On Saturday, InfoSec researchers were also questioning whether the WannaCry author, realizing that the original code had been stopped, had released a second version without the kill switch. It is unclear whether that is the case, although one researcher did report stopping a second wave. Antivirus firm Kaspersky, and others, reported on Saturday seeing variants without a kill switch. Other researchers countered that some of these new derivatives are copycats. One "version 2.0" candidate, for example, failed to encrypt anything at all because its payload was corrupted.
Another source of confusion surrounding the second version was the origin of WannaCry itself. A few days earlier, a new ransomware family, Jaff, had been reported by Cisco Talos. Jaff, however, spreads via phishing, sending hundreds of emails from compromised machines. WannaCry is a worm that propagates on its own over SMB and does not use email to spread. As of Sunday, no technical relationship between Jaff and WannaCry had been established.
Another thing that sets WannaCry apart from earlier worm outbreaks is that it was built for direct financial gain. The ransom is paid in Bitcoin, and the amount demanded is $300, shown to the victim in local currency. In some parts of the world $300 is a lot of money. Victims are given several days to pay before the malware claims their data will be lost permanently, but after the first 48 hours it appears that most people are not paying.
As of Saturday, the amount collected by the authors of WannaCry was about $26,000; by Sunday morning it was $30,000, and by Sunday night roughly $35,000. This is nowhere near the millions some first expected. Although victims still have a few days to pay before the deadline in the ransom note, it appears that people are either walking away from their data or restoring from backups.
Despite these successes, history suggests that stopping WannaCry completely will not be easy, if it is possible at all. Conficker, released in November 2008, is still infecting Windows machines worldwide, despite an aggressive public awareness campaign by the Conficker Working Group.
It is far better not to let your Windows boxes fall victim to WannaCry or any other malware in the first place. Keep your operating system current and apply patches as soon as they become available. Turn off unused features and close unused ports, SMBv1 and TCP port 445 at the perimeter among them. Good hygiene, along with industry best practices, is what keeps computers and networks up and running.