Posted by Robert Vamosi on May 13, 2017
On Friday, several organizations around the world fell victim to a wave of ransomware that swept the globe. Ransomware is malware that encrypts the hard drives of compromised machines and withholds the decryption key until the owner pays in full. Such attacks have been persistent but relatively quiet.
Until now, ransomware had been confined to limited or one-off events. A new ransomware known as WannaCry (WanaCrypt0r 2.0/WCry) is changing that by infecting thousands of computers worldwide within a few hours. At this point it’s too early to tell if this will be a new trend, or its own one-off event.
WannaCry appears to use a remote exploit and then downloads the encryption malware separately. Within hours a compromised computer is fully encrypted, preventing user access. To regain access, victims must submit payment via Bitcoin. The malware authors are currently asking for $300 in Bitcoin. According to Motherboard, the ransomware announces itself with a display screen: “You only have 3 days to submit the payment. After that the price will be doubled. Also if you don’t pay in 7 days, you won’t be able to recover your files forever.”
Paying by Bitcoin is a foreign concept to most of us. In the New York Times, author Alina Simone writes about her elderly mother’s experience with ransomware and her own discovery of how to pay by Bitcoin using a New York City Bitcoin ATM. Up until now individual stories like hers have been the norm.
With WannaCry, the pain of extortion spread quickly across the world, affecting public-facing institutions such as hospitals across England, for example. According to the Reuters news service, National Health Service (NHS) facilities had to divert patients requiring emergency treatment away from affected hospitals on Friday. The NHS also had to discourage all but the most severe cases from seeking treatment. At least 16 NHS facilities were affected.
In Spain, Telefonica, one of the country’s largest telecommunications companies, was hit internally. The company told its employees to shut down their computers and immediately log off VPNs. According to the Spanish publication El Mundo up to 85 percent of the company’s computers were hit in the first few hours. While antimalware programs can target and remove infections such as WannaCry, they can’t restore encrypted files. In most cases, organizations must pay the ransom or restore from backups.
The latest Verizon Data Breach Investigations Report (DBIR) for 2017 cites ransomware as its #1 trend. Usually ransomware targets an industry or a specific set of individuals. Something made WannaCry different. Although this malware was released two weeks ago, it quickly blew up into a global menace.
Within a few hours, WannaCry infected Windows machines in 11 countries, including Russia, Turkey, Germany, Vietnam, and the Philippines, according to MalwareHunterTeam. In this case, WannaCry is acting like the old Microsoft Word-based computer viruses such as ILoveYou and Melissa. In May 2000, ILoveYou spread around the world in fewer than five hours.
[Figure: a real-time map of WannaCry infections on May 12, 2017, at 1 p.m. PST (image source: malwaretech.com)]
WannaCry leverages a known vulnerability that Microsoft patched in March 2017. Security bulletin MS17-010 covers the SMB server vulnerability exploited by EternalBlue, a tool originally thought to have been created by the NSA. EternalBlue and other tools were leaked to the public by a group known as the Shadow Brokers in April. Another piece of malware, the DoublePulsar backdoor, is also installed through EternalBlue, and it too has seen a sharp increase in infections in recent weeks. Individuals and organizations that haven’t already applied MS17-010 are encouraged to patch their systems as soon as possible.
However, the Microsoft SMB patch only helps if you are running a version of Windows that Microsoft still supports. The patch is available from Microsoft for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and 2012 R2, Windows Server 2016, and Server Core. If you’re still running something other than a fully supported version of Windows, then you remain exposed to WannaCry and to other exploits.
Microsoft periodically discontinues support for its older operating systems. That means those machines, unless they are segmented and monitored separately on the network, remain exposed to newly discovered vulnerabilities and to exploits such as EternalBlue.
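As an added illustration of the patch check described above (example code written for this page, not from the original post or from Microsoft), the following PowerShell audits a single host for the MS17-010 update, reports whether the SMBv1 server protocol is still enabled, and offers a remediation for hosts that do not need SMBv1. The KB numbers are the ones I recall from the MS17-010 bulletin and should be verified against the bulletin for your exact build; the script assumes an elevated session on Windows 7 / Server 2008 R2 or later.

```powershell
# MS17-010 exposure check (added example, not from the original article).
# Assumptions: elevated session on Windows 7 / Server 2008 R2 or later, PowerShell 4+.
# KB list below is from my reading of the MS17-010 bulletin; verify before relying on it.
$Ms17010Kbs = @(
    'KB4012598',                           # Vista SP2, Server 2008 SP2
    'KB4012212', 'KB4012215',              # Windows 7 SP1, Server 2008 R2 SP1
    'KB4012213', 'KB4012216',              # Windows 8.1, Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507, 1511, 1607 / Server 2016
)

function Get-Ms17010Status {
    $os       = Get-CimInstance Win32_OperatingSystem
    $hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found    = @($Ms17010Kbs | Where-Object { $hotfixes -contains $_ })

    # SMBv1 state: newer builds expose Get-SmbServerConfiguration; Windows 7 / 2008 R2 do
    # not, so fall back to the LanmanServer SMB1 registry value (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val  = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $val) { $true } else { [bool]$val.SMB1 }
    }

    # Is the SMB port listening at all? netstat works on every build listed above.
    $port445 = [bool](netstat -an | Select-String ':445\s+.*LISTENING')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = $os.Caption
        OSBuild          = $os.Version
        Ms17010KbFound   = ($found -join ',')
        Smb1Enabled      = $smb1
        Port445Listening = $port445
        # On Windows 10 a later cumulative update supersedes these KBs, so an empty
        # Ms17010KbFound is not proof of exposure there: compare the build number instead.
        NeedsAttention   = ($found.Count -eq 0 -or $smb1)
    }
}

# Remediation for hosts that do not need SMBv1: turn off the server-side protocol.
function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force   # takes effect after a reboot
    }
}

Get-Ms17010Status | Format-List
```

Run Get-Ms17010Status first; call Disable-Smb1Server only on hosts where nothing still depends on SMBv1, since older printers and NAS devices often do.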
Using data from NetMarketShare from April 2017, roughly 8.35% of the total users are still using older versions of Windows. Even though it’s less than 10 percent, it’s interesting to see how such a small percentage of computers can affect the real world.
A Motherboard investigation found that the UK’s NHS runs thousands of computers that still use the Windows XP operating system. This might account for the ransomware affecting the English hospital system.
The same is true with older industrial control systems. If they are not segmented off the internet, they too could be vulnerable to WannaCry and DoublePulsar. While it’s harder to update embedded systems, networked computers should be updated to the latest and greatest operating system possible. And if the hardware won’t support that, maybe it’s time to upgrade the hardware as well.
As for who’s doing this, the authors of WannaCry are probably running for cover. Ransomware, as noted above, generally tries to stay out of the public eye so its authors can slip by. With all the attention on this attack, it’s likely that law enforcement will be looking through the current Bitcoin ransom transactions to identify the WannaCry authors. And they might be able to.
In a normal Bitcoin transaction, the blockchain establishes a traceable history of every transaction a coin has been part of during its lifetime. Of course, the criminal element has already found ways to launder Bitcoins: mixing services basically randomize a coin’s interactions with other Bitcoins so that in the end you hold the same monetary value but technically a different Bitcoin. Even so, such laundering schemes are not 100 percent anonymous. With enough resources and diligence, law enforcement could unravel a Bitcoin’s tainted history to reveal, perhaps, the ransomware’s author.