If there was a person in the world who didn’t know what ransomware was, they probably do now. On Friday the 12th of May 2017, what was initially dismissed as an issue on NHS (National Health Service) England’s IT system quickly developed into a global incident involving computers, laptops and servers in 150 (and still counting) countries.
The culprit is a strain of ransomware known as WannaCry or WCRY, which in typical ransomware fashion encrypts files using both the AES and RSA ciphers, then removes the ability to restore locally by deleting restore points such as those used by the system repair tool. A message box known as the WannaCry Decryptor is then displayed on-screen, demanding that the user pay $300 in bitcoin to a displayed bitcoin wallet in exchange for the decryption key.
So far this variant sounds not dissimilar to the thousands of other types of ransomware in the wild. Yet there is one terrifying difference which sets WannaCry apart from its perceived peers: by leveraging a Microsoft Windows operating system vulnerability known as EternalBlue, it was able to spread more widely than any ransomware witnessed before.
WannaCry & EternalBlue: A Match Made in Ransom
The ironic origins of EternalBlue begin on the 15th of April 2017, when a hacking collective known as the Shadow Brokers, after unsuccessfully looking for a buyer since August 2016, publicly released a haul of stolen NSA files. This treasure chest of goodies included details of electronic spying tools, software and exploits used by the American security agency (and allegedly GCHQ). Some may remember reports of the NSA having an exploit which could turn Samsung TVs with voice command functions into listening devices. More pertinent to this blog, however, is the EternalBlue Microsoft Windows exploit, which could move files undetected between endpoints in a local network using SMBv1 on all Windows platforms from Server 2003 and XP through to Server 2016 and 10.
Microsoft, made aware of EternalBlue prior to the release by the Shadow Brokers, had released a patch on the 14th of March 2017. However, through a combination of slow patch management and the use of unsupported versions of the Microsoft Windows operating system such as Windows XP, WannaCry was able to use EternalBlue to demonstrably devastating effect. Both problems, I am sure, are recognisable to all readers.
At the time of writing, the WannaCry ransomware attack has had the following effects:
- 61 NHS England organisations disrupted.
- Car manufacturer Renault stopped production for a period of time.
- Telefonica’s Madrid HQ stopped their users accessing their endpoints until the situation was assessed.
- Logistics giant FedEx was unable to function at normal effectiveness.
- Russia’s government agencies were reported to be hardest hit, with over 1000 endpoints affected.
- Choice hotels in Scandinavia were reported to be affected.
- Police computer systems in some Indian states had been affected.
Such has been the magnitude of this attack that on May 13th, Microsoft released an emergency patch for those operating systems which it no longer supports, including Windows XP and Server 2003, in an attempt to halt the spread.
The Accidental Hero
In addition, an accidental hero appears to have thwarted further spread of the attack. A 22-year-old cyber security expert, known as MalwareTech, who was investigating the attack noticed that after encrypting files the ransomware would attempt to communicate with an obscure, unregistered domain. Possibly as a deliberate kill-switch, the creators of WannaCry built the ransomware to look up this domain and, if a reply is returned, stop spreading. Seizing the opportunity, MalwareTech purchased the domain for $10.69 and thus stopped the attack. Better value than $300 in bitcoin.
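As an added example (not code from the original post), the following Python script shows how a defender might turn two facts from this story into a triage step: a host that looks up the kill-switch domain has almost certainly run the sample, whether or not a reply came back, and a host with SMBv1 enabled on an unpatched or unsupported Windows build is what the worm can reach. The host inventory, the DNS resolver log lines and the kill-switch domain name are all constructed placeholders; the post does not name the real domain.

```python
"""Outbreak triage for an SMBv1 worm such as WannaCry.

Added example, not code from the original post. The host inventory, the DNS
log lines and the kill-switch domain name are all constructed here; the real
kill-switch domain is not named in the post, so a placeholder is used.
"""
from collections import namedtuple

# Placeholder (assumed) for the obscure domain the ransomware looks up.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Windows versions the post names as out of support in May 2017.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

Host = namedtuple("Host", "name os smbv1_enabled patched")

# Constructed inventory, as an asset-management export might provide it.
# 'patched' means the March 2017 SMBv1 fix is installed.
INVENTORY = [
    Host("ws-001", "Windows 10", smbv1_enabled=True, patched=True),
    Host("ws-002", "Windows 7", smbv1_enabled=True, patched=False),
    Host("srv-legacy", "Windows Server 2003", smbv1_enabled=True, patched=False),
    Host("ws-003", "Windows 10", smbv1_enabled=False, patched=False),
]

# Constructed resolver log: "<timestamp> <client-ip> <qtype> <qname>"
DNS_LOG = """\
2017-05-12T10:14:03Z 10.0.0.12 A killswitch.example.invalid
2017-05-12T10:14:05Z 10.0.0.12 A updates.example.invalid
2017-05-12T10:15:40Z 10.0.0.31 A KillSwitch.example.invalid.
2017-05-12T10:16:02Z 10.0.0.7 AAAA mail.example.invalid
this line is malformed and is skipped
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname) from the log, skipping malformed lines.

    Names are lower-cased and any trailing dot removed so matching is exact.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _qtype, qname = parts
        yield ts, client, qname.rstrip(".").lower()


def killswitch_queriers(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to its first query time.

    The query itself is the signal: a host only asks for this name if the
    sample has run on it. Whether an answer came back (and so whether the
    worm stopped spreading from that host) is a separate question.
    """
    first_seen = {}
    for ts, client, qname in parse_dns_log(text):
        if qname == domain.lower() and client not in first_seen:
            first_seen[client] = ts
    return first_seen


def exposure(host):
    """Rank a host's exposure to the SMBv1 exploit from its inventory record."""
    if not host.smbv1_enabled:
        return "low"          # protocol off: the exploit has nothing to talk to
    if host.os in UNSUPPORTED_OS and not host.patched:
        return "critical"     # unsupported OS with no fix applied
    if not host.patched:
        return "high"         # supported OS, fix available but not applied
    return "medium"           # fixed, but the legacy protocol is still enabled


def triage(inventory):
    """Return {hostname: exposure level} for the whole inventory."""
    return {h.name: exposure(h) for h in inventory}


if __name__ == "__main__":
    for client, ts in sorted(killswitch_queriers(DNS_LOG).items()):
        print(f"possible infection: {client} first queried kill-switch at {ts}")
    for name, level in sorted(triage(INVENTORY).items()):
        print(f"{name}: exposure {level}")
```

The two lists answer different questions: the DNS matches are hosts to isolate and image, while the exposure ranking orders the patching and SMBv1-removal work that stops the next wave. A host marked "medium" is patched but still speaks SMBv1, which is why the protocol itself, not only the fix, belongs on the list.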
Relative disaster has been averted, and the prophecy of cybercrime causing a significant loss-of-life event has yet to be fulfilled. Could this be the serendipitous signal to the world, board rooms and leaders that more needs to be done to avert worse? WannaCry was clever but not unpreventable. Ransomware has been an increasing annoyance to the IT security community for years, but never on this scale. Generally ignored or paid off, ransomware has until now struggled to get the level of attention afforded to WannaCry.
Now that it has shown its teeth, it’s time for the world to wake up and focus on prevention and response. We live in an electronic world and priorities need to reflect that before WannaCry v2 rears its head.