In May of 2017, the ransomware worm WannaCry spread quickly across a number of computer networks. After infecting a Windows machine, the ransomware encrypts files on the hard drive, rendering them inaccessible to users, and then demands a bitcoin ransom payment to decrypt them.
WannaCry’s initial spread was notable for a number of reasons: it hit a number of important and high-profile systems, including many in the United Kingdom’s National Health Service; it exploited a Windows vulnerability thought to have been discovered first by the US National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group.
What is WannaCry ransomware and how does it work?
The WannaCry ransomware is made up of several parts. It arrives as a dropper, a self-contained programme that extracts the other application components embedded within itself onto the infected computer. These components include:
- A programme that encrypts and decrypts data.
- Files containing the encryption keys.
The programme code is not obfuscated, so it was relatively easy for security experts to analyse. WannaCry begins by attempting to reach a hard-coded URL (the so-called kill switch); if it cannot, it searches for and encrypts files in a variety of important formats, including Microsoft Office documents, MP3s and MKVs, rendering them inaccessible to the user. It then displays a ransom note demanding $300 in Bitcoin to decrypt the data.
How does WannaCry infect computers?
WannaCry’s attack vector is more interesting than the ransomware itself. WannaCry takes advantage of a flaw in Windows’ implementation of the Server Message Block (SMB) protocol. SMB lets different nodes on a network communicate with each other, and specially crafted messages could trick Microsoft’s implementation into executing arbitrary code.
The US National Security Agency is thought to have found the flaw and built code to exploit it, dubbed EternalBlue, rather than disclosing it to the information security community. On April 8, 2017, a hacking group known as the Shadow Brokers, having stolen this exploit, released it in a seemingly political Medium post. Microsoft had found the weakness a month earlier and shipped a fix, but many systems remained vulnerable, and WannaCry, which used EternalBlue to infect PCs, began spreading rapidly on May 12. After the outbreak, Microsoft chastised the US government for not disclosing its knowledge of the flaw sooner.
Even once it has infected a computer, WannaCry does not immediately begin encrypting files. That is because, as noted above, it first tries to reach a very long, nonsensical URL. If it can reach that domain, WannaCry shuts down. It is not entirely clear what this functionality is for. Some experts believe it was meant as a way for the malware’s designers to stop the attack. Marcus Hutchins, the British security researcher who discovered that WannaCry was trying to visit this URL, believes it was meant to make analysis harder: many researchers run malware in a “sandbox” environment in which every URL or IP address appears reachable, so by hard-coding a check against a domain that was not expected to exist, WannaCry’s creators could make the malware exit before doing anything observable inside a sandbox, hiding its real behaviour from researchers.
Hutchins not only uncovered the hard-coded URL but also paid $10.96 to register the domain and set up a website there, which helped slow, though not stop, the malware’s spread. Hutchins was arrested in 2014 for allegedly creating other malware, shortly after being hailed as a hero for this. He has maintained that he is innocent.
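As an added example (not code from the article), the two behaviours described above, the kill-switch domain lookup and worm-style spreading over SMB, can be turned into a simple triage check over DNS and connection logs: a host that looked up the kill-switch domain ran WannaCry even if the check made it exit, and a host fanning out to many peers on TCP/445 is behaving like the worm. The kill-switch domain below is a placeholder, since the article does not name it, and the log lines and their format are constructed samples.

```python
# Added example (not from the article): triage DNS and connection logs for two
# WannaCry indicators. Kill-switch domain is a placeholder; logs are constructed.
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder for the real hard-coded domain
SMB_PORT = 445
SCAN_THRESHOLD = 5  # distinct TCP/445 peers before we call it worm-like scanning

# Constructed sample logs: "<ts> <host> dns <qname>" or "<ts> <host> conn <dst_ip>:<dst_port>"
SAMPLE_LOGS = """\
2017-05-12T07:44:01Z 10.0.0.5 dns killswitch.example
2017-05-12T07:44:02Z 10.0.0.5 conn 10.0.0.9:445
2017-05-12T07:45:10Z 10.0.0.7 conn 10.0.0.1:445
2017-05-12T07:45:11Z 10.0.0.7 conn 10.0.0.2:445
2017-05-12T07:45:12Z 10.0.0.7 conn 10.0.0.3:445
2017-05-12T07:45:13Z 10.0.0.7 conn 10.0.0.4:445
2017-05-12T07:45:14Z 10.0.0.7 conn 10.0.0.6:445
2017-05-12T07:45:15Z 10.0.0.7 conn 10.0.0.8:445
2017-05-12T07:46:00Z 10.0.0.9 conn 10.0.0.10:443
2017-05-12T07:46:30Z 10.0.0.9 dns updates.example
"""

def triage(log_text):
    """Return {host: set(reasons)} for hosts showing either indicator:
    - a DNS lookup of the kill-switch domain: WannaCry executed on that host
      (if the domain answered, it exited before encrypting, but the host still
      needs cleanup);
    - outbound TCP/445 to many distinct peers: worm-style SMB spreading."""
    smb_peers = defaultdict(set)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, kind, value = line.split()
        if kind == "dns" and value.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            findings[host].add("kill-switch lookup")
        elif kind == "conn":
            dst_ip, dst_port = value.rsplit(":", 1)
            if int(dst_port) == SMB_PORT:
                smb_peers[host].add(dst_ip)
    for host, peers in smb_peers.items():
        if len(peers) >= SCAN_THRESHOLD:
            findings[host].add(f"smb fan-out to {len(peers)} peers")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_LOGS).items()):
        print(host, sorted(reasons))
```

A single TCP/445 connection (10.0.0.5 above) stays below the threshold, so ordinary file-share traffic is not flagged; only the kill-switch lookup marks that host.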
The WannaCry patch
Surprisingly, the patch needed to stop WannaCry infections was available before the attack: on March 14, 2017, Microsoft released Security Bulletin MS17-010, which updated Windows’ implementation of the SMB protocol to close the hole that EternalBlue exploits. Despite Microsoft rating the patch as critical, many systems remained unpatched as of May 2017, when WannaCry began its rapid spread.
For infected, unpatched computers there is little to be done beyond restoring files from a secure backup, so take this as a lesson to always back up your files. While people monitoring the bitcoin wallets named in the extortion message report that some victims are paying the ransom, there is little evidence that they are getting their files back.
WannaCry and Windows 10
As noted above, Microsoft published a patch for the SMB vulnerability used by WannaCry two months before the attack. While unpatched Windows 10 systems were vulnerable, the operating system’s automatic update feature meant that practically all Windows 10 PCs were protected by May 2017.
The Microsoft SMB fix was initially available only for Windows versions still under support, which excluded Windows XP. Because there are still millions of internet-connected Windows XP systems (including at the UK’s National Health Service, where many WannaCry infections were reported), Microsoft eventually made the SMB patch available for older versions of the OS as well. However, a later investigation found that the great majority of WannaCry infections occurred on devices running Windows 7, which Microsoft continues to support.
Symantec points to the Lazarus Group
After the initial confusion subsided, a number of security researchers began investigating WannaCry’s origins. Symantec took a bold stance, claiming that the code may have originated in North Korea. In a blog post they laid out the evidence, including a little-known fact: WannaCry had been circulating for months before it erupted across the internet on May 12, 2017. That earlier version of WannaCry used stolen credentials to launch targeted attacks, and there were “significant commonalities in the attackers’ tools, strategies, and infrastructure” between it and the Lazarus Group’s.
The Lazarus Group is a hacking collective linked to North Korea. It began in 2009 with basic DDoS attacks on South Korean government servers and has since grown more sophisticated, hacking Sony and robbing banks.
On the other hand, because malware code is freely copied among many groups, it is impossible to determine for certain whether the original wave of WannaCry attacks or the later EternalBlue-driven explosion was ordered by North Korea without an official claim of responsibility.
WannaCry is still around, but causing fewer tears
Despite all of the attention, and the patches and recommended practices to help prevent it, WannaCry continues to infect computers. Boeing was hit by a suspected WannaCry attack in March 2018, though the company said it caused only minor damage, affecting a few pieces of production equipment. Boeing was able to halt the attack and quickly restore the affected systems.
Boeing could recover so quickly because patches for the vulnerabilities exploited by WannaCry were widely available. The fact that they were not in place before the attack explains why WannaCry is still causing havoc more than a year later: patching is a difficult task for most businesses.
WannaCry variants, or more precisely new malware built on the same EternalBlue code as WannaCry, pose a greater threat today. ESET published research in May 2018 showing that detections of EternalBlue-based malware had surpassed their 2017 peak. Detections of EternalBlue-based attacks fell to a few hundred per day shortly after WannaCry, then gradually increased until peaking in April.
Because all EternalBlue-based malware targets the same Windows vulnerability, the rising frequency of these attacks indicates that there are still a great many unpatched Windows systems out there, and it is only a matter of time before an attacker finds them.