Let’s Talk About “Wannacry” Ransomware

Well what an eventful weekend it has been in the IT world. News stations around the world covering what will surely be considered the “Melissa Virus”, “Storm Worm”, “Conficker”, etc… of 2017, and it may not be over yet. I can’t say I didn’t see it coming, it was only a matter of time before someone took advantage of businesses on a global scale who were too ignorant, uneducated, or cheap to focus on securing some of their most valuable assets. The leaking of NSA tools just seemed to be the perfect time for hackers to do so. I don’t want that to come across as bitter, just blunt. Truthfully most businesses seem to only be concerned with IT security once they have been affected as a reactive measure, or if some compliance requires it.

Anyways lets focus on the facts more and my opinions less for a little bit here. So what exactly happened? We can lay this out on a timeline (roughly) to keep things easy on the eyes. So lets do that.

*This is just a quick overview and by no means covers every “step along the way”, but it will help us understand the buildup of technologies and threats that were combined to enable such a devastating attack.*

2005– Ransomware is declared the most plentiful and effective form of malware after outnumbering other forms of “generic” data breaches.

2013– Cryptolocker gives ransomware a “new face” by encrypting sensitive data and demanding cryptocurrency (Bitcoins) in exchange for a key to decrypt the data back to it’s usable format.

2016– LOcky, one of the many variants of Cryptolocker targets many, but finds that targets with “necessary” systems are almost instantly profitable. A few hospitals in the US and internationally are recognized as the “best” of those targeted for this exact reason.

April 14, 2017– A group of hackers on the web (ShadowBrokers) leak a collection of tools used by the NSA. Microsoft comes forward and says that they had patched these exploits prior to the leak with a “critical” classified update (on March 14th, 2017) and urges businesses to update their Windows machines if they had not already.

May 12, 2017– Wannacry Ransomware strikes! It infects over 200,000 machines in about 150 countries in its path of destruction! Like many previous versions of Ransomware it was spread through phishing attacks, tricking people to click links in emails, or open infected attachments, often PDFs. However, what truly made Wannacry so effective was the use of the NSA tools leaked in April. EternalBlue seems to be the main tool from within the leaked bunch that was utilized in spreading the attack. This tool exploits a flaw in SMB(server message block), a protocol used in almost every modern business, as it enables shared-file infrastructure to function on a network. EternalBlue acted as the “way in” and the Cryptolocker was the actual payload once in a network, encrypting millions of sensitive files. It is likely these targets were chosen based on the success and financial gain of those behind LOcky. Bottom line is hospitals and other major businesses can/should have no network downtime, they will pay fast and move on. Or at least that’s the hackers logic here.

May 12, 2017 (later that day..)– This is where the story takes an almost Hollywood style turn. A 22 year old named Marcus Hutchins, who loves surfing and pizza, and “works when he wants”, found what is being referred to as a “kill-switch” for the rapidly spreading malware. While reviewing a sample of the code in his small bedroom inside his parents house he found something out of place. It appeared that the malware looked to a specific domain/web address. If that web address responded and was registered, the malware wouldn’t encrypt files. When Marcus checked out the domain he found it wasn’t registered and for about $10, he could register the domain name; essentially stopping the encryption from spreading. He points out it most likely will only be a matter of time before this kill-switch is removed by hackers for the next more damaging version of this Ransomware, so updating your PC’s is very critical. He also is now working with government to hopefully prevent this sort of things from happening again. Way to be an IT rock-star Marcus! Very impressive and inspirational work!

There are some serious lessons to be learned here….

  • UPDATES ARE IMPORTANT! They may seem irrelevant, annoying, or pointless. But they are keeping you safe, or at least your data. Every single machine infected via the EternalBlue SMB exploit could have been safe had it just had 1 simple update.
  • Backups– Backing up your data is critical. There are various type of backups and ways to backup. Picking an appropriate backup is on you, but just know any backup is much better than no backup. If all your files get encrypted, you will at least have a non-encrypted version backed up.
  • Do NOT pay unless you have NO CHOICE– If you are the victim of a Cryptolocker, do not pay the hackers! They are going to invest a good chunk of this money into the next bigger and stronger attack. There’s also a chance they take your money and run. Lastly, if you pay, it’s likely they will remember you for next time. If there are business or legal reasons you need to pay, then you are in a tough situation and may have to resort to paying and crossing your fingers that these malicious hackers have enough moral fiber to stand true to their word. You tell me how likely that sounds…
  • In this specific case the mitigation steps would have been….
    1. Install MS17-010, the Windows update that prevents EternalBlue from working.
    2. Never open emails you were not expecting. Treat email like the phone in a sense… if someone calls you and says hey, I’m your locksmith, I need your house keys to fix your locks. Please send them to me at this address… you wouldn’t send the keys just because someone asked would you? Email is the same… someone might try to convince you that clicking a link, opening an attachment, or giving them personal information will be in your best interest. But it will not be 9.99 times out of 10.
  • Sophos Intercept X– Ok so there is a few vendors that provide technologies from what I understand, that will prevent Cryptolockers in a way that traditional anti-malware cannot. I just happen to be familiar with Intercept X as I’ve used it with customers of mine. It’s a pretty nifty program that stops file encryption when caught, and reverses it preventing all damage to your files. This is currently targeted more for businesses than home use, but like with all technology it will become more available in time. There may even be home use anti-cryptolocker solutions already that I’m just not aware of.

I was actually considering doing a little article on some of the NSA leaked tools as I played with them a little bit when they were first leaked, but this has solidified the idea. I would love to demonstrate some of the scripts and tools associated with the leak. EternalBlue was just one of the tools packaged up in a MetaSploit-style interface called FuzzBunch. It is certainly the tool with the most valuable and potential targets however which is why it was likely the one picked to help spread WannaCry.

Also worth noting, Microsoft and other security firms have publicly expressed their frustration with the NSA for not following a proper 90-day disclosure with them after finding the exploits. The attack was so bad that Microsoft actually created a patch for Windows XP an operating system they stopped patching a little over 3 years ago!

What do you think about that? Should the NSA and other security agencies follow the industry-standard disclosure? Or is keeping the “bad-guys off the streets” by allowing these vulnerabilities to exist more logical? Very interesting stuff, I cant get enough of it!

Thanks for reading!





One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s