A global wave of ransomware attacks has been the subject of much speculation over the last few days. The WannaCry ransomware wormed its way across Europe, into the UK, and around the world, wreaking havoc and shutting down clinics, payments, police forces and the like.
Although the attack is far from over, several lines of research on decryption tools and quick fixes by Microsoft have slowed, and can possibly prevent, further spread.
Overview of the Attack
WannaCry is a ransomware computer worm that targets computers running the Microsoft Windows operating system.
The “payload” works just like any modern ransomware: it finds and encrypts a range of data files, then displays a “ransom note” informing the user and demanding a payment in bitcoin. In the case of WannaCry, the software demanded a ransom of $300 in bitcoins at the time of infection. If the user didn’t pay the ransom within three days, the amount doubled to $600. After seven days without payment, WannaCry threatened to delete all of the encrypted files permanently.
However, it isn’t just confined to the infected device. As a network worm, it included a “transport” mechanism to automatically spread itself via SMB, the Server Message Block protocol typically used by Windows machines to communicate with file systems over a network. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar exploit to install and execute a copy of itself.
According to Talos, the ransomware encrypted everything in terms of connected devices:
The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.
The severity of the attack can be well gauged from the fact that all it took was one infected device to kickstart the whole malware campaign.
The Attack Timeline
The attack, which stemmed from a simple instance of malware infection, escalated to an unprecedented level within a matter of hours and had security personnel working hard to contain the damage. From individual researchers to major security firms, all tried their hand at containing an attack that had started to shut companies down around the world. Let us take a look at how it grew into a massive malware attack, probably the biggest in recent times.
12 May 2017
The first instance of WannaCry allegedly struck at around 8:24 AM London time, according to the Financial Times. A compressed zip file in an email attachment fed the first system in Europe with the malware. With each new infection, the malware communicated with an obscure web address, which later turned out to be the attack’s Achilles heel.
Because the domain was inactive, the connection failed and the code carried on without terminating. The malware then used code repurposed from the NSA’s EternalBlue exploit to understand the system’s file sharing arrangements, and began spreading across the local network and online.
Spanish mobile operator Telefonica was among the first to confirm a compromise. Several employees encountered the standard message demanding payment in bitcoins in exchange for their locked data. However, Telefonica said the impact of the attack was limited to some computers on an internal network and had not largely affected clients or services.
Health Services and Automobiles in UK Impacted
The first major wave of attacks mostly crippled health care systems across England. The National Health Service (NHS) was hit hard, with as many as 40 Trusts affected overall. A number of hospitals and clinics reported that their computer and telephone systems were inaccessible.
In a brief statement, the NHS stated no patient data had been compromised. Emergency services were called up, and up to 70,000 devices, including computers, MRI scanners, blood storage refrigerators and theater equipment, were out of operation. Moreover, the lack of IT support severely hampered appointments and critical surgeries.
Soon after, the attack spread massively, resulting in major system shut-downs. Japanese car maker and Renault partner Nissan stopped production at its plant in Sunderland. French automotive company Renault temporarily suspended its operations at sites as a precaution.
Microsoft’s Quick Response
Microsoft had, surprisingly, previously patched the SMB vulnerability, but it had only secured the current platforms since Microsoft no longer supplies mainstream security patches for older versions of Windows. NHS and other major global organizations that still relied on the outdated Windows XP were thus left vulnerable.
However, Microsoft made an exception to its policy. With the ransomware attack amassing nearly 200,000 victims, Microsoft quickly released a new patch for the older systems, namely Windows XP, Server 2003 and Windows 8. Their blog clearly spelled out the steps every individual and business should take to stay protected.
The Killswitch Discovery
It was by sheer luck that Marcus Hutchins, a 22-year-old independent infosec researcher going by the name MalwareTech, discovered that the ransomware tried to connect to an unregistered domain name. The domain name – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – seemed like an odd, hand-typed combination. This provided an opening for possible circumvention and seemed counter-intuitive to the goal of infecting as many machines as possible.
All it took was registering the domain: WannaCry stopped the installation process when it discovered that the domain name was registered. Of course, this temporary solution only worked with the domain name that MalwareTech had registered.
While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.
Analysis of the kill switch suggested that it may, in fact, be a bug in the malware whose code was originally intended to make the attack harder to analyze.
However, the kill switch domain needs to be available locally, and the response must be able to reach the malware to effectively work. Some network configurations may prevent the kill switch from working.
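One way to test, from inside a given network segment, whether the kill-switch lookup would succeed for hosts there. This is an added example, not code from MalwareTech or from any analysis cited here; it assumes the check is a plain HTTP request on port 80 made directly from the host, and the function names are hypothetical.

```python
# Added illustration: does the kill-switch domain resolve AND answer over HTTP
# from this network segment? Both must work for the kill switch to trigger.
import http.client
import socket

KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain quoted on this page


def resolve(host):
    """Return the first IPv4 address for host, or None if DNS resolution fails."""
    try:
        return socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None


def fetch(host, ip, timeout=5.0):
    """Direct HTTP GET to ip with 'Host: host' (no proxy). Return status or None."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def kill_switch_verdict(host=KILL_SWITCH, resolver=resolve, fetcher=fetch):
    """Classify where, if anywhere, the local network breaks the kill switch."""
    ip = resolver(host)
    if ip is None:
        return "BLOCKED_DNS"    # e.g. a DNS filter refusing the odd-looking domain
    if fetcher(host, ip) is None:
        return "BLOCKED_HTTP"   # e.g. egress firewall, or proxy-only web access
    return "REACHABLE"


if __name__ == "__main__":
    print(kill_switch_verdict())
```

Any verdict other than REACHABLE means hosts on that segment would not see the response, so the network configuration needs an exception for this domain.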
13 May 2017
Attacks Rise, Governments Fall
By now, 75,000 systems had been infected by WannaCry in 99 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India, and Taiwan. It had also caused disruption to the railways in Germany and payments systems at petrol stations across China, and FedEx had its logistics operations affected. Attacks had also been launched on the Russian interior ministry, which reported roughly 1,000 computers affected.
A list of all affected organizations and sectors has been made available. Due to the sheer enormity of the attack, it is reasonable to expect a scramble for solutions. Needless to say, security companies saw their share prices rise as investors rushed to buy into cyber security firms after the attacks.
14 May 2017
Speculation as the Attack Continues
Europol’s director Rob Wainwright warned that the WannaCry ransomware had reached 150 countries and hit at least 200,000 victims. With the attack reaching an unprecedented level, several organizations began to speculate about its spread and impact.
In a statement on Microsoft’s blog, general counsel Brad Smith said that WannaCry provides “yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.
Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.
Arne Schönbohm, President of Germany’s Federal Office for Information Security (BSI), stated that “the current attacks show how vulnerable our digital society is. It’s a wake-up call for companies to finally take IT security [seriously]”.
A number of experts used the publicity around the attack as a chance to reiterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.
15 May 2017
Health Secretary Breaks Silence
Health secretary Jeremy Hunt appeared on Sky News to comment on the attacks after having been accused of hiding from the issue. He said:
According to our latest intelligence we have not seen a second wave of attacks and the level of criminal activity is at the lower end of the range that we had anticipated so I think that is encouraging. But the message is very clear not just for organisations like the NHS but for private individuals for businesses.
Possible Involvement of North Korea
Google security researcher Neel Mehta noticed that large swaths of code in an early version of WannaCry were identical to code used by the Lazarus Group. The Lazarus Group is a hacking organization believed to be operating from China but with links to North Korea.
To aid further study, Mehta tweeted a road map that researchers could use to find the overlapping code. Kaspersky Lab noted that the matching code was removed from later versions of the ransomware, which they believe would be unlikely if it had been intended to throw researchers off the scent of the real criminals.
Although this observation was significant, Symantec researcher Eric Chien warned that it might only be a “temporal link”, and no credible conclusion can be drawn from it.
16 May 2017
ShadowBrokers Threaten to Release More Tools
The ShadowBrokers, the group behind the original leak of EternalBlue developed by American spy agency the NSA, promised more leaks to come starting from June this year. They claimed to have a new collection of tools and vulnerabilities aimed at the newer software, including Windows 10.
In their blog post, the group said they had more Ops Disks, which were apparently stolen from the NSA. This included exploits for web browsers, routers, smartphones, data from the international money transfer network Swift and “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs”.
The group promises monthly releases of such tools, but the motive behind the releases remains a mystery. However, it is clear that they intend to hand over their alleged tools for a price to any willing party.
In her analysis of the Shadow Brokers’ threat, independent security researcher Marcy Wheeler wrote that “simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government”.
Microsoft said that it was aware of Shadow Brokers’ most recent claim and that its security teams monitor potential threats in order to “help us prioritize and take appropriate action”.
18 May 2017
BT Customers Receive Phishing Mails
In light of the WannaCry attacks, BT customers were targeted with a phishing scam that tried to trick users into accepting a fake temporary remedy for the malware.
The fraudulent emails warn customers that BT is updating its systems to protect its customers from such attacks. They ask recipients to confirm a security upgrade that gives it “temporarily limited access to profile features that contain sensitive data”.
The message, like any phishing mail, asks users to provide personal information, something a company would never request for an upgrade. Employees have been warned, and companies are sending out legitimate emails of reassurance.
WannaKey and WanaKiwi: Decryption Tools Released
Adrien Guinet, a French security researcher from Quarkslab, was able to decrypt an infected computer running Windows XP by discovering the prime numbers that made up the WannaCry private key. This private key is what a ransomware victim needed to buy from the attackers to regain access to locked files.
He found that when WannaCry infects a system, it generates encryption keys based on prime numbers. On Windows XP, CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory.
So, if the infected system had not been rebooted, those primes would still be available for decryption.
Guinet’s tool recovers the primes by searching for them in the memory of the wcry.exe process, which is the process that generates the RSA private key.
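The recovery idea described above, as an added example that is not WannaKey's code: scan a memory dump for a value that divides the public modulus, then rebuild the private exponent from it. The dump, the 127-bit toy key and all names are constructed for illustration, and little-endian storage of the primes is an assumption.

```python
# Added illustration (not WannaKey's code): rebuild an RSA private exponent
# from a prime factor left un-wiped in a process memory dump.

def find_prime_in_dump(dump: bytes, n: int):
    """Return (offset, p) for the first window in dump that divides n, else None.

    Assumes primes are stored little-endian and are half the modulus length.
    """
    prime_len = (n.bit_length() + 7) // 8 // 2
    for off in range(len(dump) - prime_len + 1):
        cand = int.from_bytes(dump[off:off + prime_len], "little")
        if cand > 1 and n % cand == 0:    # a nontrivial divisor of n is p or q
            return off, cand
    return None


def private_exponent(n: int, e: int, p: int) -> int:
    """Rebuild d from one recovered prime: q = n / p, d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+


# --- Constructed toy data (the page's keys are 2048-bit, so primes are 1024-bit) ---
P = 2**64 - 59           # largest prime below 2^64
Q = 2**63 - 25           # largest prime below 2^63
N, E = P * Q, 65537      # the public key, which is not secret
FILLER = bytes((i * 37 + 11) % 256 for i in range(300))
P_OFFSET = len(FILLER)
# Simulated freed heap: unrelated bytes, the un-wiped prime, more unrelated bytes.
DUMP = FILLER + P.to_bytes(8, "little") + FILLER[::-1]


def recover_and_decrypt(ciphertext: int, dump: bytes = DUMP):
    """Decrypt with the rebuilt key, or return None if no prime survives in dump."""
    hit = find_prime_in_dump(dump, N)
    if hit is None:      # memory already reused, or the machine was rebooted
        return None
    _, p = hit
    return pow(ciphertext, private_exponent(N, E, p), N)


if __name__ == "__main__":
    secret = 0x5345435245544B4559  # constructed stand-in for an encrypted file key
    print(hex(recover_and_decrypt(pow(secret, E, N))))
```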
The decryption tool, dubbed WannaKey, has been released for public use, but has not been tested on a large scale yet. As of now, this fix only works on Windows XP machines, which, contrary to the initial reports, were probably not badly hit.
Another security researcher, Benjamin Delpy, released “WanaKiwi,” an easy-to-use decryption tool based on Guinet’s findings. Victims need to download the WanaKiwi tool from GitHub and run it on their affected Windows computer using the command line.
WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, as confirmed by Matt Suiche of Comae Technologies. However, it does not work on every system owing to dependencies. Demonstrations have been provided showing how to use WanaKiwi to decrypt your files.
The malware presented three Bitcoin addresses for the transaction. Considering the sheer enormity of the attack, it is no wonder that a considerable amount of ransom was paid by harried users.
|Address||Total transactions||Amount paid (in bitcoins)|
The payments amounted to a total of 45.96652942 BTC (equivalently, $85,833.13 USD). While users initially held off paying because of the three-day window, transactions went up as the D-day drew closer.
A live Twitter bot keeps track of all transactions on the three accounts, with a totals update every two hours.
The attack reiterates the need for safety precautions like backing up systems and keeping devices up to date. It is necessary that all users follow these norms to protect themselves from further risks.