A massive cyberattack has struck computers all over the world. The highly virulent self-replicating ransomware — known as WanaCryptor, Wannacry, or Wcry — has in part appropriated a National Security Agency (NSA) exploit released into the wild last month by a hacking group known as The Shadow Brokers.
The ransomware is thought to have infected at least 100,000 computers, according to antivirus developer Avast. The attack predominantly hit Russia, Ukraine, and Taiwan, but spread to major institutions across at least 99 other countries. Aside from demanding $300 (around 0.17 Bitcoin at the time of writing), the infection is also notable for its multilingual approach to securing the ransom: the malware supports more than two dozen languages.
What Is Going On?
WanaCryptor is causing massive, almost unprecedented disruption. The ransomware is affecting banks, hospitals, telecommunications, power utilities, and other mission-critical infrastructure.
In the U.K. alone, at least 40 NHS (National Health Service) Trusts declared emergencies, forcing the cancellation of important surgeries, as well as undermining patient safety and security and almost certainly leading to fatalities.
WanaCryptor first emerged in February 2017. The initial version of the ransomware changed affected file extensions to “.WNCRY” and marked each file with the string “WANACRY!”
WanaCryptor 2.0 is spreading rapidly between computers using an exploit associated with the Equation Group, a hacking collective closely associated with the NSA (and heavily rumored to be its in-house “dirty” hacking unit). Respected security researcher Kafeine confirmed that the exploit known as ETERNALBLUE, which targets the vulnerability patched in MS17-010, was likely to have featured in the updated version.
WannaCry/WanaCrypt0r 2.0 is indeed triggering ET rule 2024218 "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response" pic.twitter.com/ynahjWxTIA
— Kafeine (@kafeine) May 12, 2017
This ransomware outbreak is different from what you may have already seen (and, I hope, not experienced). WanaCryptor 2.0 combines the leaked SMB (Server Message Block, the Windows network file sharing protocol) exploit with a self-replicating payload, allowing the ransomware to spread from one vulnerable machine to the next. This ransom-worm cuts out the usual ransomware delivery method of an infected email, link, or other user action.
Adam Kujawa, a researcher at Malwarebytes told Ars Technica “The initial infection vector is something we are still trying to find out… Considering that this attack seems targeted, it might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. Regardless, it is spreading through infected networks using the EternalBlue vulnerability, infecting additional unpatched systems.”
WanaCryptor is also leveraging DOUBLEPULSAR, another leaked NSA tool. This is a kernel-level backdoor used to inject and run malicious code remotely. The infection scans for hosts previously implanted with the backdoor and, when it finds one, uses the existing functionality to install WanaCryptor. Where the host system has no DOUBLEPULSAR backdoor, the malware falls back on the ETERNALBLUE SMB exploit to get in.
Critical Security Update
The massive leak of NSA hacking tools made headlines around the globe. It is immediate and unrivalled evidence that the NSA collects and stockpiles unreleased zero-day exploits for its own use. As we have now seen, that stockpile poses an enormous security risk when it leaks.
Fortunately, Microsoft patched the vulnerability exploited by ETERNALBLUE in March, before the Shadow Brokers’ weapons-grade exploit trove hit the headlines. Given the nature of the attack, the fact that we know this specific exploit is in play, and the speed of infection, it would seem a huge number of organizations failed to install the critical update — more than two months after its release.
Ultimately, affected organizations will want to play the blame game. But where should the finger point? In this case, there is enough blame to share around: the NSA for stockpiling dangerous zero-day exploits, the malefactors who updated WanaCryptor with the leaked exploits, the numerous organizations that ignored a critical security update, and further organizations still using Windows XP.
That people may have died because organizations found the burden of upgrading their primary operating system too great is simply startling.
Microsoft has immediately released a critical security update for Windows Server 2003, Windows 8, and Windows XP.
Am I at Risk?
WanaCryptor 2.0 spread like wildfire. In a sense, people outside the security industry had forgotten how rapidly a worm can spread, and the panic it can cause. In this hyper-connected age, combined with crypto-ransomware, the malware purveyors were onto a terrifying winner.
Are you at risk? Luckily, before the United States woke up and went about its computing day, MalwareTechBlog found a kill switch hidden in the malware code, curtailing the spread of the infection.
The kill switch involved a very long, nonsensical domain name — iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — that the malware makes a request to before doing anything else.
So I can only add "accidentally stopped an international cyber attack" to my Résumé. ^^
— MalwareTech (@MalwareTechBlog) May 13, 2017
If the request comes back live (i.e. the domain resolves and accepts the request), the malware doesn’t infect the machine. Unfortunately, that doesn’t help anyone already infected. The security researcher behind MalwareTechBlog registered the address to track new infections via their requests, not realizing it was the emergency kill switch.
Unfortunately, there is the possibility that other variants of the ransomware exist, each with its own kill switch (or none at all, as the case may be).
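Both behaviours described above are visible on the network: a DNS query for the kill-switch domain means a host ran the payload, and a burst of outbound TCP/445 connections to many distinct hosts is the worm scanning for its next victim. The following is an added Python example, not code from the article, that flags both in constructed DNS and firewall log lines; the log formats, field names and the fan-out threshold are assumptions for this example.

```python
import re
from collections import defaultdict

# Kill-switch domain quoted in the article. A lookup for it means the
# WanaCryptor 2.0 payload executed on that host (it checks before infecting).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# Distinct destinations on TCP/445 from one source before we call it scanning
# (threshold chosen for this example; tune to the size of your segments).
SMB_FANOUT_THRESHOLD = 20

# Assumed log formats (constructed for this example, not a real product's format).
DNS_RE = re.compile(r"^(?P<ts>\S+) dns src=(?P<src>\S+) query=(?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def analyze(log_lines):
    """Return (hosts that queried the kill-switch domain, hosts fanning out on 445)."""
    killswitch_hosts = set()
    smb_targets = defaultdict(set)  # source -> distinct destinations on 445
    for line in log_lines:
        m = DNS_RE.match(line)
        if m:
            # Normalise trailing dot and case so "DOMAIN.COM." still matches.
            if m["qname"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
                killswitch_hosts.add(m["src"])
            continue
        m = FW_RE.match(line)
        if m and m["dport"] == "445":
            smb_targets[m["src"]].add(m["dst"])
    scanners = {src for src, dsts in smb_targets.items() if len(dsts) >= SMB_FANOUT_THRESHOLD}
    return killswitch_hosts, scanners


# Constructed sample log: 10.0.0.9 queries the kill-switch domain (and, with the
# domain registered, stops there); 10.0.0.7 sweeps a /24 on port 445; 10.0.0.5
# talks to a single file server, which is normal SMB traffic.
SAMPLE_LOG = [
    "2017-05-12T10:00:01Z dns src=10.0.0.5 query=www.example.com",
    "2017-05-12T10:00:02Z dns src=10.0.0.9 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
] + [f"2017-05-12T10:01:{i:02d}Z fw src=10.0.0.7 dst=10.0.1.{i} dport=445" for i in range(1, 41)] + [
    "2017-05-12T10:02:00Z fw src=10.0.0.5 dst=10.0.0.100 dport=445",
    "2017-05-12T10:02:01Z fw src=10.0.0.5 dst=10.0.0.100 dport=445",
]

if __name__ == "__main__":
    ks, sc = analyze(SAMPLE_LOG)
    print("kill-switch lookups from:", sorted(ks))
    print("SMB scanners:", sorted(sc))
```

A host on the kill-switch list still ran the malware and should be isolated and patched even though it did not encrypt anything; a host on the scanner list is actively trying to spread.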
The vulnerability can also be mitigated by disabling SMBv1. Microsoft provides a thorough tutorial on how to do this for Windows and Windows Server. On Windows 10, this can be quickly achieved by pressing Windows key + X, selecting PowerShell (Admin), and pasting the following command:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
SMBv1 is an old protocol. More recent versions (SMBv2 and SMBv3) are not vulnerable to the exploit used by the WanaCryptor 2.0 variant.
In addition, if your system has updated as normal, you’re unlikely to feel the direct effects of this particular infection. That said, if you had an NHS appointment cancelled, banking payment gone awry, or a vital package failed to arrive, you’ve been affected, regardless.
And a word to the wise: a patch doesn’t always do the job if it never gets installed. Conficker, anyone?
What Happens Next?
In the U.K., WanaCryptor 2.0 was initially described as a direct attack on the NHS. This has been discounted. But the issue remains that hundreds of thousands of individuals experienced direct disruption due to malware.
The malware bears the hallmarks of an attack with drastically unintended consequences. Cybersecurity expert Dr. Afzal Ashraf told the BBC that “they probably attacked a small company assuming they would get a small amount of money, but it’s got into the NHS system and now they have the full power of the state against them — because obviously, the government cannot afford for this sort of thing to happen and be successful.”
It isn’t just the NHS, of course. In Spain, El Mundo reports that 85 percent of computers at Telefonica were affected by the worm. FedEx confirmed it had been affected, as did Portugal Telecom and Russia’s MegaFon. And that is without considering the major infrastructure providers.
Two Bitcoin addresses created to receive ransoms now contain a combined 9.21 BTC (around $16,000 USD at the time of writing) from 42 transactions. Also corroborating the “unintended consequences” theory is that the Bitcoin payments carry no identifier tying them to a particular infected system.
Maybe I am missing something. If so many Wcry victims have the same bitcoin address, how are the devs able to tell who paid? Something’s ??.
— BleepingComputer (@BleepinComputer) May 12, 2017
So what happens next? The cleanup process begins, and affected organizations count their losses, both financial and data-based. Furthermore, affected organizations will take a long, hard look at their security practices and — I truly, truly hope — update, leaving the antiquated and now dangerous Windows XP operating system behind.
Were you directly affected by WanaCryptor 2.0? Have you lost data, or had an appointment cancelled? Do you think governments should force mission-critical infrastructure to upgrade? Let us know your WanaCryptor 2.0 experiences below and give us a share if we’ve helped you out.