Looking inside the recent worldwide ransomware attack.
In the last few days, the computing world experienced one of the largest cyber attacks. Reports to date indicate that the Wanna Cry ransomware has infected Windows 10 computers in more than 100 countries. It has successfully attacked computers in Britain’s National Health Service (NHS), causing a number of hospitals to delay surgeries and to put their emergency departments on bypass, as they could not access patient files.
Typically, many media outlets across the globe have grabbed at this story and talked it up, providing unnecessary hype. Even the media here in Australia are trying to frame this as a cyber attack on Britain’s hospitals, because it gets their articles exposure. But what is the real truth behind this?
What is this malware?
The name of this malware is “Wanna Cry” (or “WannaCry”), also called “WannaCryptor” and “WannaDecryptor”. It is a form of ransomware, but it is different to many other ransomware attacks.
It has the same effect as other ransomware attacks – the desktop PC is infected, copies of the user’s data files are encrypted rendering them worthless to the owner without the decryption key. The perpetrators may unlock the files with their decryption key in exchange for a ransom payment, but there is no guarantee that they will play nice.
How this attack differs from other ransomware is in its method of delivery. Most ransomware to date has been delivered like a poisoned sweet – a link in an email or webpage, that when clicked downloads the malware to the user’s computer. Wanna Cry however uses its NSA heritage to advantage – it is essentially a weaponised form of ransomware, that seeks out vulnerable computers and chooses to attack them. Further to this, Wanna Cry also exhibits worm-like behaviour, using infected PCs to search for other vulnerable PCs on their network for more attacks to occur – essentially it is capable of pack hunting.
The ransomware payload is also quite advanced. It is reportedly capable of encrypting users’ files that are on connected external hard drives (including thumb drives), and on cloud storage such as Dropbox and OneDrive.
Was it a targeted attack?
Given that Windows computers in more than 100 countries around the globe have been infected within a short period of time, this suggests that the NHS was not specifically targeted. Malware researchers have been able to determine that the heart of Wanna Cry is an exploit developed by the NSA, which was leaked to the world by the hacker group known as the Shadow Brokers. To put it simply, an exploit is a tool made specifically to break into computers that have a pre-existing vulnerability. All the computers that have been infected would have shared this vulnerability: they were Windows computers, they did not have the most recent patches, and their anti-malware applications did not detect and stop the Wanna Cry attack.
So what can we say for certain about the targets of this attack? Anyone with an unpatched Windows 10 system.
Can we rule out this being an attack against British hospitals? No, but it would appear to be a less likely scenario. Given how the attack was carried out, it would appear that the hackers who conducted the attack were prototyping what they could do, finding out who was vulnerable.
Has the attack stopped?
Yes, for now. A malware researcher investigating the behaviour of Wanna Cry noticed that the ransomware was reporting back to a number of servers, one of which was not part of a registered domain. To be able to track the spread of the ransomware better, he registered the domain name and set up his own server. Inadvertently, this stopped the ransomware. The ransomware had been configured not to successfully connect to a server at the unregistered domain, as if it were in a sand-boxed environment. Connecting to this new server tricked the malware into thinking that it was no longer in the sand-box, and shut it down.
This revelation could suggest that this attack was just a test. Perhaps it was perpetrated by a state-based actor (an intelligence agency for example) who wanted to see how good the tools that were liberated from the NSA were, but to still be able to kill off their test at some point. Perhaps the perpetrators were a criminal element who want to sell their new tools, giving a potential buyer a taste of what they can do. Perhaps it was a team of hackers who made some mistakes.
Either way, one thing is certain: now that the world has learned of Wanna Cry, and of the weakness in how it was used this time, you can bet that there will be future attempts to use Wanna Cry or a variation of it with the current weakness removed.
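As an added illustration of the sinkhole effect described above (my example, not part of the original post), the script below scans constructed DNS resolver log lines for hosts that looked up the kill-switch domain; the domain name and the log format are placeholders, not the real values. Hosts whose lookups only ever got NXDOMAIN queried before the domain was registered, so the payload on those machines was free to continue; hosts that got an answer reached the new server and should have stopped.

```python
import re

# Placeholder for the kill-switch domain (assumption, not the real value).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log: "timestamp client query rcode" per line.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 www.example.com NOERROR
2017-05-12T10:02:11Z 10.0.0.22 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:02:12Z 10.0.0.22 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:05:40Z 10.0.0.31 mail.example.com NOERROR
2017-05-12T16:30:02Z 10.0.0.47 killswitch-placeholder.example NOERROR
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: {"first": ts, "count": n, "resolved": bool}}.

    Any host querying this domain at all is very likely running the malware.
    resolved=False means every lookup failed (NXDOMAIN), so the payload on
    that host was free to run; resolved=True means the host reached the
    sinkhole and the malware should have shut itself down.
    """
    hits = {}
    for ts, client, qname, rcode in parse_dns_log(text):
        if qname.lower().rstrip(".") != domain:
            continue
        entry = hits.setdefault(client, {"first": ts, "count": 0, "resolved": False})
        entry["count"] += 1
        if rcode == "NOERROR":
            entry["resolved"] = True
    return hits


if __name__ == "__main__":
    for client, info in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        state = "reached sinkhole" if info["resolved"] else "NXDOMAIN only"
        print(f"{client}: {info['count']} lookup(s), first {info['first']}, {state}")
```

Feed it your own resolver logs (after adapting LINE_RE to their format) and the NXDOMAIN-only hosts are the ones to check first for an infection.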
Can my anti-malware suite stop Wanna Cry?
Reports suggest that the most recent versions of the Kaspersky Labs and BitDefender anti-malware suites are capable of stopping Wanna Cry if they have the latest malware definitions (regularly updated).
How do I protect myself from Wanna Cry?
The steps to protect you and your data from ransomware such as Wanna Cry are relatively simple, but have their costs in terms of time and money. They are however far cheaper, and will cost you less time, than falling victim to such attacks.
- Install Windows security patches, and set up automatic downloading and installation of Windows patches.
- Back up your data on offline hard drives. The ransomware will encrypt files on any connected external drive such as a USB thumb drive, as well as any network or cloud file store. So: connect your external drive or thumb drive, back up your files, then disconnect the drive. Repeat on a weekly basis, or monthly if you don't use your computer that much.
- Patch and update your software and make sure you have all Windows updates on your machine.
- Use a reputable security suite. To check for recommended products, or to see how effective your current anti-malware is, check out the Anti-Virus Comparative – Real World Protection Test results for March 2017, available at: https://www.av-comparatives.org/wp-content/uploads/2017/04/avc_factsheet2017_03.pdf
- If you still feel uncertain, or in the dark, talk with your local computer specialist.
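The offline-backup step above has a subtlety: if you connect the drive after the ransomware has already encrypted your files, a blind sync would overwrite the good backup with ciphertext. The added example below (my illustration, not from the original post) records file hashes on each run and refuses to sync when an unusually large share of the previously known files has changed; the 50% threshold and the file names are assumptions.

```python
import hashlib
import os
import tempfile

CHANGE_THRESHOLD = 0.5  # assumed: refuse to sync if over half of known files changed


def sha256_file(path):
    """Hash one file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def assess_changes(old, new):
    """Return (fraction of known files now changed or missing, their paths)."""
    if not old:
        return 0.0, []
    changed = [p for p, digest in old.items() if new.get(p) != digest]
    return len(changed) / len(old), changed


def safe_to_sync(old, new, threshold=CHANGE_THRESHOLD):
    """True when the source changed little enough to overwrite the backup."""
    return assess_changes(old, new)[0] <= threshold


def demo():
    """Constructed scenario: 4 files were backed up, then 3 get replaced the
    way mass encryption would.  Returns (changed_fraction, safe_to_sync)."""
    root = tempfile.mkdtemp()
    for i in range(4):
        with open(os.path.join(root, f"doc{i}.txt"), "w") as f:
            f.write(f"document {i}\n")
    old = build_manifest(root)  # manifest saved with the last good backup
    for i in range(3):
        with open(os.path.join(root, f"doc{i}.txt"), "w") as f:
            f.write("stand-in for ciphertext\n")
    new = build_manifest(root)
    return assess_changes(old, new)[0], safe_to_sync(old, new)


if __name__ == "__main__":
    print(demo())  # (0.75, False): do not overwrite the backup
```

Store the manifest on the backup drive itself, so that the comparison is against what the drive actually holds rather than against a file the malware could also have encrypted.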