WannaCry ransomware: Everything you need to know

WannaCry ransomware: Everything you need to know

May 14 2017 | Published by Andy Wool | Blog Foursys News Industry News

WannaCry is still a threat to UK organisations. We’ve pulled together the top information from experts around the world to give you a full debrief on the WannaCry ransomware. 

What is WannaCry (aka Wcry, WannaCrypt, Wana DeCryptor)?

WannaCry is a ransomware worm that suddenly started spreading extremely rapidly in the early hours of Friday May 12, UK time.

Despite the ransomware having lurked around in the wild for a number of weeks, the attackers tweaked the WannaCry code and released late last week. Brian Krebs reported that Lawrence Abrams, owner of the tech-help forum BleepingComputer, said WannaCry wasn’t a big player in the ransomware space until “something caused it to be spread far and wide very quickly.”

“Today, it just went nuts,” continued Abrams. “This is by far the biggest outbreak we have seen to date.”

It turned out that the ransomware worm was now designed to exploit a critical Microsoft Vulnerability, referred to as Microsoft Security Bulletin MS17-010, first made available in mid March 2017.  

Researchers at Redsocks believe that the new WannaCry variant was spammed out with a malicious link or attachment. When the user clicked on the item, the ransomware attempted to infect the Windows computer and encrypt files on the machine, promising to release them if $300 USD of Bitcoin is paid.  

WannaCry Screenshot

If there are no up-to-date backups from which to restore, paying the ransom may be the only way for an organisation to retrieve its files.

Cisco Talos published its findings on the file types that could be encrypted by the WannaCry ransomware. It includes pictures, movies, scripts, Microsoft Office file types, databases, and archived files:  

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc

While WannaCry is infecting the victim machine, it also looks for other vulnerable unpatched Windows systems and tries to infect those systems as well. This is the feature that made WannaCry spread at such lightning-fast speed.

RedSocks say “the key factor in the ‘success’ of this malware strain called WannaCry is its lateral movement within networks.”

It turns out that its rapid propagation was also the reason that malware experts were intrigued enough to inadvertently activate the so-called  “kill switch”.

What makes it different from other ransomware?

WannaCry does all the standard things that most “successful” ransomware does - once it’s active on your computer, it trawls through your files and encrypts them with a strong encryption algorithm (in this case, 2048-bit RSA, according to Talos), uses the Tor cloaking system to hide its communications, and pops up a detailed alert telling the victim how to go about paying its Bitcoin blackmail, complete with a time limit and countdown for added urgency.

Indeed, the original version of WannaCry was in every way just like the standard ransomware campaigns, the main difference being the “.wcry” extension it added to files it had encrypted.

What makes the outbreak of second version of WannaCry such big news is the way that it spreads. The main deployment method is via the MS17-010 vulnerability in SMB.

When a victim machine is infected (and assuming the so-called “kill switch” is not tripped), the malware scans the local network for other machines with SMB connections available, and attempts to exploit the vulnerability and launch a copy of itself of each on new system encountered.

This feature is what has caused such havoc in large corporate networks, where many machines are likely to be linked together using this basic Windows functionality. It also spawns a number of processes which start probing the internet, trying random IP addresses in hopes of finding more vulnerable systems and spreading to them too.

As SANS pointed out when the exploit was first released, it is far from best practice to have open SMB connections accessible from outside the network. Nevertheless, it seems inevitable that many organisations have favoured convenience over security and made such connections available for some reason or other, giving WannaCry a foothold in their network from where it spreads further internally.

Who is vulnerable?

All Windows computers that have not installed the Critical Microsoft Security Bulletin MS17-010, issued in March 2017, are vulnerable.

MS17-010 Patch

While most Windows home users have auto-update enabled by default, which means they would not be vulnerable to this ransomware threat, organisations who had not yet installed the patch on their Windows network were acutely vulnerable to it.

Firewalls blocking SMB traffic on port 445 should provide protection against the main known infection method, but it’s likely that other methods such as spam campaigns are involved and once a machine inside the network is compromised it will attempt to spread the infection internally.

Who’s most impacted: businesses or home users?

The SMB subsystem is used for file sharing between Windows systems, and is far more common in business networks than used at home.

Indeed, many versions of Windows used at home do not have SMB networking turned on; however it is entirely possible for home users with some versions of Windows to have enabled SMB-based networking to facilitate simple file sharing within their own networks (perhaps, ironically, to connect to a network-based storage system for backups). Those who have done so are likely to have taken less care in securing their setup than experienced corporate admins typically would (eg by blocking SMB connections from outside the network at the firewall level).

On the other hand, most home users are likely to have left the Windows Update settings at the default, which is to apply patches automatically as early as possible, while many business networks require testing phases or other delays before patches can be applied.

So, while it’s likely that at least some home users will be affected, businesses and organisations with large internal networks are at much greater risk.

Why would an organisation run an unpatched system?

Traditionally, managers of complex or large networks who run business-critical systems have been cautious when applying software patches to operating systems or applications.

Changes to integral systems can impact the delicate ecosystems, and many security administrators want to test the patches in a safe environment to see whether it introduces any unforeseen complications.

For this exact reason, some administrators hesitate to upgrade the operating system to new versions, and are currently running critical systems on platforms with inherently weaker security.

In other words, some administrators apply the philosophy of ‘if it ain’t broke, don’t fix it.” Or, as Troy Hunt explains in his excellent post, “there's the often the attitude of ‘well it works fine, why should I change it?’ and this is enormously dangerous.”

Organisations that choose not to patch their systems prior to testing the update have always been advised by experts to run a tight ship with a quick turnaround.

But as we know, IT security personnel are often over-worked and under-resourced, and this can lead to increased lag times between the availability and implementation of a security patch. Windows Patch MS17-010 was made available to customers by Microsoft on March 14, almost two months ago.

And, as we have seen with WannaCry and the impact it had on the NHS, there can be disastrous costs to operating an unpatched critical network.

Is WannaCry still a threat?

There have been numerous reports that a “kill switch” was built into the WannaCry attack.

This is based on the presence in the code of a URL consisting of a string of semi-random characters which, according the the Cisco Talos blog appears to have been generated by “mashing” lots of keys from the top half of a keyboard.

This could have been intended by the authors as a way for them to disable the malware should they want to. However, it seems more likely that it was designed to defeat simple analysis by malware-hunters.

Analysts often use secure systems with a “fake” internet connection to monitor and analyze malware samples - such systems are often designed to respond to requests for any web address, whether or not it exists on the real internet.

So, malware writers sometimes use a response from a known non-existent address as a tell-tale indicator that their malware is running in an analysis system. To hide from researchers, the malware may then either terminate, as in the case of WannaCry, or try to look innocent by performing some harmless action.

Either way, the presence of the URL in the WannaCry code appears to have been first spotted by a 22-year-old security researcher based in the South-West of England and working for Californian security intelligence firm Kryptos logic, identified only as “MalwareTech. ”  

He promptly registered the domain name, so  he could monitor traffic visiting the URL and try to keep track of WannaCry’s activity.

At the time, MalwareTech had no idea of the purpose of the URL, and until further details emerged, had a “mini freakout” thinking that the act of registering the domain had led to further infections.

It later emerged in more detailed analysis from MalwareBytes that the malware that the URL is indeed used as a check mechanism, and that any copy of WannaCry which successfully connects to it immediately shuts down and does no further malicious actions.

However, the activation of the “kill switch” does NOT mean that WannaCry is no longer a danger. Researcher Didier Stevens quickly spotted that the attempt to visit the URL will fail if the compromised machine accesses the internet via a proxy. Most computers inside a business network are likely to connect via a proxy, and anyone behind a proxy can still get infected.

In situations where applying the patch is not an option, tweaking connectivity settings to allow direct connections to this specific address may be a viable, if rather labour-intensive method of mitigating the threat, for now at least - it seems almost inevitable that further versions of the same threat, or others making use of the same flaw, will emerge in the near future and will not have such an easy method of disabling the attack, so applying the patch is by far the better approach.

Who are the known victims?

First, here is a heat map created by MalwareTech to help you visualise just how fast this ransomware threat spread.

 

At least 16 hospitals in the United Kingdom were diverting patients and rescheduling procedures on Friday thanks to the WannaCry outbreak, reported Brian Krebs. This attack led to hospitals to only accept emergency cases. There was real concern that it could seriously impact care.

NHS Digital report of WannaCry

Telefonica in Spain, the former state telecommunications company was also hit. WannaCry reportedly caused computers to crash, leaving blue screens and rendering devices useless.

FedEx in the US said that it was "experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible."

At the time of writing £26,287.14 has been given to the attackers to decrypt files. 

How do I avoid infection?

  • Apply patch Windows Patch MS17-010 immediately. Always apply operating system security patches as soon as possible. (If you are a home user, ensure that Windows Update is patching you automatically)
  • Run the latest version of the operating system. Later versions have more inherent security features, many of which are turned on by default.
  • Review your backup strategy and strengthen where possible.
  • Review and restrict access to network resources to an as-needed basis.
  • Block unnecessary ports (ensure that SMB is NOT externally accessible)

If you have any questions, queries or been hit by ransomware such as WannaCry, please contact us.