The aftermath: WannaCry Ransomware
A week on from the outbreak of the largest ransomware incident to date, IT departments are finally getting back to normal. NHS services are back up and running, some organisations have patched against the threat and others have implemented new cyber security measures to ensure nothing of this scale happens again. But what about the servers and workstations that have not seen an update in years, or the machines running software that is no longer supported? It is safe to assume that this attack was just the beginning. It was the first major attack built on the leaked NSA (National Security Agency) arsenal, which has been circulating on the dark web since it was published by The Shadow Brokers, a group that is threatening to release more of these cyber-warfare tools on a monthly basis.
What is WannaCry?
WannaCry is ransomware, also known as WannaCrypt, Wana Decrypt0r or WCry; it is not itself an exploit. It comes in two parts: a worm component that uses an exploit to spread across the network and infect as many targets as possible, and an encryptor that encrypts every file it can reach on each infected machine. Once encryption is done, the victim is left with the encrypted files (renamed with a .WNCRY extension) plus two new files: a ransom note with instructions on what to do next and the Wana Decrypt0r program that demands the payment. Most large companies have invested in endpoint protection from vendors such as Kaspersky to defend themselves against ransomware, but not every organisation can afford such a service.
WannaCry exploited a vulnerability in the SMBv1 file-sharing service of the Microsoft Windows operating system, and affected machines running older versions of Windows or machines that had not been kept current with Windows Update. The vulnerability (CVE-2017-0144) was fixed by the MS17-010 security bulletin in March 2017; the exploit used against it is the one the Shadow Brokers leak calls EternalBlue. The malware is considered a 'network worm' because it includes a transport mechanism that lets it travel across the network looking for further hosts. Researchers from McAfee, Microsoft and Kaspersky also noted that WannaCry used DoublePulsar, a kernel-mode backdoor released in the same Shadow Brokers dump on 14 April 2017. Analysis of the code showed that WannaCry checks a target for an existing DoublePulsar implant and uses it to deliver the payload if one is present; if not, it exploits the host with EternalBlue and installs DoublePulsar itself.
After infecting a computer, WannaCry attempts to spread to other computers in the manner of a computer worm. The worm component scans other hosts on the local network (and random addresses on the internet) on TCP port 445 for the same SMBv1 vulnerability that EternalBlue exploits; when it finds a vulnerable machine, it attacks it, installs the ransomware and encrypts the files on it.
Therefore, by infecting one computer, WannaCry can infect an entire local area network and encrypt every computer on it. That is why large companies suffered the most from the WannaCry attack: the more computers on the network, the greater the damage.
Is your computer vulnerable to ransomware?
Any Windows machine that has not received the MS17-010 fix and still has the SMBv1 server enabled is vulnerable to WannaCry, and machines running a version of Windows that Microsoft no longer supports are the most likely to be in that state (Microsoft took the unusual step of issuing an emergency patch for Windows XP, Windows 8 and Server 2003 after the outbreak). This attack can cripple a business, and for those without a backup solution, recovering lost data could be near enough impossible. Ransomware works by demanding a ransom, but paying is in no way a guarantee that you will get your encrypted data back. Look at Ranscam, mentioned in our previous post, 'Catching up with Ransomware', at the beginning of the year: instead of encrypting files, it simply deletes them, but still asks for a ransom.
Where do I find the Microsoft patch for WannaCry?
Microsoft has published the fix as Security Bulletin MS17-010 (rated Critical) on the Microsoft Security TechCenter page; it was released on 14 March 2017. This was not a zero-day flaw: the patch had been available for two months before the outbreak, but many organisations had not been applying Windows Update at either server or user level.
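As an added example (not code from the original post or from Microsoft), the following PowerShell script checks a single Windows host for the two things the sections above turn on: whether one of the MS17-010 hotfixes is installed, and whether the SMBv1 server that EternalBlue targets is still enabled, with an option to disable it. The KB numbers are the MS17-010 security-only and monthly-rollup updates as I recall them from the bulletin and should be verified against it; everything else uses only documented cmdlets and the LanmanServer registry value Microsoft documents for older Windows versions.

```powershell
# Added example (not code from the original post or from Microsoft): check a
# Windows host for the MS17-010 fix that closes the SMBv1 hole WannaCry's
# EternalBlue exploit uses, report whether the SMBv1 server is still enabled,
# and optionally disable it. Run from an elevated PowerShell prompt.
#
# ASSUMPTION: the KB list below is the set of MS17-010 security-only and
# monthly-rollup updates as I remember them from the bulletin; verify it
# against the bulletin before relying on the result.
param(
    [switch]$DisableSmb1   # pass -DisableSmb1 to actually turn the SMBv1 server off
)

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Server 2003 / Windows 8 (out-of-band, May 2017)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Get-WmiObject rather than Get-CimInstance so this also runs on the
# PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Host {0}: {1} build {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. Is one of the MS17-010 hotfixes installed? On Windows 10 later cumulative
#    updates supersede these KBs, so "not found" there means "check the
#    cumulative update level", not "vulnerable".
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    $ids = ($found | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Host ("MS17-010 hotfix present: {0}" -f $ids) -ForegroundColor Green
} else {
    Write-Host 'No MS17-010 hotfix found; confirm the host is on a cumulative update from March 2017 or later' -ForegroundColor Yellow
}

# 2. Is the SMBv1 server still enabled? Get-SmbServerConfiguration exists on
#    Windows 8 / Server 2012 and later; older versions expose the same switch as
#    the LanmanServer\Parameters\SMB1 registry value (absent = enabled).
$smb1Enabled = $true
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($value -and $value.SMB1 -eq 0) { $smb1Enabled = $false }
}

if (-not $smb1Enabled) {
    Write-Host 'SMBv1 server is disabled' -ForegroundColor Green
} elseif ($DisableSmb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server disabled' -ForegroundColor Green
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
        Write-Host 'SMBv1 server disabled in the registry; reboot for it to take effect' -ForegroundColor Green
    }
} else {
    Write-Host 'SMBv1 server is ENABLED; re-run with -DisableSmb1 to turn it off' -ForegroundColor Red
}
```

Run it once without arguments to audit, then with -DisableSmb1 to remediate. Disabling the SMBv1 server breaks file sharing with clients that only speak SMBv1 (Windows XP, some old NAS boxes and printers), which is exactly the population this post is worried about, so test before rolling it out fleet-wide. Blocking TCP port 445 at the perimeter and between user subnets limits the worm's reach even on hosts that cannot be patched.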
How to protect yourself against ransomware attacks
As mentioned in a previous post, backing up systems, and keeping the backups separate from the systems they protect, is the best way to combat ransomware. Ransomware-as-a-Service is real, and the criminals behind it are not to be trusted. Paying to retrieve data should not be an option, as it funds the problem. Organisations such as the NSA are stockpiling exploits, as the recent Shadow Brokers revelations make evident, and companies must do better to protect themselves. The current state of IT infrastructure in organisations such as the NHS, which millions trust to uphold laws such as the Data Protection Act and keep their data safe, is at risk because of a lack of funding. Open source solutions do exist for organisations with financial constraints on improving their IT, but organisations and IT departments must remember the date of 12 May 2017 and recognise the importance of backing up data, protecting against malware and educating their users on cyber essentials.