Wreaking unprecedented havoc across more than 150 countries, WannaCryptor [1], popularly referred to as WannaCry, spread like wildfire on May 12th 2017. By most accounts it impacted over 200,000 users globally, including the UK’s NHS and Spain’s Telefonica. Australia was not spared either, with at least twelve local businesses reported to have been impacted [2].
[Editor’s note: This is the first in a three-part series on WannaCryptor by Nick FitzGerald. Read the second part here: WannaCryptor: what to do if your business comes under attack from this ransomware]
WannaCryptor and its variants are a type of malicious software known as ransomware. It is an increasingly popular attack method employed by cybercriminals that involves the illegal encryption of files or devices. A ransom – usually in bitcoin – is then demanded for the ‘safe recovery’ of the encrypted files or devices.
While this WannaCryptor variant did all that, it is unlike most encrypting-type malware I’ve seen: this one also has wormlike capabilities, allowing it to spread by itself. It is this new feature that accounts for WannaCryptor’s ‘15 minutes of fame’.
In ransomware attacks, the distribution vector is usually via spammed emails with a malicious attachment or link, or through a silent ‘drive-by’ installation from a compromised webpage. The spam approach was initially suspected in the WannaCryptor attack, but seems increasingly unlikely [3]. It now seems likely that the main distribution vector in this attack was WannaCryptor’s worm functionality, which depended on poor patching and network security practices.
How it spread
Regardless of its initial distribution vector, to so quickly reach the widespread distribution it achieved, WannaCryptor successfully exploited a vulnerability in most versions of the Windows OS. Specifically, it affected machines where the MS17-010 update from March 14th had not been applied, as well as older Windows versions that are no longer on mainstream support and for which there were no publicly available patches.
The outbreak started early in the work-day in Europe, and was well-established and leading the news by the middle of the day. This gave Microsoft, headquartered on the US West Coast, enough lead time to publicly release the relevant patches for Windows XP, Windows 8.0 and Windows Server 2003; patches that had previously only been available to its customers paying for custom support on those OS versions. So, it would seem that most computers that were affected had, for whatever reason, not updated the operating system with the latest security patches.
WannaCryptor’s worm functionality works by scanning the local network and the internet for potential victim machines, attempting to exploit any Windows PC without the MS17-010 update installed. That update included a patch for the so-called EternalBlue vulnerability [4], reputedly discovered and used by the NSA, and released by the Shadow Brokers group in April this year. That was the specific vulnerability WannaCryptor used to spread.
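The scanning behaviour described above leaves a recognisable trace in network flow logs: one internal host opening SMB connections to many distinct hosts in a short time. The following detection sketch is an added example, not code from the article or from ESET; it runs over constructed sample flow records, and assumes SMB on TCP port 445 (the service EternalBlue targets) and a simple "timestamp src dst port" record format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the article): timestamp, src, dst, dst_port.
# Host 10.0.0.7 fans out to many distinct SMB targets within seconds, the pattern a
# self-propagating worm leaves; 10.0.0.5 makes a few ordinary file-share connections.
SAMPLE_FLOWS = """\
2017-05-12T09:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T09:00:02 10.0.0.7 10.0.0.21 445
2017-05-12T09:00:02 10.0.0.7 10.0.0.22 445
2017-05-12T09:00:03 10.0.0.7 203.0.113.9 445
2017-05-12T09:00:03 10.0.0.7 10.0.0.23 445
2017-05-12T09:00:04 10.0.0.7 10.0.0.24 445
2017-05-12T09:00:04 10.0.0.7 198.51.100.4 445
2017-05-12T09:00:05 10.0.0.5 10.0.0.20 445
2017-05-12T09:00:06 10.0.0.7 10.0.0.25 445
2017-05-12T09:00:30 10.0.0.5 10.0.0.30 80
"""

SMB_PORT = 445  # assumption: SMB over TCP; EternalBlue targets the SMBv1 service on this port

def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def find_smb_fanout(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for sources that reach >= threshold distinct
    hosts on SMB_PORT within any sliding window of the given length."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1  # slide the window start forward until it fits
            targets = {dst for _, dst in events[left:right + 1]}
            if len(targets) >= threshold:
                suspects[src] = max(len(targets), suspects.get(src, 0))
    return suspects
```

Hosts returned by `find_smb_fanout` are candidates for isolation and for checking whether MS17-010 has been applied; the threshold and window should be tuned against the normal SMB fan-out of file servers and management hosts, which legitimately talk to many peers.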
You’ve been hit, now what?
If your PC has been compromised by the WannaCryptor ransomware, a message will display onscreen reading: “Ooops, your important files are encrypted!” The authors of the malware add that it is futile to look for a way to access the files without their assistance.
Of course, this comes at a cost – US$300 in bitcoin per affected computer.
According to the ransomware’s messaging screens, the only way to decrypt the files is to pay the ransom. However, there is never a guarantee that your files will be decrypted once you pay. After all, these are cybercriminals. Further, with its enormous success spreading to so many machines so quickly, an unusual design choice in this ransomware means working out who has paid and providing the correct decryption keys to victims is a complex procedure for the criminals behind it. Because the bitcoin blockchain is public, it’s easy to tally the payments made to the three bitcoin addresses known to be used by this malware. Based on that, as of the time of publishing this article and despite warnings not to pay up, the WannaCryptor attacks have generated almost AUD$166,000 in ransom, representing payments for around 413 affected PCs.
These attacks have highlighted multiple flaws within some organisations, security agencies and governments. This includes poor and untimely information sharing, inefficient and slow cybersecurity efforts, and financial underinvestment – all of which have created a perfect storm of opportunities for cybercriminals to exploit.
About the author
Nick FitzGerald has an extensive research background in computer malware, technical and editorial writing in the malware and e-crime field, and an in-depth knowledge of anti-malware product testing. He is well-known in the anti-malware industry as a former editor and head product tester for Virus Bulletin. As a web threats researcher, he has worked in the industry from the very earliest days of malware’s move to the web and its associated shift from “electronic graffiti” to its primarily criminal activity today. Nick is currently a Senior Research Fellow, with a particular focus on APAC, at digital protection company, ESET.
[1] https://www.welivesecurity.com/2017/05/13/wanna-cryptor-ransomware-outbreak/
[2] https://www.itnews.com.au/news/eight-australian-businesses-hit-by-wannacrypt-461810
[3] https://www.linkedin.com/pulse/wannacry-evidence-phishing-caleb-barlow
[4] https://www.welivesecurity.com/2017/05/16/check-eternalblue-pc-patched-wannacryptor-worm-vulnerability/