WannaCryptor, dubbed “WannaCry” in the media, has been one of the biggest cybersecurity stories in 2017. Leveraging the leaked US National Security Agency (NSA) exploit EternalBlue, the malware spread across the globe at an unprecedented scale and speed for a piece of ransomware. In fact, such fast-spreading malware of any kind has not been seen for many years.
[Editor’s note: This is the second in a three-part series on WannaCryptor by Nick FitzGerald. Read the first part here: WannaCryptor: what is it and how do you know if your business has been attacked?]
Mass-spreading worms, which were common in the mid-2000s, had pretty much gone the way of the dodo, and it seems that some of the hard-learned IT security lessons from that time may have been lost with them. The big risk with this particular attack has been with machines that have not been patched against the vulnerabilities fixed in the MS17-010 update, and WannaCryptor certainly found plenty such machines.
The most dangerous part of this attack was not the WannaCryptor ransomware itself, but the EternalBlue exploit, which abused a vulnerability in unpatched Windows systems, allowing the infection to spread to other unpatched computers. While the WannaCryptor ransomware remains the most visible, the exploit can still be and is being used in the wild by any other malware and malicious actors – not just ransomware.
Among many other things, the MS17-010 update fixed the remote code execution vulnerability that the NSA EternalBlue tool used. Organisations that had failed to install the Windows update were most vulnerable to contracting the WannaCryptor ransomware. Once it gained initial access to a network, perhaps through users opening dubious email attachments, it would find its way to all other machines on the network with the EternalBlue vulnerability still unpatched.
Should you, or someone in your office, experience a ransomware attack, there are a few things you can do to reduce the damage.
In general, if ransomware has been executed, isolate the victim machine from the network as quickly as possible. Pull network cables from the machine or from their wall socket, or alternatively pull the patch cables from the switches or routers connecting that machine to the rest of the network. If the machine is on a Wi-Fi connection, disable the wireless interface of that machine (via the keyboard shortcut for airplane mode on a laptop, or Windows‑X then “Turn wireless off”) or shutdown all access points within range of the machine.
Next, take pictures of any screen messages displayed by the ransomware. Make sure these are clear and the text readable, as these will be helpful later in diagnosing the attack. After disabling any Wi-Fi connections, hibernate the machine. If hibernation has not been previously enabled, then usually I would recommend turning the machine off entirely.
However, in the WannaCryptor case, at least for some OSes, the decryption keys could be re-generated by capturing data in memory; data lost through a power cycle or reboot. The shortcoming in the Windows Crypto API that allowed this possible route to recovery was not discovered until several days after the outbreak. This flaw may be usable in enabling recovery in future ransomware incidents, so hibernating is definitely my preferred approach now.
Eventually you will need to turn the machine back on, without reconnecting to the network and allowing the malware to spread again. This approach won’t help with any damage that has already been done, but the worm functionality of WannaCryptor means that it can spread very rapidly to any other machines on the local (home, office, or corporate) network if they do not have the MS17-010 patch installed.
By not doing this, all files on local drives and networks to which the affected machine’s user currently has write access will be encrypted. Thus, “pulling the network plug” on the “patient zero” machine is a good start to limiting the damage. In general, this step is not expected to cause any further harm, even for more “usual” ransomware that does not have worm-like spreading functionality.
Next, you have to decide whether to isolate any other PCs, as a precaution. Any that you suspect the malware has spread to or has otherwise been executed on, should definitely be isolated from the rest of the network.
Analysis and recovery:
Once you’re sure an outbreak has been arrested and contained, carefully analyse what happened. Collect as much detail as possible. Work out what data was affected, whether you can recover it from backup, and what the ransomware was. The photos from the first step will be useful here. So too will be any copies of ransom note files and the usually distinctive file extension added to the encrypted files that you might find on network shares that any affected users had write access to.
If most encrypted files can be recovered from backups, save copies of the encrypted files somewhere safe just in case, as generic decryptors for specific ransomware variants sometimes become available long after an attack, when master keys are released or leaked. Then, restore affected files from your backups, clean-up the affected machine(s) and get back to work!
You may want to check with your endpoint security provider’s customer support team before starting all this, as they will have experience handling such situations and will be able to provide useful guidance specific to the ransomware used in your attack. Finally, check that all your systems are updated and have automatic security updates enabled. Unless you live somewhere devoid of natural disasters and where disk drives never randomly fail, I also recommend you have good, working and tested backup and restore systems (notice, plural!) in place.
Beyond the WannaCryptor ransomware case, it’s extremely important to verify whether your computer is patched against EternalBlue, considering the possibility of other malware popping up to exploit it in the near future. The recent ransomware attacks should instil renewed determination for more urgent collective action by businesses.
About the author
Nick FitzGerald has an extensive research background in computer malware, technical and editorial writing in the malware and e-crime field, and an in-depth knowledge of anti-malware product testing. He is well-known in the anti-malware industry as a former editor and head product tester for Virus Bulletin. As a web threats researcher, he has worked in the industry from the very earliest days of malware’s move to the web and its associated shift from “electronic graffiti” to its primarily criminal activity today. Nick is currently a Senior Research Fellow, with a particular focus on APAC, at digital protection company, ESET.