WannaCry: The Fallout

15th May 2017 in
,
  1. New infection of machines by this variant of WannaCry has been halted after the discovery of a kill switch.
  2. All Windows Operating Systems still receiving security patches (Vista, 7, 8.1, 10, Server 2008, Server R2, Server 2012, Server 2012 R2, Server 2016) are STILL VULNERABLE unless you have applied Microsoft security hotfix MS17-010 released April 2017 via your windows updates.
  3. All Legacy Microsoft Operation Systems no longer receiving security patches (XP, Windows 8, Server 2003) are STILL VULNERABLE unless you have applied Microsoft emergency security hotfix MS17-010 for legacy operating systems released on Saturday Morning
  4. Organisations should block SMB ports (TCP139,445) incoming from the internet on external facing hosts.
  5. Organisations should further block unnecessary SMB traffic between hosts while remediation is in progress.
  6. Employees should take care to avoid unsolicited emails or attachments, as opportunistic cyber-criminals of many variants will be looking to capitalise on the tendency to ‘panic’ in such a situation.

Introduction

On Friday 12th May 2017 at approximately 9am UTC a massive Ransomware attack was launched on a global scale. This attack was accomplished by bolting on recently stolen and released Nation State level cyber weapons to existing ransomware to create an attack that was unprecedented in its effects.

Worst affected was the UK National Health Service, whose antiquated IT systems led to a complete loss of service causing it to issue advice for UK residents to avoid hospitals.

Background

The Equation Group is a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA)

This group is widely believed to be behind advanced malware that seems to target national level infrastructure such as 2010’s Stuxnet attack on Iran’s nuclear program.

NSA Cyber Weapons were released by Shadow Brokers group in April 2017

A group known as the Shadow Brokers stole tools and malware code belonging to the Equation Group. After attempting multiple unsuccessful methods of sale of these cyber weapons they eventually released a cache of 2013 era tools to the public apparently in protest of American President Trump.

Ransomware encrypts user’s files and offers to decrypt them for a price.

It has been an attack vector since at least the ‘AIDS Trojan’ in 1999, however there has been a marked increase in recent years with the increased prevalence of the general public leading a more online life and the ease of hard to trace ransoms via methods like bitcoin. Paying the ransom does not necessarily mean you will get back you files either as some malicious threat actors will leave your data inaccessible after payment of the ransom.

SMB (Server Message Block) is a protocol that allows file sharing on Windows machines

SMB is used extensively in Windows environments in order to allow file sharing between computers for example with Shared Drives. It uses TCP ports 139 and 445 for communication.

Analysis

This variant of the WannaCry ransomware was detected approximately 9am UTC on 12th May

Researchers at Talos Intelligence detected call backs to the kill switch domain from this time.

Initial infection suspected to be via infected files delivered by Phishing Emails.

WannaCry is believed to enter a network either using the ETERNALBLUE SMB vulnerability described below or via infected files send in Phishing emails. Antivirus vendors have issued updated malware signatures to detect these files but bear in mind that this will only stop the currently known variant.

Secondary spread via SMB protocol using NSA Equation Group vulnerabilities

Once a machine is infected it spreads to other machines on the same network, finding them by scanning on TCP port 445. Once a potential victim machine is determined the WannaCry worm is able to utilise the ETERNALBLUE SMB vulnerability to infect those machines that have not been patched with MS17-010

Persistent backdoor installed after infection

Once the machine is compromised the WannaCry worm then downloads the NSA Equation Group’s DOUBLEPULSAR malware downloader. This implants a persistent backdoor which then installs the ransomware payload.

Kill Switch was accidentally triggered by security researcher

The spread of WannaCry was accidentally halted when a operating under the Twitter name of MalwareTechBlog found references in the malware code to check domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. After registering the domain it was determined that a successful check against that domain acted as a kill switch and prevented new infections. This happened prior to much of the Americas coming online and so they were lightly hit.

Multiple large organisations across the globe have been hit.

The attack has affected large critical national infrastructure providers such as Telefonica in Spain, the National Health Service in the UK and to a lesser extent Deutsche Bahn in Germany. Private companies have also been affected such as FedEx in America and LATAM airlines based in South America.

At time of writing approximately 195,000 hosts have been infected in the last 24 hours.

The initial demand is to pay $300 worth of bitcoin. This rises after 3 days to $600. There is of course no guarantee that this will secure release of the files.

This ransomware uses classic threats and timers to create a sense of urgency.

Malware installs Tor in an attempt to hide traffic leaving the network.

During the initial infection process the Tor software is installed and WannaCry connects to several tor exit nodes to proxy its traffic through the Tor network and allow for command and control of the ransomware .

Ransom paid to the 3 bitcoin wallets is at time of writing $38,800.

The ransom is directed to be paid to 1 of 3 bitcoin wallets. Researchers are tracking these wallets in real time to ascertain the amount of ransom being paid.

Conclusion

While this attack has been devastating to many it was not unforeseen. The NSA leaked tools used in this attack have now been on the open market for several weeks and the vulnerabilities utilised have been resolved in critical security patches released several weeks ago.

So why did this attack cause such widespread damage?:

Critical Security Patches not being applied in a timely manner – Critical security patches are just that. Your patching cycle should take into account how to test and deploy critical patches in a rapid manner. From the moment a security patch is released, malware authors are reverse engineering the patch to work out what the flaw was so they can exploit lethargic patchers.
Poor training of users to detect suspect phishing emails – Users are not receiving the training they require to be able to spot increasingly advanced spoofing and phishing techniques. The weakest point of your security is always going to be the human element so ‘hardening’ them against attack is critical to protecting your corporation.
Poor Disaster Recovery and Backup planning – In the modern world you mitigate the risks of an attack as well as you can but thinking that you are too small or too unimportant to be attacked is tantamount to sticking your head in the sand. All companies should be adopting an ‘Assume Breach’ posture with adequate planning for how to maintain Business as Usual and recover if the worst happens. This includes taking and testing of appropriate backups. In the case above, this could allow you to quickly recover critical data and systems without having to resort to being extorted.

More recent stories

7th August 2020
The Magnitsky Act: A gamechanger at last?
Read More
24th July 2020
“And every tale condemns me for a villain…”
Read More