WannaCry Ransomware Explained
Bug 
Quote:
How one of the most dangerous ransomware outbursts happened. Key lessons organizations should learn.

Ransomware has become one of the main cyber threats that can have devastating effects on organizations, resulting in financial damage, corporate instability, and reputational harm. This type of malware uses complex encryption algorithms which lock up all files on a machine unless a decryption key is used to retrieve the data. A ransom message appears on the device’s screen, demanding that the victim pay a certain amount of money (usually in the Bitcoin cryptocurrency) in exchange for the passkey (with no certainty of the malicious hackers keeping their promise).

This sequence of events occurred one too many times during the past three decades since the first strain of ransomware was invented.

Back in 2017, the WannaCry ransomware became one of the most devastating cyber-attacks ever seen. It swept the entire world, locking up critical systems all over the globe and infecting over 230,000 computers in more than 150 countries in just one day.

The UK’s National Health Service (NHS), FedEx, Spain’s Telefónica, and Renault-Nissan are merely a few names that became high-profile victims of crippling WannaCry ransomware attacks.

In this article, I will dissect the WannaCry outbreak and provide tips for organizations to defend themselves against ransomware attacks, so stay tuned until the end.

What is the WannaCry ransomware attack?

WannaCry is a crypto-ransomware type, a malicious software used by attackers in the attempt to extort money from their victims. Unlike locker ransomware (which locks targets out of their device so they are unable to use it), crypto-ransomware only encrypts the data on a machine, making it impossible for the affected user to access it.

Just like any type of crypto-ransomware, this is exactly what WannaCry does: it takes the victims’ files hostage, claiming to restore them only if they pay a ransom.

Who was affected by WannaCry?

WannaCry targeted devices running Microsoft Windows OS, encrypting the data and requesting payment in Bitcoin in exchange for their return.

WannaCry behaved like a worm-type attack vector, being able to self-propagate on Windows devices. However, the fact that it was a worm was not the most significant thing about it. Instead, the methods it used to distribute itself were a concern, as they leveraged some critical Windows bugs that had been fixed by Microsoft two months before the outbreak.

WannaCry used an exploit dubbed “EternalBlue”, which took advantage of a security vulnerability that allowed malicious code to propagate without the user’s consent across systems set up for file-sharing.

What is EternalBlue?

EternalBlue is the vulnerability exploit name for the Server Message Block (SMB) protocol (CVE-2017-0144) implementation in Windows. The weakness originated from a bug that made it possible for a remote attacker to execute arbitrary code on a targeted machine and transmit specially designed data packets.

EternalBlue was created by the United States National Security Agency (NSA) as part of a questionable initiative of stockpiling and weaponizing software vulnerabilities rather than reporting them to the relevant provider, according to denouncing comments made by Microsoft.

The malicious hacker group Shadow Brokers leaked the cyberweapon in April 2017 and posted it online.

EternalBlue was one of the most useful vulnerabilities in the NSA’s cyber arsenal until it got stolen. Security experts spent nearly a year discovering a flaw in Microsoft’s program and writing the code to target it, according to three former NSA operators. They referred to it originally as EternalBluescreen because it frequently crashed machines. Yet, it became a reliable instrument used in numerous missions of intelligence collection and counter-terrorism.

On March 13, 2017, a month before EternalBlue was leaked, Microsoft patched the flaw. A large number of unpatched servers, however, still existed and were vulnerable to the exploit.

How does WannaCry ransomware spread?

WannaCry’s variant that incorporated the EternalBlue exploit first appeared at about 6 a.m. UTC on May 12, 2017, and quickly started circulating. Due to its ability to self-propagate and push itself through the network of an organization and then on to other entities via the Web, it was a novel and incredibly dangerous type of e-threat.

The ransomware used EternalBlue to spread to other machines on the local network until it placed itself on a computer. Besides, in an effort to locate other vulnerable devices, it tried to self-propagate throughout the Internet by analyzing random public IP addresses.

This aggressive dissemination process shows how certain organizations were highly influenced by WannaCry and how it managed to easily leap from one entity to another.

The malware also downloaded the DoublePulsar backdoor (part of the Shadow Brokers leak) following an infection. It was also stated that the malicious code aimed to use the DoublePulsar backdoor, which may have been mounted in a previous attack, even though the EternalBlue exploit failed. The vulnerability would enable the intruder to obtain remote access to the compromised device in order to flood the victim with additional malware or allow for data exfiltration.

WannaCry sought to contact a certain domain while it was activated on a machine. If the domain was inaccessible, it could continue to encrypt the files and try to distribute itself to other devices. Nonetheless, if the domain was reachable, the ransomware would not be downloaded.
...
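The article describes WannaCry fanning out over SMB to local hosts and to random public IP addresses. One defensive way to spot that behaviour is to look for a single internal host opening port-445 connections to many distinct destinations, several of them outside the organization. The script below is an added example, not code from the article or from Heimdal; the log format, the field order and the threshold values are assumptions, and the addresses are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log, one line per connection attempt:
# "timestamp src_ip dst_ip dst_port action". Public addresses are from
# documentation ranges; the format itself is an assumption for this example.
SAMPLE_LOG = """\
2017-05-12T06:01:02Z 10.0.0.15 10.0.0.22 445 ALLOW
2017-05-12T06:01:03Z 10.0.0.15 10.0.0.23 445 ALLOW
2017-05-12T06:01:03Z 10.0.0.15 203.0.113.7 445 DENY
2017-05-12T06:01:04Z 10.0.0.15 198.51.100.9 445 DENY
2017-05-12T06:01:04Z 10.0.0.15 192.0.2.41 445 DENY
2017-05-12T06:01:05Z 10.0.0.15 203.0.113.88 445 DENY
2017-05-12T06:01:05Z 10.0.0.15 198.51.100.200 445 DENY
2017-05-12T06:01:06Z 10.0.0.40 10.0.0.5 445 ALLOW
2017-05-12T06:01:07Z 10.0.0.40 93.184.216.34 443 ALLOW
"""

# RFC 1918 ranges are treated as internal; everything else counts as public.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return ts, src, dst, int(port), action


def find_smb_scanners(log_text, min_public_targets=3, min_total_targets=5):
    """Return {src_ip: (distinct_public_targets, distinct_total_targets)}
    for sources whose SMB (445) fan-out crosses either threshold."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, _ = parse_line(line)
        if port == 445:  # only SMB matters for this detection
            targets[src].add(dst)
    suspects = {}
    for src, dsts in targets.items():
        public = sum(1 for d in dsts if not is_internal(d))
        if public >= min_public_targets or len(dsts) >= min_total_targets:
            suspects[src] = (public, len(dsts))
    return suspects
```

Denied attempts are counted on purpose: a perimeter block stops the outbound scan but the attempt itself is the signal that the host is already infected.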