In this day and age, when we have never been more attached to our gadgets and computers, imagine your laptop literally being held for ransom. That is the reality thousands of individuals and organisations woke up to on May 12th, 2017, when a global malware campaign called WannaCry (also known as WCry, WannaCrypt or Wannacryptor) began.
The malware is a ransomware worm, and its most publicised victims include the United Kingdom's National Health Service (NHS), Telefonica in Spain, Renault in France and several Chinese universities. This article lays out the key details of how this rapidly spreading threat works and how to protect your computers from it.
How does WannaCry Operate?
Most malware campaigns target security vulnerabilities in operating systems and applications, and this one is no different. WannaCry exploits flaws in Microsoft's SMBv1 network file sharing protocol. Microsoft released a fix for these flaws in March 2017 (security bulletin MS17-010), two months before the outbreak, but any computer that has not yet installed that update remains vulnerable.
Back in April 2017, an online group calling itself the Shadow Brokers released a set of exploitation tools, among them the Fuzzbunch framework. Fuzzbunch bundled several modules specific to the Windows operating system, including the EternalBlue SMBv1 exploit and the DoublePulsar backdoor. How do these tools relate to this attack? DoublePulsar is not itself an exploit but a kernel-mode implant that is installed once EternalBlue succeeds; it lets the attacker load arbitrary code on the compromised machine, which makes it very effective for distributing malware and launching further attacks. WannaCry's worm component carries its own copies of the EternalBlue and DoublePulsar logic, so it spreads using the same techniques the leaked Fuzzbunch modules contain.
What does this Malware Attack do?
WannaCry is unusual in how it gains a foothold on a network and then spreads automatically to the other computers on it. Earlier ransomware families mostly arrived by phishing e-mail or exploit kit and had to infect each victim separately; WannaCry behaves like a worm, so a single infected machine can compromise many others without any user interaction. To execute successfully, the malware goes through the following stages.
- Propagation: WCry scans for computers with TCP port 445 open, uses the EternalBlue exploit to compromise the SMBv1 service, and then installs the DoublePulsar backdoor, through which it loads the ransomware onto the new victim. Each newly infected computer then searches for further vulnerable neighbours, in a vicious cycle.
- Encryption: the victim's files are encrypted early in the infection, before any communication is sent out. Encryption does not depend on first reaching a server, so a machine that is offline is not protected.
- Communication (Tor): a Tor client is embedded in the ransomware package, so no additional executable needs to be downloaded. It is used to reach the attackers' command-and-control (C2) servers over Tor and exchange key material and payment details.
- Spreading: after the kill-switch domain check (described below) passes, the malware launches a separate worm executable that scans IP addresses on the local network, and randomly chosen addresses on the Internet, for more vulnerable machines.
Can this Attack be stopped?
As with all ransomware, this one is designed to extort its victims: the price of regaining access to the computer is $300, which victims are instructed to pay in Bitcoin. While some victims have paid, there is no reliable record of anyone who has recovered their files by doing so.
However, when these attacks began, a U.K. based security researcher (@MalwareTechBlog) stumbled upon a kill switch that stops the spread of certain WannaCry variants. On infection, the malware sends an HTTP GET request to a hardcoded domain that, at the time, was unregistered. If the request fails, the attack proceeds and the worm begins its vicious cycle of infecting other computers on the network; if the request succeeds, WannaCrypt exits and deploys no further. One important caveat: the request is made as a direct connection that ignores the system's proxy settings, so on a network where outbound web traffic only works through a proxy the check fails even after the domain has been registered, and the malware runs anyway. The kill switch is a stopgap, not a defence.
Once he realised what the domain did, the researcher quickly registered it and pointed it at a sinkhole, halting the spread of this variant of the ransomware. Variants with the kill switch removed appeared within days, which is why patching still matters. The following kill-switch domains have been discovered so far.
- ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@msuiche)
- iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@MalwareTechBlog)
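The two behaviours described above, the worm's fan-out to many peers on TCP 445 and the kill-switch lookup it performs first, both leave traces in ordinary network logs. The script below is an added example written for this article, not code from the original page or from any vendor product: it runs a sliding-window fan-out detector over constructed connection-log lines and matches DNS queries against the two published kill-switch domains. The log formats, hostnames and addresses are invented for the example; the `ignore` parameter is where a known scanner or backup server would be allow-listed.

```python
"""Added example (not part of the original article): spot WannaCry-style
worm behaviour in connection and DNS logs.  Two signals: (1) one internal
host fanning out to many distinct peers on TCP 445 in a short window (the
EternalBlue scan loop), and (2) a lookup of a published kill-switch domain,
which an infected host performs before deciding whether to run.  The log
formats below are constructed for the example, not taken from any product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Published kill-switch domains (from the article), without the defanging
# brackets so they match what a resolver log would actually contain.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed log formats (assumed for this example, not vendor-specific):
#   CONN <ISO-8601 time> <src ip> <dst ip> <dst port> <proto>
#   DNS  <ISO-8601 time> <src ip> <queried name>
CONN_RE = re.compile(r"^CONN (\S+) (\S+) (\S+) (\d+) (\S+)$")
DNS_RE = re.compile(r"^DNS (\S+) (\S+) (\S+)$")


def detect_smb_fanout(lines, threshold=20, window=timedelta(seconds=60),
                      ignore=frozenset()):
    """Return {src: peak_distinct_peers} for sources that contacted at least
    `threshold` distinct destinations on TCP/445 within any `window`.
    The *source* is what fans out in a worm scan, so a busy file server
    (many sources, one destination) does not trigger this."""
    per_src = defaultdict(list)  # src -> [(time, dst), ...]
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        if src in ignore or proto.lower() != "tcp" or int(port) != 445:
            continue
        per_src[src].append((datetime.fromisoformat(ts), dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        seen = defaultdict(int)  # dst -> occurrences inside current window
        for t, dst in events:
            seen[dst] += 1
            while t - events[lo][0] > window:  # slide the window forward
                old = events[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


def detect_kill_switch_lookups(lines):
    """Return [(time, src, name)] for DNS queries to a kill-switch domain.
    A successful lookup means the sample should have exited, but the lookup
    itself is still evidence that the worm executed on that host."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts, src, name = m.groups()
        if name.lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            hits.append((ts, src, name))
    return hits


# Constructed sample: one host sweeping 25 neighbours in 25 seconds, one
# normal client talking to a single file server, and one kill-switch lookup.
SAMPLE_LOG = [
    f"CONN 2017-05-12T10:00:{i:02d} 10.1.2.50 10.1.2.{i + 1} 445 tcp"
    for i in range(25)
] + [
    "CONN 2017-05-12T10:00:05 10.1.2.77 10.1.2.10 445 tcp",
    "CONN 2017-05-12T10:00:06 10.1.2.77 10.1.2.10 445 tcp",
    "CONN 2017-05-12T10:00:07 10.1.2.77 10.1.2.11 80 tcp",
    "DNS 2017-05-12T09:59:58 10.1.2.50 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "DNS 2017-05-12T10:00:01 10.1.2.77 updates.example.com",
]

if __name__ == "__main__":
    print("SMB fan-out:", detect_smb_fanout(SAMPLE_LOG))
    print("kill-switch lookups:", detect_kill_switch_lookups(SAMPLE_LOG))
```

Tune `threshold` and `window` to the network: a domain controller or a vulnerability scanner legitimately opens SMB sessions to many hosts and belongs in `ignore`, while a workstation reaching twenty distinct peers on port 445 inside a minute almost never does. Where the kill-switch domain is sinkholed, the DNS lookup resolves and the sample exits, so the DNS hit is often the only trace left on a patched-but-exposed host.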
Tips for Staying Safe and Preventing this Attack
The best protection against viruses and malware is usually keeping systems current with the latest OS and software updates, which ensures the computers run with the most recent security fixes. The following are the main ways of preventing this attack and keeping computers and networks safe.
- Tip 1 – Install Microsoft's MS17-010 security update (March 2017), which fixes the SMBv1 flaws CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148. Microsoft has also issued an emergency patch for out-of-support versions such as Windows XP and Windows Server 2003.
- Tip 2 – Block Tor communications to and from your computers. This hampers the malware's contact with its C2 servers but, because encryption happens before any communication, it does not on its own stop files being encrypted or the worm spreading.
- Tip 3 – Consider blocking TCP port 445 at the network perimeter so SMB is never reachable from the Internet, and disable SMBv1 on hosts that do not need it; EternalBlue only works against SMBv1.
What does the future hold?
Just like computer viruses, ransomware attacks will keep springing up, and regardless of their origin or intent it is always best to prevent them before they occur. Following the steps above will substantially reduce the chances of being successfully attacked by this malware.
Going forward, security companies will no doubt find better means of keeping computers and networks protected, and OS vendors will perhaps find better ways of pushing vital security updates out to their users.
Are you affected?
If you have been directly affected by this attack, contact a security company to help you find a resolution. Paying the ransom is never advisable, as it is no guarantee of a fix, so whatever you do, be IT smart.
Do YOU have security concerns? Contact us!