WannaCry – How A Minor Bug became One of the Biggest Ransomware Attacks?
From a Microsoft vulnerability detected by the National Security Agency to one of the biggest cyber-attacks. Here is all you need to know about WannaCry, the ransomware that affected over 200,000 computers, in 150 countries, in 3 days.
What Is WannaCry?
WannaCry was a ransomware that exploited the vulnerability in Windows and locked down systems across the globe. Those affected by WannaCry were locked out of their devices and had to pay an amount of US $ 300 in bit coins to access their file.
It spread via SMB and through EternalBlue and installed the backdoor payload known as DoublePulsar, which lets your device, be remotely controlled.
This is what it looked like.
How Did It Happen?
- The National Security Agency detected a vulnerability in Microsoft and wrote an exploit – EternalBlue.
- Microsoft releases patches in March once the vulnerabilities were disclosed.
- 4 weeks later Shadow Brokers released the codes for EternalBlue online.
- The actual attack started on Friday, May 12, 2017, which spread to 150 countries.
- The attack came to a halt on Friday afternoon. However, there have been copycats springing up every now and then.
How Did It Get So Big?
WannaCry spread like a wildfire the moment it originated.
It appears that the primary attack vector was through email attachments. Once it was in the system, it leveraged the SMB exploit and found its way around unpatched computers. Combined with a self-replicating payload it had the ability to spread and infect vulnerable machines on the network.
It did not discriminate; from huge organisation to hospitals, it did not stop anywhere. It got to Health authorities in Britain, Canada, Indonesia and Slovakia; Government Offices in India and Russia; and major corporations like FedEx, Nissan, and Hitachi, among many others. The remediation expenses came up to a billion dollars and disrupted businesses and organisations worldwide. Malware attacks could not get more serious than this.
Who Did It?
Connections to WannaCry have been tracked to the hacker group Lazarus (responsible for hacking Sony Pictures Entertainment 2014). This theory came into being after Google Security Researcher Neel Mehta tweeted similarities between the code, software, and tools used in the WannaCry attack and the Lazarus group.
However, it’s just a theory for now and is far from conclusive, as no ‘hard’ facts have been presented. The possibility is being worked on.
Is It Over?
It may have halted, but it’s not over yet.
The initial attack ended accidentally on Friday i.e., 12 May, when an IT security professional who goes by the alias MalwareTech took control of a domain name that was hard coded into the self-replicating exploit that the authors knew to be unregistered. It was created to ping a specific unregistered domain, which if returned anything but a DNS error would consider it under scrutiny and shut down to avoid further investigations. MalwareTech accidentally figured that the domain name functioned as a kill-switch.
Here’s How You Can Prevent Future ‘Wannacry’s’?
Your computer is protected if it has installed all the updates and runs on Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
- Download Microsoft’s Emergency Patch immediately if you use Windows XP, Windows 8 and Server 20003. You can figure out the version by following these steps. Start Menu => Control Panel => System. You should reach a page that displays your operating system information.
- Install all the system updates that have been marked important.
You can do this by opening the ‘Start Menu’. Then type ‘Windows Update’ and select it. Follow the instruction on screen to successfully install it.
- Disable the SMB File Sharing Protocol if not required.
- Your OS and software need to be regularly updated with the patches for newly discovered vulnerabilities.
- This one is an age-old advice – keep away from strange links and attachments. Especially, Microsoft email attachments that ask you to enable macros. If you think, it is not from a genuine source. “Do not enable macros”.
- Keep a backup of your data at all times. For corporations, it is advisable to have offline storage as well, that are far from the reach of hackers.
- Cloud storage can help lessen the risk of an infection. As most of them, retain previous file versions.
This week’s temporary glitch was a quite a revelation. Here is a link by Tenable http://www.tenable.com/blog/wannacry-three-actions-you-can-take-right-now-to-prevent-ransomware? that helps you determine whether your organisation is exposed.