Friday is typically a day when everyone’s thoughts are on the weekend: time to relax, time to escape from work for a precious two days. Friday 12th May 2017 was not one of those days. That Friday the RansomWare game was changed; enter “WannaCry”.
As that Friday unfolded, computer systems around the world were being taken down, from Telefonica in Spain to the NHS in the UK and FedEx in the US. My own first thoughts when I saw on the news that the NHS was facing major systems outages due to a new RansomWare strain were, first, “oh great, another variant” and, second, “I wonder how it got in and spread so quickly; it almost looks like a coordinated attack given how much of the NHS has been hit”. News quickly started to spread and the name was out for this new malware, “WannaCry” (also known as “WCry” and “WannaDecrypt0r”), and by the evening everyone had heard of it.
WannaCry is just the payload: once that payload is delivered the target system is encrypted and a message is displayed ordering you to pay to get your files back, so the payload itself is a pretty standard form of RansomWare. The intriguing part is the delivery system, which makes use of the EternalBlue exploit from the NSA toolkit released last month; via this exploit the payload can be spread to nearly any Windows device on the same network as the infected machine. EternalBlue gives the malware the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm: it compromises hosts, encrypts the files stored on them and demands a ransom payment in the form of Bitcoin, all the while scanning and spreading further, so the payload moves quickly around the network with no admin credentials required. An important note is that the malware is not just able to spread via internal networks but also to externally facing hosts across the internet.
WannaCry primarily utilizes the EternalBlue exploit, but it is also used in conjunction with the DoublePulsar backdoor. EternalBlue is used for the initial exploitation of the SMB vulnerability; if that succeeds, the DoublePulsar backdoor is implanted, which in turn is used to install the malware. Microsoft had released security patches back in March for all Operating Systems currently in support and extended support. Although this resolves the EternalBlue exploit, it does not necessarily mean you are protected, as WannaCry is designed so that if the EternalBlue exploit fails it will proceed to check whether the target already has the DoublePulsar back-door installed. This could have been installed prior to the patch by another hacker, even the NSA, since this was originally part of their hacking toolkit before ShadowBrokers publicly released it.
On Friday evening the first variant was halted by a British security researcher, MalwareTechBlog, who after analyzing some of the code found it pointed to an unregistered domain (iuqerfsodp9ifjaposdfjhgosurij
Throughout the weekend Security Researchers have been working to get hold of samples to break them down and understand them. One researcher from France who uses the twitter handle @benkow_ discovered a new variant, WannaCrypt0r 2.0, and in turn sent it on to another IT Security Researcher, Matthieu Suiche, for an in-depth analysis. Upon analyzing it, Matthieu again discovered a kill-switch, but this one linked to another domain (ifferfsodp9ifjaposdfjhgosurij
Working with MalwareTech, Matthieu transferred this additional domain to MalwareTech’s sinkhole, to which MalwareTech posted the below to Twitter.
Earlier I thought “it’s not over” and it appears I might be right. The predictions that the fast-spreading WannaCry RansomWare would quickly evolve to get around its domain-based kill switch were everywhere, and, well… the predictions are starting to come true: we are already seeing reports of different domain names being used, and a few where researchers have claimed to have found samples without any kill-switch whatsoever (these researchers have since back-tracked and it looks like they might not have been using a fresh sample from the wild). I still believe that the kill-switch will be removed; it might not be done by the original creators but by a copycat group, but the exploits and code are out there so it’s just a matter of time.
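Two things in the account above are useful to a defender regardless of which variant shows up: the spreader scans TCP port 445 across many hosts from each infected machine, and each infection attempts a DNS lookup of the kill-switch domain before the payload runs. The following is an added example (not code from the original post) that turns both into detection logic over constructed firewall-flow and DNS log lines. The log formats, the host addresses and the kill-switch domain name are all assumptions; the page only shows the real domains truncated, so a placeholder is used and must be replaced with the real value. The fan-out detection is the one that keeps working if a copycat removes the kill-switch, which is why it counts denied connections as well as allowed ones: a blocked SMB attempt is still evidence of scanning.

```python
"""Added example: worm-style SMB fan-out and kill-switch lookup detection.

Constructed inputs only; nothing here comes from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the post truncates the real kill-switch domains, so substitute
# the real name(s) here. Compared case-insensitively without a trailing dot.
KILL_SWITCH_DOMAINS = {"killswitch-domain-placeholder.example"}

# Constructed flow log: "<ISO time> <src> <dst> <dport> <allow|deny>".
FLOW_LOG = """\
2017-05-12T13:00:01 10.0.1.15 10.0.1.20 445 allow
2017-05-12T13:00:02 10.0.1.15 10.0.1.21 445 allow
2017-05-12T13:00:02 10.0.1.15 10.0.1.22 445 deny
2017-05-12T13:00:03 10.0.1.15 10.0.1.23 445 allow
2017-05-12T13:00:04 10.0.1.15 10.0.1.24 445 deny
2017-05-12T13:00:05 10.0.1.15 10.0.1.25 445 allow
2017-05-12T13:00:06 10.0.1.15 10.0.1.26 445 allow
2017-05-12T13:00:07 10.0.1.15 10.0.1.27 445 allow
2017-05-12T13:00:10 10.0.2.7 10.0.2.50 445 allow
2017-05-12T13:01:10 10.0.2.7 10.0.2.50 445 allow
2017-05-12T13:02:10 10.0.2.7 10.0.2.50 445 allow
2017-05-12T13:00:11 10.0.3.9 10.0.3.1 80 allow
2017-05-12T13:00:00 10.0.4.4 10.0.4.10 445 allow
2017-05-12T13:02:00 10.0.4.4 10.0.4.11 445 allow
2017-05-12T13:04:00 10.0.4.4 10.0.4.12 445 allow
2017-05-12T13:06:00 10.0.4.4 10.0.4.13 445 allow
2017-05-12T13:08:00 10.0.4.4 10.0.4.14 445 allow
"""

# Constructed DNS log: "<ISO time> <client> <qtype> <qname>".
DNS_LOG = """\
2017-05-12T13:02:10 10.0.1.15 A killswitch-domain-placeholder.example
2017-05-12T13:05:44 10.0.2.7 A intranet.corp.example
"""


def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, dport, action)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return flows


def smb_fanout_alerts(flows, window=timedelta(seconds=60), threshold=5):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 inside
    any window. Returns {src: peak distinct destinations}. Denied flows count
    too: a firewall block does not make the scanning any less real."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        in_window = defaultdict(int)       # dst -> hits currently in window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # expire old events
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def kill_switch_lookups(text, domains=KILL_SWITCH_DOMAINS):
    """Return {client: [times]} for DNS queries naming a kill-switch domain.
    A hit means the payload started on that client even if the sinkhole
    then made it exit, so the host still needs patching and investigation."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = line.split()
        if qname.lower().rstrip(".") in domains:
            hits[client].append(ts)
    return dict(hits)


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout_alerts(parse_flows(FLOW_LOG)))
    print("kill-switch lookups:", kill_switch_lookups(DNS_LOG))
```

With the constructed data, 10.0.1.15 is flagged (eight distinct hosts on 445 within seconds) while 10.0.2.7, which repeatedly talks to one file server, is not; 10.0.4.4 touches five hosts but spread over eight minutes, so it only trips the detector if the window is widened. Tune the window and threshold to the site's normal SMB behaviour, and note that the DNS check is only as good as the domain list, which the kill-switch discussion above shows can change between variants.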
The taking down of these kill-switches is just a temporary measure; one should expect new variants to be released, and as such security measures should be implemented now to prevent falling victim later.
- Do not open an unknown email
- Do not download files from an unknown email
- Do not click files from an unknown email
- Avoid visiting malicious sites
- Do not download software and apps from a third-party store/website
- Enable “Show hidden file extensions” and only open a file if it’s the extension you expect
- Apply any pending software updates and keep them up to date
- Make sure you are using a reputable security suite/Anti-Virus
- Back up your data on a regular basis
- Use System Restore to get back to a known-clean state
What additional steps should Microsoft users take?
Microsoft Windows is the ultimate target of this cyber attack since WannaCry exploits a security flaw within the SMB protocol. To mitigate the risk, patch MS17-010 should be applied urgently if it has not already been; to aid in this, please find below the direct links to each download from Microsoft: