Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult-to-trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading, or opening when it arrives as an email attachment. However, one high profile example, the “WannaCry worm”, traveled automatically between computers without user interaction.
The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
WannaCry propagates using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. It was only when the existence of this vulnerability was revealed by The Shadow Brokers that Microsoft became aware of the issue, and issued a “critical” security patch on 14 March 2017 to remove the underlying vulnerability on supported versions of Windows, though many organizations had not yet applied it.
Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft released an emergency security patch for these platforms as well. Almost all victims of the cyberattack were running Windows 7, prompting a security researcher to argue that its effects on Windows XP users were “insignificant” in comparison.
The “payload” works in the same fashion as most modern ransomware: it finds and encrypts a range of data files, then displays a “ransom note” informing the user and demanding a payment in bitcoin. It is considered a network worm because it also includes a “transport” mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.
The software contained a URL that, when discovered and registered by a security researcher to track activity from infected machines, was found to act as a “kill switch” that shut down the software before it executed its payload, stopping the spread of the ransomware.
The network infection vector, EternalBlue, was released by the hacker group called The Shadow Brokers on 8 April 2017, along with other tools apparently leaked from Equation Group, which is widely believed to be part of the United States National Security Agency.
EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. This Windows vulnerability was not a zero-day flaw, but one for which Microsoft had released a “critical” advisory, along with a security patch to fix the vulnerability two months before, on 14 March 2017.
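The transport behaviour described above (one host sweeping many neighbours on the SMB port before exploiting them) is something a defender can spot in flow or firewall logs. The following is an added example, not code from the article or from any product it names: it parses a constructed flow log (timestamp, source, destination, destination port; the format, the addresses and the threshold/window values are all assumptions made for this illustration) and flags any source that reaches an unusually large number of distinct hosts on TCP 445 within a short window.

```python
import re
from collections import defaultdict

# Constructed sample flow log: "<epoch seconds> <src ip> <dst ip> <dst port>".
# 10.0.0.5 sweeps 25 neighbours on 445 in 25 seconds (worm-like); 10.0.0.7 and
# 10.0.0.9 are ordinary traffic. None of these addresses come from the article.
SAMPLE_LOG = "\n".join(
    [f"{1494680000 + i} 10.0.0.5 10.0.0.{100 + i} 445" for i in range(25)]
    + ["1494680010 10.0.0.7 10.0.0.20 445",
       "1494680011 10.0.0.7 10.0.0.21 445",
       "1494680012 10.0.0.7 10.0.0.20 139",
       "1494680030 10.0.0.9 8.8.8.8 53"]
)

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)


def find_smb_sweeps(text, threshold=20, window=60):
    """Return {src: peak distinct 445 targets} for sources that contact at least
    `threshold` distinct hosts on TCP 445 inside any `window`-second span.
    Both numbers are assumed tuning values, not figures from the article."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                 # sliding window needs time order
        start = 0
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:   # expire old events
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts
```

Feeding real firewall or NetFlow exports through this requires only adapting `LINE_RE` to the exporter's layout; the sliding window is what keeps slow, legitimate administration traffic from tripping the threshold.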
What is Wanna Decryptor?
Wanna Decryptor, also known as WannaCry or wcry, is a specific ransomware program that locks all the data on a computer system and leaves the user with only two files: instructions on what to do next and the Wanna Decryptor program itself.
When the software is opened it tells computer users that their files have been encrypted, and gives them a few days to pay up, warning that their files will otherwise be deleted. It demands payment in Bitcoin, gives instructions on how to buy it, and provides a Bitcoin address to send it to.
Most computer security companies have ransomware decryption tools that can bypass the software.
The ransomware campaign was unprecedented in scale according to Europol, which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.
Some of the more alarming estimates say ransomware infections are growing at a rate of 36 percent per year, with over 100 different strains of ransom virus currently active on the Internet. WannaCry is, by nearly universal acclamation, the largest ransomware heist ever recorded.
Some blame Microsoft for enabling this global ransomware attack with poor product design and for abandoning users running older versions of the Windows operating system. In particular, users of Windows XP, which Microsoft officially stopped supporting in 2014, were vulnerable to attack. The company provides very limited support to XP users who pay for special service, but no longer provides Windows XP patches to the general public. That means most of the world’s XP users had no idea they needed a security patch, and no way to get one if they were somehow aware of the WannaCry vulnerability.
Microsoft has said end users must take some responsibility for failing to install critical security patches. Some observers blame the slow rollout of security updates on corporate inertia – it can be difficult to get a large number of users in a network to install updates in a timely manner, let alone move an entire corporation or government agency to a new version of Windows. Also, some observers believe part of the problem is that a sizable number of users run illegal or pirated copies of Windows, and cannot easily obtain security updates.
The “Shadow Brokers” disclosed the NSA code used in WannaCry. Several weeks ago, a hacker group called the Shadow Brokers published a set of powerful malware tools purportedly stolen from the NSA, generating considerable excitement in the hacking community. Russian cybercriminals and Chinese hackers buzzed about the possibility of using these tools to create a super-powerful ransomware virus in mid-April.
How to protect yourself against ransomware attacks
The best protection against ransomware attacks is to have all files backed up in a completely separate system. This means that if you suffer an attack you won’t lose any information to the hackers.
It is difficult to prevent determined hackers from launching a ransomware attack, but exercising caution can help. Cyber attackers need to download the malicious software onto a computer, phone or other connected device.
The most common ways of installing the virus are through compromised emails and websites.
For example, hackers could send an employee a phishing email that looks like it comes from their boss asking them to open a link. But it actually links to a malicious website that surreptitiously downloads the virus onto their computer.
Good password security is also important for defense against ransom attacks. Users often rely on a single password that isn’t difficult for hackers to guess, used on many different websites. If one of those sites is compromised, hackers may begin attempting to hit other online accounts with variations on the same password.
None of the exploits reported below are, in fact, zero-days that work against supported Microsoft products. Readers should read this update for further details. What follows is the post as it was originally reported.
Facts to know.
- Attack Reach: More than 45,000 attacks across more than 100 countries, according to Kaspersky Lab. Also, Avast saw 57,000 infections in 99 countries — including major hits in Russia, Ukraine and Taiwan, Reuters said.
- Major Victims: FedEx, Britain’s National Health Service and the Russian Interior Ministry, according to multiple reports.
- U.S. Relatively Unscathed: Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, Symantec told Reuters. Consulting firms in the US, such as Compliancy Group, have reached out to VARs and MSPs to put them on alert about the attacks.
- The Security Hole: Hackers apparently exploited a Microsoft Windows flaw that was discovered earlier by the National Security Agency, The New York Times said.
- Ransomware Involved: It was a variant of WannaCry.
- The Microsoft Fix: Microsoft added detection and protection against Ransom:Win32.WannaCrypt, the company said today.
- Payment Demands: The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access, Reuters reported.
- Preventable Attack: If everyone just kept their boxes up to date we wouldn’t have the current viral conflagration, of course, but as usual that’s too much to ask, TechCrunch asserted.
- Curious Timing: The attacks arrived one day after President Trump signed a cybersecurity order that strives to lock down government systems.
- The Hackers: So far, their names are not known.
Kaspersky and Symantec both said on Monday that technical details within an early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81m heist on a Bangladeshi bank in 2016. Lazarus Group has also been known to use and target Bitcoin in its hacking operations. The similarities were first spotted by Google security researcher Neel Mehta and echoed by other researchers including Matthieu Suiche from UAE-based Comae Technologies.