WannaCry
In this day and age where we've never been more attached to our gadgets and computers,
imagine if your laptop was literally held to ransom? That's the reality thousands of
individuals and corporations woke up to on the 12th of May 2017 when a global malware
campaign called WannaCry (also called WCry or Wannacryptor) began.
This malware is a ransomware variant, and its most notable victims include the United
Kingdom's National Health Service (NHS), Telefonica in Spain, Renault in France and
several Chinese universities. This article aims to set out the key details of this rapidly
growing malware threat and how to protect your computers from it.
How does WannaCry Operate?
Most malware attacks target security vulnerabilities in computers and operating
systems, and this one is no different. This campaign exploits vulnerabilities in
Microsoft's SMB network file-sharing protocol. Although an update addressing these
vulnerabilities had been released well before the outbreak, computers that have not yet
installed it remain vulnerable to attack.
Back in April 2017, several exploitation tools, including Fuzzbunch, were released by an
online group called the Shadow Brokers. This framework contained several exploits
specific to the Windows operating system, such as EternalBlue and DoublePulsar. But
how do these tools relate to this attack? DoublePulsar is a backdoor exploit that, once
installed, is very effective for distributing malware, sending out spam and launching
attacks.
WannaCry attacks appear to be carried out using Fuzzbunch's modules. More
information about these tools and modules can be found in Radware's security
notification.
What does this Malware Attack do?
WannaCry is quite innovative in the way it gains access to a computer's network and then
automatically spreads to other computers on that network. This is unlike earlier
ransomware, which attempted to infect as many computers as possible
simultaneously. To execute successfully, the malware goes through the following
stages.
• Propagation: WCry scans for computers with port 445 open, uses the EternalBlue
exploit to gain access, and then deploys the malware through the DoublePulsar backdoor.
It then searches for nearby computers with the same vulnerability, repeating the cycle.
• Encryption: the computer's files are encrypted during the initial stage of the
infection, before any communication is sent out.
• Communication (Tor): Tor is embedded within the ransomware, so no additional
executable files need to be downloaded. This channel is used to share encryption keys
with the C2 server.
• Spreading: after successful execution on one computer and a check of the kill-switch
domain, the malware launches another executable that scans the IP addresses on
the network to find more vulnerable devices.
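The propagation and spreading stages above have a visible network signature: one host opening connections to many distinct internal addresses on TCP/445 within a short window. The following detection script is an added example, not code from the article or from Radware; it parses constructed firewall log lines in an assumed syslog-style format, and the threshold and window are illustrative values, not figures from the article.

```python
"""
Added example (not from the article): flag hosts that show WannaCry-style
SMB scanning, i.e. one source contacting many distinct hosts on TCP/445
in a short window. The log format, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed format:
# "<ISO timestamp> ALLOW|DENY <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 ALLOW 10.0.0.5 10.0.0.20 445 tcp
2017-05-12T10:00:01 ALLOW 10.0.0.5 10.0.0.21 445 tcp
2017-05-12T10:00:02 DENY  10.0.0.5 10.0.0.22 445 tcp
2017-05-12T10:00:02 ALLOW 10.0.0.5 10.0.0.23 445 tcp
2017-05-12T10:00:03 ALLOW 10.0.0.5 10.0.0.24 445 tcp
2017-05-12T10:00:03 DENY  10.0.0.5 10.0.0.25 445 tcp
2017-05-12T10:00:04 ALLOW 10.0.0.5 10.0.0.26 445 tcp
2017-05-12T10:00:05 ALLOW 10.0.0.5 10.0.0.27 445 tcp
2017-05-12T10:00:05 ALLOW 10.0.0.5 10.0.0.28 445 tcp
2017-05-12T10:00:06 ALLOW 10.0.0.5 10.0.0.29 445 tcp
2017-05-12T10:00:06 ALLOW 10.0.0.5 10.0.0.30 445 tcp
2017-05-12T10:00:07 ALLOW 10.0.0.9 10.0.0.50 445 tcp
2017-05-12T10:00:08 ALLOW 10.0.0.9 10.0.0.50 445 tcp
2017-05-12T10:00:09 ALLOW 10.0.0.9 10.0.0.51 443 tcp
2017-05-12T10:30:00 ALLOW 10.0.0.5 10.0.0.40 445 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, action, src, dst, port, proto)."""
    ts, action, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(port), proto


def find_smb_scanners(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: max_distinct_445_targets} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 within any
    sliding window of length `window`. DENY events count as well as ALLOW:
    a scanner probes hosts whether or not the connection succeeds, and a
    normal file-server client talks to a handful of hosts, not dozens."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port == 445:
            events[src].append((ts, dst))

    flagged = {}
    for src, items in events.items():
        items.sort()  # sort by timestamp
        start = 0
        for end in range(len(items)):
            # advance the window start until it fits within `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            targets = {dst for _, dst in items[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct hosts on TCP/445 within 5 minutes")
```

In the constructed sample, 10.0.0.5 touches eleven distinct hosts on port 445 in six seconds and is flagged, while 10.0.0.9 repeatedly talks to a single file server and is not. The same logic applied to real firewall or NetFlow data would point at the host that needs to be isolated from the network while the propagation stage is under way.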
Can this Attack be stopped?
As with all ransomware, this one has been designed to extort its victims: the price of
regaining access to the computer is $300, which victims are instructed to pay in
Bitcoin. Whilst some victims have gone on to pay, there is no record of anyone who has
successfully removed the malware from their system by making payment.
However, when these recent attacks began, a U.K.-based security researcher
(@MalwareTechBlog) stumbled upon a kill switch that stops the spread of certain
WannaCry campaigns. When a system is infected, the malware sends an HTTP
GET request to a hardcoded domain, which is usually unregistered. If the request fails, the
malware proceeds to infect other computers on the network; if the HTTP GET request
successfully connects to the domain, WannaCrypt exits and deploys no further attacks.
Having identified the kill-switch domain, the researcher quickly registered it and
pointed it at a sinkhole, bringing this variant of the ransomware to a halt. The
following kill switches have been discovered so far.
• ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@msuiche)
• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@MalwareTechBlog)
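Because the kill-switch check runs on every infected machine, a lookup of one of these domains in your own DNS logs is a reliable sign that the host is running the malware, regardless of whether the request then succeeds. The script below is an added example, not code from the article or from the researchers credited above: it searches constructed resolver log lines (an assumed BIND-style query-log format) for the two domains listed, and separately checks that neither domain has ended up on a DNS blocklist, since it is the successful connection that makes the malware exit.

```python
"""
Added example (not from the article): find hosts that queried a WannaCry
kill-switch domain, and check a blocklist does not contain those domains.
The resolver log format is an assumption; the domains are from the article.
"""
import re

# The two kill-switch domains named in the article, undefanged for matching.
KILL_SWITCH_DOMAINS = {
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed resolver log lines in an assumed BIND-like query-log format:
# "<date> <time> client <ip>#<port>: query: <name> IN <type> <flags>"
SAMPLE_DNS_LOG = """\
12-May-2017 10:01:12.001 client 10.0.0.5#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +
12-May-2017 10:01:15.221 client 10.0.0.7#40211: query: www.example.com IN A +
12-May-2017 10:02:03.110 client 10.0.0.12#60001: query: ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. IN A +
12-May-2017 10:02:40.900 client 10.0.0.5#51240: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM IN A +
12-May-2017 10:03:01.000 client 10.0.0.8#50002: query: update.example.org IN AAAA +
"""

QUERY_RE = re.compile(
    r"^(?P<date>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case the name and strip a trailing dot so FQDN variants compare equal."""
    return name.lower().rstrip(".")


def find_kill_switch_lookups(log_text):
    """Return {client_ip: [timestamps]} for every client that queried one of
    the kill-switch domains. Each such client should be treated as infected
    and isolated; the query itself is made before the spreading stage."""
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        if normalise(m.group("name")) in KILL_SWITCH_DOMAINS:
            hits.setdefault(m.group("ip"), []).append(m.group("date"))
    return hits


def kill_switch_on_blocklist(blocklist):
    """Return the kill-switch domains present in a DNS blocklist. A blocked
    kill switch makes the HTTP GET fail, which is exactly the condition under
    which the malware continues to encrypt and spread, so any hit here is a
    misconfiguration to fix."""
    return {normalise(d) for d in blocklist} & KILL_SWITCH_DOMAINS


if __name__ == "__main__":
    for ip, times in find_kill_switch_lookups(SAMPLE_DNS_LOG).items():
        print(f"{ip} queried a kill-switch domain at: {', '.join(times)}")
    # Constructed blocklist for illustration only.
    bad = kill_switch_on_blocklist(["ads.example.net", "IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM."])
    if bad:
        print("Remove from blocklist:", ", ".join(sorted(bad)))
```

In the constructed log, 10.0.0.5 and 10.0.0.12 each looked up a kill-switch domain (once with a trailing dot, once in upper case, which the normalisation handles) and would be reported as infected. The blocklist check reflects the article's own description of the mechanism: the malware only stands down when the request succeeds, so the domains must remain resolvable and reachable from inside the network.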
Tips for Staying Safe and Preventing this Attack
The best way of preventing virus and malware attacks is usually to keep systems up to
date with the latest OS and software releases, so that computers run with the most
current security programs and settings. The following are the main ways of preventing
this attack and keeping computers and networks safe.
• Tip 1 - Install the following security updates: CVE-, CVE-,
CVE-, CVE-, CVE- and CVE-.
• Tip 2 - Disable Tor Communications to and from your computer.
• Tip 3 - Consider blocking port 445 for external communications on your network.
More preventive steps can be found in Radware Security's May 2017 publication.
What does the future hold?
Just like computer viruses, ransomware attacks are likely to keep springing up, and
regardless of their origin or intent it is always best to prevent them before they occur.
Following the above steps is likely to reduce the chances of being successfully
attacked by this malware.
Going forward, security companies are expected to find better means of
keeping computers and networks protected, whilst OS manufacturers may find
better ways of pushing vital security updates out to their users.
Are you affected?
If you have been directly affected by this attack, you may need to contact a security
company to help you find a resolution. Paying the ransom is never advisable, as it is no
guarantee of a fix; so whatever you do, be IT smart.