#wanncry has been big news over the weekend so I thought I would note down what #wannacry is and my thoughts on this.
The wannacry was a global ransomware attack but not like we have seen before, yes it delivered a ransomware payload but the way it delivered this required no input or mistakes from end users such as clicking an email, link etc.
Wannacry encrypted end users files with the extension .WCRY and locked users out of their files, this results in a pop up screen in a HTML such as the one at the header of this blog, with a timer requesting that users pay a $600 bitcoin payment in to a wallet which then will use bitcoin mixing to mask the identity and not raise suspicions with wallets with a large amount of coins.
What stands out for me with this was two things 1) the delivery mechanism 2) the scale of this attack. Lets take scale first
- Scale, this was a global attack and unlike we have seen before it even targeted Russia where commonly ransomware will check its configuration file not to attack certain countries. It also surfaced in major organisations such as FedEx, NHS, Telefonica, Renault, Deutsche Bahn, Nissan and the list is growing. Since this went public on the 12th May reports are still coming in on this. All in all 200,000 attacks in 150 countries were affected by this ransomware, which is an attack I certainly have not seen on this scale before. To put this in to context Cerber-6 which was prolific at the end of 2016 and start of 2017 was averaging around 56,000 attacks a month, so the scale is huge in such a short time.
- What is notable about this attack was the way it was delivered. It is initiated through an SMBv2 remote code execution in Microsoft Windows (Windows XP through to Windows server 2012), this was a vulnerability (MS-17-010) named “Eternal Blue” which was patched by Microsoft on the 14th of April 2017. The attack centered on organisations who had not patched this vulnerability and an exploit kit took advantage of this. Unlike previous remote access I have seen such as ransom.sam.sam Wannacry was automated, it not only infected that end user terminal but sought to seek across their networks and infect as much as possible. It delivered this by exploiting exposed SMB services from Windows computers and deploying its MEM:Trojan. Due to this vulnerability flaw it allowed an automated entry to huge amounts of computers and their networks hence the scale of the attack. It is this that stands out for me, normally ransomware is initiated by a user un-knowingly and the result while devastating is usually confined to one company at a time who were the unfortunate victim of a malware / exploit kit sent out via many of the large botnets such as Necurus. Once the Trojan is on the network it can spread and begin encrypting files, as we have seen from most ransomware such as Cerber-6 ransomware is becoming more sophisticated, it can detect sandbox & virtual environments, wannacry was no exception with the list of files it can encrypt including
- Commonly used office extensions (.ppt, .doc, .docx, .xlsx)
- Archive files, media (.zip, .tar, .rar, .bz2, .mp4 .mkv)
- Emails and databases (.eml, .msg, .ost, .pst, .edb, .sql, .mdb, .dbf, .odb, .myd)
- Dev source code (.php, .java, .cpp, .pas, .asm)
- Encryption keys and certificates .key, .pfx, .pem, .p12, .csr .aes.)
- Virtual machine files (.vmx, .vmdk, .vdi)
Due to the sheer scale of this attack and the fact it was automated through a vulnerability in SMBv2, over the weekend we have seen many companies shutting down services and taking measures to ensure they are not infected. For reference the Microsoft patch is MS17-010.
As common with most ransomware (Cerber-6 aside) it communicates to a Command & Control server hidden on the TOR network to get encryption keys and begin the process of encryption. Again as we have seen in sophisticated ransomware attacks it can bypass Windows UAC, delete VSS copies, and uses Mutex in explorer.exe to spawn several threads so it can execute quicker. Although it has not been stated the Strings and API’s ransomware uses are often called from an encrypted line in the code so any security technology does not pick them up.
“I will do an indepth post on Cerber-6 to demo the sophistication of ransomware today”
As of now companies will be going through their security tools and understanding what has been infected, what has the potential to be infected, patching the SMBv2 vulnerability and recovering from backup, it does not show a sign of slowing down, even at the time of writing more attacks have been confirmed.
So who was responsible for this? Given that the calculated return on this attack has ONLY generated $40,000 over 1.3 million infected machines it would state to me that this attack has not been as profitable as once imagined. Yes it caused worldwide crisis and pressure on governments and NSA, but that may have been what was intended? I cannot help but think, if money was the priority here then smaller focused attacks would have been more profitable.
Certainly from this I think this is a huge wake up call to companies to review how they patch, protect, limit & recover data from the spread of such viruses in their environments. Since I have been speaking, writing about ransomware over the last 2 years it has always been an end user or fairly isolated case where ransomware attacked, this global scale attack to me looks like a demonstration of what can be done, especially now RaaS (Ransomware as a service) is so freely available (60% profits for distributors) the developer community among hacking groups for this can push out 1000’s of variants each designed to thwart a companies defenses.
Kaspersky, Symantec, Malwarebytes and Sophos will be busy writing up their security labs analysis of this code, and this is a great place to start understanding what this code can do and factor in how you can prevent this.
Thanks for reading, please share, like & comment, all facts are up to date as of today, given the evolving nature of this I expect them to change and more revelations of how it works to come out, I will re-post as I see these.