The WannaCry / Wcry / WannaCrypt attack
Six months ago I had a talk with Fabio Viggiani about the development of ransomware and we made an educated guess about the next big type of ransomware attack to be CRYPTOWORMS!
The last few days many of us witnessed how a major ransomware attack affected organizations across the world. Telefonica in Spain, the National Health Service in the UK and FedEx in the US are some to mention among many, many more. The ransomware variant responsible for this attack was reported to be ‘WannaCry’.
The malware has the ability to spread to other systems by scanning for and attacking the Server Message Block (SMB) protocol, resulting in worm behavior. Once the malware has a foothold on a system it uses different techniques to persist on that host. WannaCry appeared to primarily use the ETERNALBLUE module for the initial exploitation of the SMB vulnerability addressed in Microsoft Security Bulletin MS17-010. If successful, it then used the DOUBLEPULSAR backdoor to install the ransomware.
The domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, a “random” human-typed address consisting primarily of keys from the top row of the keyboard, was observed in the malware code as a kill switch. If the malware could establish communication with that domain it would stop, but because the domain wasn’t registered, it continued to execute. A researcher worked out what was going on, simply registered the domain name and activated the kill switch!
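The kill switch is also a detection signal: any host that tried to resolve that domain was running the malware, and after the domain was sinkholed such hosts stop encrypting but remain infected. The script below is an added example, not code from the original post, that hunts for that lookup on one or more Windows hosts. It assumes the hosts are reachable over WinRM (Invoke-Command), and the event-log part assumes Sysmon is installed with DNS query logging (Event ID 22) enabled; the DNS client cache check works without any agent.

```powershell
# Added example (not from the original post): find hosts that attempted to
# resolve the WannaCry kill-switch domain named in the post.
# Assumes WinRM access to the targets; the Sysmon source is optional.
$KillSwitch = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Find-KillSwitchLookup {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ScriptBlock {
            $domain = $using:KillSwitch
            $since  = $using:Since

            # Source 1: the local DNS client cache. A hit means this box
            # resolved the domain recently (cache entries expire with the TTL).
            Get-DnsClientCache -ErrorAction SilentlyContinue |
                Where-Object { $_.Entry -like "*$domain*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Host   = $env:COMPUTERNAME
                        Source = 'DnsClientCache'
                        Time   = Get-Date
                        Detail = "$($_.Entry) -> $($_.Data)"
                    }
                }

            # Source 2: Sysmon Event ID 22 (DnsQuery), which records the
            # querying process, so you also learn which binary made the lookup.
            $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = $since }
            Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [xml]$x = $_.ToXml()
                    $data   = $x.Event.EventData.Data
                    $query  = ($data | Where-Object Name -eq 'QueryName').'#text'
                    $image  = ($data | Where-Object Name -eq 'Image').'#text'
                    if ($query -like "*$domain*") {
                        [pscustomobject]@{
                            Host   = $env:COMPUTERNAME
                            Source = 'Sysmon-22'
                            Time   = $_.TimeCreated
                            Detail = "$image queried $query"
                        }
                    }
                }
        } | Select-Object Host, Source, Time, Detail
    }
}

# Usage: list the hosts you want to sweep; every row returned is an infected
# host that needs to be isolated and rebuilt, not just "patched".
Find-KillSwitchLookup -ComputerName $env:COMPUTERNAME | Format-Table -AutoSize
```

If your DNS servers keep query logs, the same domain string is the thing to search for there, which covers hosts you cannot reach over WinRM.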
In this particular case, the foremost reason for the success of “WannaCry” was because many didn’t upgrade or patch things. Reports started talking about the malware hitting machines as old as Windows XP and Windows 2003! Once infected other problems started to appear. Many affected individuals and organisations had no proper backups to recover from the ransomware.
At this point many affected entities are in the clean-up phase of the “WannaCry” story. Vendors and security professionals are helping out with patches, signatures, detection tools, removal tools, damage assessment and recommendations. The bigger lesson remains that we need to reinforce proper security focus and measures such as:
- Keep systems current and supported
- Apply and verify patches early
- Establish robust backups and recovery procedures
- Lock down and harden machines
- Enforce least privilege and protect administrative privileges
- Don’t open suspicious emails or attachments
- Restrict access to network resources
- Block unnecessary ports and implement host-based firewalls
- Enhance your ability to detect attacks
- Ensure you have the tools to perform incident response
- Establish strategies to inform users
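Three of the recommendations above map directly onto the spread mechanism described earlier (SMB exploited via ETERNALBLUE on hosts missing MS17-010): apply and verify the patch, disable the SMBv1 protocol the exploit targets, and block unsolicited inbound port 445 with the host firewall. The script below is an added example, not code from the original post or from the Road Trip class, that audits a host for those three controls and optionally enforces them. Assumptions: it runs elevated on Windows 8.1 / Server 2012 R2 or later (for the Smb* and NetFirewall cmdlets), and the KB list must be completed from the MS17-010 bulletin for every OS you manage; the three IDs shown are only assumed examples.

```powershell
# Added example (not from the original post): audit one Windows host for the
# controls that stop WannaCry-style SMB spread, and enforce them on request.
# Assumption: $Ms17010Kbs is completed from the MS17-010 bulletin for your OSes.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')  # assumed examples only
$RuleName   = 'Block inbound SMB (TCP 445)'

function Test-Ms17010Patch {
    # Returns the matching hotfix IDs. Caveat: on Windows 10 the fix ships in a
    # cumulative update that later cumulatives supersede, so an empty result
    # there is not proof of exposure; check the OS build instead.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Get-Smb1State {
    # SMBv1 is the dialect ETERNALBLUE abuses; it should be off unless a
    # legacy device genuinely still needs it.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Invoke-SmbHardening {
    param([switch]$Enforce)

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $report = [ordered]@{
        Host           = $env:COMPUTERNAME
        Ms17010Hotfix  = (Test-Ms17010Patch) -join ','
        Smb1Enabled    = Get-Smb1State
        Port445Blocked = [bool]$rule
    }

    if ($Enforce) {
        if ($report.Smb1Enabled) {
            # Turns off the SMBv1 server side; removing the feature entirely
            # (Disable-WindowsOptionalFeature -FeatureName SMB1Protocol) is stricter.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $report.Smb1Enabled = Get-Smb1State
        }
        if (-not $rule) {
            # Scoped to the Public profile so domain file servers keep serving
            # their own segment; widen with -Profile Any on pure workstations.
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
                -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
            $report.Port445Blocked = $true
        }
    }
    [pscustomobject]$report
}

# Audit only by default; add -Enforce to apply the changes.
Invoke-SmbHardening | Format-List
```

Run it in audit mode first across a fleet (for example via Invoke-Command) and treat any host with an empty Ms17010Hotfix column and Smb1Enabled set to True as the first candidates for patching; the firewall rule buys time on machines that cannot be patched immediately, which is exactly the Windows XP and 2003 population the post mentions.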
These recommendations and many more discussions and security features and strategies are discussed as part of my Windows Cyber Security Road Trip. The class offers a detailed description and demonstrations of current risks and how to mitigate these risks using modern tools, features and strategies in the most current versions of Windows 10 and Windows Server 2016.