WannaCry, Wanna Decryptor, WannaCrypt – whatever it’s referred to, the ransomware involved in the recent NHS computer hack is, by and large, the same bitcoin-demanding beast. Here we explain everything we know about the worm that caused global chaos.
WannaCry is a so-called encryption-based ransomware also known as Wanna Decryptor or WCRY, Travis Farral, director of security strategy for Anomali told WIRED.
Live tracker reveals how much NHS hackers are making from their ransomware demands
It encrypts users files using AES and RSA encryption ciphers meaning the hackers can directly decrypt system files using a unique decryption key.
In previous WannaCry ransomware attacks, victims have been sent ransom notes with “instructions” in the form of !Please Read Me!.txt files, linking to ways of contacting the hackers. WannaCry changes the computer’s wallpaper with messages asking the victim to download the ransomware from Dropbox before demanding hundreds in bitcoin to work.
Put more simply, once inside the system WannaCry ransomware creates encrypted copies of specific file types before deleting the originals, leaving the victims with the encrypted copies, which can’t be accessed without a decryption key. WannaCry additionally increases the ransom amount, and threatens loss of data, at a predetermined time, creating a sense of urgency and greatly improving the chances victims will pay the ransom.
It is unclear how the WannaCry ransomware infected the NHS systems, but it can spread through phishing emails or via a website containing a malicious program. Security experts involved in the NHS computer hack have scanned email networks of those trusts affected and found no evidence of a spear phishing campaign.
Instead, researchers from various security firms including Avast, Proofpoint and Symantec said WannaCry most likely spread via an exploit used by the Equation Group – a group widely suspected of being tied to the NSA.
How is the NSA involved?
For several months, the Shadow Brokers hacking group, which obtained files from the NSA, has been releasing parts of the agency’s hacking tools.
As well as the WannaCry ransomware being seen in the UK, it has appeared in hundreds of countries around the world. CCN-CERT, the Spanish computer emergency response organisation, issued an alert saying it had seen a “massive attack of ransomware” from WannaCry.
The vulnerability (MS17-010) is linked to Microsoft machines and can affect Windows Vista, 7, 8, 10, XP and versions of the Windows Server software. Microsoft initially announced the vulnerability on March 14 and recommended users patch their devices.
Has Microsoft fixed the latest problem?
Microsoft fixed MS17-010 in its March release but it is likely organisations affected did not patch their devices before the spread of the malware.
Hacking the hackers: everything you need to know about Shadow Brokers’ attack on the NSA
As reported by Ars Technica, and other organisations, MS17-010, also known as “EternalBlue,” was linked to the Shadowbrokers group.
Following the global attack, Microsoft took the unusual step of issuing a fix for versions of Windows it had previously “retired”; those no longer supported by the company. This included Windows XP. Windows XP is still in use on PCs, including many used by the NHS, leaving users exposed. Anyone using Windows XP should update their system to the latest version as soon as possible.
In a statement, Microsoft’s president and chief legal officer Brad Smith said this attack “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he continued. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action.”
How did the WannaCry ransomware spread?
The analysis from Proofpoint, Symantec and Kaspersky found evidence that seemingly confirmed the WannaCry ransomware was spread via Microsoft’s SMB flaw. This system is used to share files between computers typically on closed networks but can be exploited if one computer is connected to a public network. Malwarebytes has a detailed technical analysis of how the WannaCry ransomware typically spreads.
Is there a way to stop its spread?
Despite the global spread of WannaCry, there has been an ‘accidental’ slow down in the continued amount of infections. Within the malware’s code is a long URL that effectively acts as a ‘kill switch’. Security researcher Marcus Hutchins, who posts on Twitter under @malwaretechblog, discovered the domain name when inspecting the malware’s code and registered it with internet services.
During its execution, the malicious code would look up the domain name and only continue to work if it wasn’t live; once the domain name was activated and detected by Wanna Decryptor it would stop spreading. The researcher behind the discovery said he was not certain at the time that buying the domain name would slow the spread.
While the registering of the domain name was too late for those who have already been infected with the malware but the activation of the kill switch helped to slow its spread. There is, however, the possibility that different variants of the malware (with different kill switches) exist or could further be developed by attackers.
Getting your files back
At last year’s WIRED Security conference, negotiator Moty Cristal explained ransomware can be easily bought on the darknet, which makes these kinds of attacks common: according to security firm Malwarebytes, 40 per cent of companies worldwide have been targeted by it as of August 2016.
When ransomware is involved, Cristal said, “managing the human factor is key to overcoming a cyber crisis.”
“[Hackers] are serious, professional people with a criminal code of ethics”. This means negotiations are key to getting files back. “60 per cent of negotiation failures can be attributed to the gap between the negotiator and the decision maker,” continued Cristal.
“On the bright side, it’s easy to protect yourself: when you have a very structured discipline of data backup it’s easy to deal with ransomware.” Otherwise, paying is often the only way out. Ransomware criminals tend to de-encrypt data after payments; still, that comes at a cost. “If you pay, you’ll enter a sort of blacklist of people who pay and can be targeted again,” said Cristal, “The thought process is that once you pay you’ll always pay.”
More recently, Cristal wrote that the NHS hack wasn’t about making money. It was about disgruntled hackers making a point, whether that’s for political reasons or for other, unknown grievances.
How to protect yourself from WannaCry ransomware?
Avast said it detects all known versions of WanaCrypt0r 2.0, as do other anti-virus software.
Viruses, trojans, malware, worms – what’s the difference?
The safest way to protect yourself is to avoid clicking links from unknown sources. Security experts have strongly recommended all Windows users fully update their system with the latest available patches.
“It is critical you install all available OS updates to prevent getting exploited by the MS17-010 vulnerability,” added Malwarebytes. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks.
Additionally, any systems affected by this attack will have DOUBLEPULSAR installed and this will need to be removed. Certain anti-virus software, including Malwarebytes, are protected from this backdoor but script is also available that can remotely detect and remove it.
It is also possible to disable the SMB1 file protocol, which the worm within the malware was using to spread across networks.
Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London in on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity. Join us at King’s Place by booking your tickets today.