Sunday, May 14, 2017

Massive Ransomware Cyberattack

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting Microsoft Windows. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin, with ransom notes in 28 languages. The attack spreads by multiple methods, including phishing emails and, on unpatched systems, as a computer worm. The attack has been described by Europol as unprecedented in scale.

[Map: Countries initially affected]
The attack affected Telefónica and several other large companies in Spain, as well as parts of Britain's National Health Service (NHS), FedEx, Deutsche Bahn and LATAM Airlines. Other targets in at least 99 countries were also reported to have been attacked around the same time.

WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems. Although a patch removing the underlying vulnerability for supported systems (Windows Vista and later) had been issued on 14 March 2017, delays in applying security updates and Microsoft's lack of support for legacy versions of Windows left many users vulnerable. Because of the scale of the attack, and in an effort to deal with unsupported Windows systems and contain the spread of the ransomware, Microsoft took the unusual step of releasing updates for all older unsupported operating systems from Windows XP onwards.

Shortly after the attack began, a researcher found an effective kill switch, which prevented many new infections and allowed time to patch systems. This greatly slowed the spread. The kill switch is not a protection that defenders can rely on, however: the malware tests it with a direct HTTP request, so hosts that cannot resolve or reach the domain directly (for example, machines that can only reach the Internet through a proxy, or isolated networks) fail the check and are encrypted anyway. It was later reported that new versions lacking the kill switch had been detected. Computer security experts also warned of a second wave of the attack due to such variants and the beginning of the new workweek.

Background

The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, believed to be part of the United States National Security Agency.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, specifically SMBv1; Microsoft addressed it in Security Bulletin MS17-010 (the EternalBlue flaw is CVE-2017-0144). Microsoft had released the "Critical" advisory, along with an update patch to plug the vulnerability, a month before, on 14 March 2017. This patch fixed several workstation versions of the Microsoft Windows operating system, including Windows Vista and Windows 8.1, as well as server and embedded versions such as Windows Server 2008 and Windows Embedded POSReady 2009 respectively, but not the older Windows XP, according to Microsoft.

Starting from 21 April 2017, security researchers began reporting that tens of thousands of computers had the DOUBLEPULSAR backdoor installed. By 25 April, estimates of the number of infected computers ranged from 55,000 to nearly 200,000, and the count was growing every day.

Attack

On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the "kill switch" domain name. If the domain does not respond, the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread to random computers on the Internet, and "laterally" to computers on the same local area network (LAN). As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin, rising to $600 if it is not paid within three days, with the threat that the files will be lost after seven days.
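The two behaviours described above, the kill-switch lookup and the worm's fan-out over TCP/445 to the LAN and to random Internet addresses, are what an analyst would hunt for in DNS and connection telemetry. The following Python script is an added example and not code from the original post: it runs over constructed log lines embedded in the block, flags any host that queried the kill-switch domain (the name registered by the researcher during the original outbreak; later variants use other names, so the set is configurable), and flags any host that contacted an unusual number of distinct SMB peers within a short window. The line format, the local address ranges, the one-minute window and the threshold of 20 peers are assumptions to adapt to your own environment.

```python
"""Triage constructed DNS/connection logs for WannaCry-style behaviour.

Two indicators are checked:
  1. A DNS query for a known kill-switch domain (the malware ran on that host).
  2. Outbound TCP/445 fan-out to many distinct peers in a short window
     (the worm component scanning the LAN and random Internet addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Domain checked by the original sample; variants used other names, so keep a set.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}
SMB_PORT = 445
FANOUT_THRESHOLD = 20            # assumed: distinct SMB peers per WINDOW that is worm-like
WINDOW = timedelta(seconds=60)   # assumed sliding window
# Assumed address ranges owned by the organisation; anything else counts as Internet.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def build_sample_log():
    """Constructed telemetry, not real logs. One event per line:
    <ISO time> <src_ip> dns <name>   or   <ISO time> <src_ip> conn <dst_ip>:<dst_port>
    """
    t0 = datetime(2017, 5, 12, 8, 0, 0)
    lines = []
    # 10.0.0.7 is a normal workstation talking to a single file server: no fan-out.
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.0.7 conn 10.0.0.2:445")
    # 10.0.0.5 behaves like the worm: 25 distinct peers on 445 in under a minute,
    # alternating between the local /24 and random-looking public addresses
    # (203.0.113.0/24 is a documentation range, used here as a stand-in for the Internet).
    for i in range(25):
        dst = f"10.0.0.{100 + i}" if i % 2 == 0 else f"203.0.113.{i}"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 conn {dst}:445")
    # 10.0.0.9 ran the dropper: its first action was resolving the kill-switch name.
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 10.0.0.9 dns "
                 "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com")
    lines.append(f"{(t0 + timedelta(seconds=6)).isoformat()} 10.0.0.9 dns update.example.com")
    return "\n".join(lines)


def parse(text):
    """Turn the line format above into (timestamp, src, kind, value) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, value = line.split()
        events.append((datetime.fromisoformat(ts), src, kind, value))
    return events


def killswitch_lookups(events):
    """Hosts that queried a kill-switch domain; a hit means the payload executed there,
    whether or not the lookup later succeeded."""
    return sorted({src for _, src, kind, v in events
                   if kind == "dns" and v.lower().rstrip(".") in KILL_SWITCH_DOMAINS})


def is_local(addr):
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS)


def smb_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Per source host, the largest set of distinct TCP/445 peers seen inside any
    `window`-long interval; sources at or above `threshold` are returned."""
    per_src = defaultdict(list)
    for ts, src, kind, value in events:
        if kind != "conn":
            continue
        dst, port = value.rsplit(":", 1)
        if int(port) == SMB_PORT:
            per_src[src].append((ts, dst))
    hits = {}
    for src, conns in per_src.items():
        conns.sort()
        best = set()
        for i, (t_start, _) in enumerate(conns):          # slide the window over sorted events
            peers = {dst for ts, dst in conns[i:] if ts - t_start <= window}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            lan = sum(1 for d in best if is_local(d))
            hits[src] = {"distinct_peers": len(best), "lan": lan, "internet": len(best) - lan}
    return hits


def analyze(text):
    events = parse(text)
    return {"kill_switch_hosts": killswitch_lookups(events), "smb_fanout": smb_fanout(events)}


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value)
```

The fan-out rule keys on distinct destinations rather than connection count, which is why the workstation hammering one file server is not flagged while the worm host is; the LAN/Internet split in the result tells the responder whether the host was also scanning outward, which matters when deciding how widely to look for further victims.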

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made a security patch available on 14 March 2017, nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows. Organizations that had not applied this patch were affected for that reason, although there is so far no evidence that any were specifically targeted by the ransomware developers. Any organization still running the older Windows XP was at particularly high risk because, until 13 May, no security patches had been released for it since April 2014. Following the attack, Microsoft released a security patch for Windows XP.

According to Wired, affected systems will also have the DOUBLEPULSAR backdoor installed; this will also need to be removed when systems are restored, since decrypting files alone leaves the host open to re-entry.
