Eight things you should know about WannaCryptTuesday, May 16, 2017
Catastrophic, global ransomware attack closes hospitals and disrupts enterprise - eight things you need to know...
It was on a Friday in early May, when reports began to surface of a ‘cyber attack’, which rapidly escalated across 74 countries, infecting hospitals, major enterprises including Fedex, rail stations, universities, at least one national telco and government departments. Soon claims of diverted A&E patients, closed hospitals and general meltdown attracted the attention of international media, and one of the biggest and most public malware incidents of recent years was firmly underway.
One of the main political footballs of the attacks have become the damage done to the UK’s NHS, with around 16 NHS organizations, including several hospital trusts such as NHS Mid-Essex CCG and East and North Hertfordshire, experiencing system downtime due to the payload, a ransomware installer dubbed WannaCrypt. Here’s eight things you need to know:
1)There was no specific ‘attack’ as some of the more sensationalist media report, rather a scattergun phishing campaign, but one which used a worm as part of the payload, leading to widespread infection.
2) The NHS may not even have been initially targeted, but the vulnerability the malware exploits is present in older, unpatched versions of Windows. The vulnerability is in Microsoft's SMB file-sharing services, a bug designated MS17-010, which was patched in modern versions of Windows in March. The NHS is mainly running XP, which is no longer supported by Microsoft, although the Redmond giant has rallied around and released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003. Microsoft’s full blogpost and mitigation links are here.
3) The ‘zero day’ exploit was patched weeks ago in fact, and was really a ‘zero day’ about two months ago. Originally an exploit developed by the NSA, dubbed ‘Eternal Blue’, the details of the then-zero day were leaked by the Shadow Brokers in Mid-April. As Ilia Kolochenko, CEO of web security firm, High-Tech Bridge said: “This incident exposes how a two-months old vulnerability can cause global panic and paralyze largest companies and governmental institutions on all continents. Worse, cybercriminals could easily release this worm just after the NSA's zeroday was leaked two months ago, and this would lead to much more destructive consequences.”
4)The reason the media hysteria feels a bit like the LoveBug/ILOVEYOU (c.2000) all over again is down to that worm element, working its way through internal networks. In fact, the malware combines several elements - two of the leaked NSA exploits, being Eternal Blue and Double Pulsar (a backdoor), which once successfully installed is used to download a ransomware package. If the Eternal Blue exploit fails, but the malware detects Double Pulsar is already present, it will use the backdoor to download the ransomware payload anyway.
5) There was a kill switch built into the original malware, like a plot from a 90’s cyber thriller, which was spotted and apparently accidentally activated by the owner of MalwareTechBlog, which initially halted the spread of the first strain. The researcher spotted a domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” in the reverse-engineered binary that he simply registered. Each new infected system attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However, if it succeeds, the malware exits. However, new variants without the kill switch have been rapidly created, probably by other actors keen to cash in.
6) The ransom for unlocking files was set pretty low by ransomware standards, at $300 of Bitcoin, but escalated if not paid, a relatively recent tactic to ratchet up the pressure on victims to pay up fast.
7) Estimates based on Bitcoin blockchain analysis (the method of paying the ransom) indicate that the hackers made approximately £12.5k from 70 transactions on one Bitcoin wallet alone before the original malware was stopped. Of course, the original attackers may have created a number of wallets to receive ransoms, so uncovering the total number is mainly guesswork.
8) AV giant Sophos was forced to row back from its original statement that "NHS is totally protected with Sophos" to the less committing "Sophos understands the security needs of the NHS" after the weekend’s events. The company tweeted a ‘how to prevent ransomware’ primer just hours before the attacks began.
Ilia Kolochenko summarised: “There is nothing new in this particular attack, and the main cause of the epidemic is our failure to adhere to cybersecurity fundamentals.
Many companies were infected because they failed to maintain a comprehensive inventory of their digital assets, and just forgot to patch some of their systems. Others omitted or unreasonably delayed security patches. Last, but not least, the malware's capacity of self-propagation leveraged the common lack of segregation and access control within corporate networks.
“Companies and organizations, having fallen victim to this attack, can consider contacting their legal departments to evaluate whether their IT contractors can be held liable for negligence and breach of duty. Failure to update production systems for over two months - can certainly qualify at least as carelessness in many jurisdictions.”