By now you may have heard about the WannaCry/WannaCrypt ransomware attacks plaguing Windows users across Europe. Ransomware is usually not a huge problem, but this week’s attack affected a number of vital institutions across Europe including hospitals, car manufacturers, airlines, telecom giants, and even energy companies.
This quickly turned into a huge problem for many, but how did it spread so quickly? Unlike common phishing techniques that redirect users to phishing sites via fraudulent links or emails, the WannaCry ransomware program took advantage of an exploit in various versions of Microsoft Windows.
How it works
WannaCry/WannaCrypt/WanaCrypt0r 2.0/Wanna Decryptor actually uses a leaked NSA hacking tool called DoublePulsar (part of the EternalBlue exploit), which exploits a vulnerability in Microsoft’s file sharing protocol Server Message Block (SMB). SMB is enabled by default on all Windows machines, making it an easy protocol for mass attacks.
The hackers search for servers running unpatched versions of SMBv1 and use the DoublePulsar injection tool to open up a backdoor to deliver the WannaCry program. Oddly enough, Microsoft issued a fix (MS17-010) for this on March 14th, exactly two months ago.
However, systems running Windows XP, Windows 2003, and Windows 8 (not 8.1) initially did not benefit from this patch as they are no longer supported by Microsoft, but a patch was issued for these systems a few days ago to help curb the fast spread of WannaCry.
While many may have an issue with Windows 10 and its forced updates, this is one time we can say it definitely paid off.
Once the WannaCry script gets through the backdoor, it runs a program called tasksche.exe and scans the system for as many connected hard drives, removable disk drives, and network drives as it can find, in an effort to encrypt as many files as possible with a 2048-bit RSA encryption key. WannaCry also attempts to automatically spread itself to as many vulnerable networks and machines as possible.
Besides targeting new networks, it also tries to spread itself across LANs, and given that it’s using SMB to do so, firewalls are pretty much useless as it already has its foot inside the door.
The first versions of WannaCry contained a “killswitch”, which was basically a randomly typed domain that the program looked up. If the domain resolved, the program would simply exit, but if it could not find the domain, it would then execute its encryption directives.
Once the program reached the encryption stage, it would let users know that their data was encrypted, and that they would have to fork over $300 within 3 days to decrypt it. Should they fail to do so, the figure would double to $600. From then, they would have one more week to pay up or face the risk of their data being deleted.
Users would have to pay via one of at least 3 Bitcoin wallets to have their files released. In total, the hackers have already received about $33,000 in funds from users attacked by the ransomware.
It should be noted that paying for decryption will not result in the removal of the DoublePulsar backdoor, meaning that the same exploit could be taken advantage of in a different form in the future.
It was discovered that the killswitch was just an unregistered domain name (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that was randomly typed and hard-coded in plain text within the code. The domain was intentionally left unregistered so that the script would fail to resolve it and go on to execute the encryption routine.
My guess is hackers assumed that even if security experts figured out that a domain name would have to be used as the killswitch, they would be unable to quickly determine what it was in time to prevent a mass spread.
The coincidental discovery of this domain appears to have been the result of a bug in the program, allowing MalwareTech to register it, significantly slowing further spread of the script. That gave security companies and Microsoft a good head start to analyze the situation and issue the relevant warnings and patches.
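The killswitch lookup described above cuts both ways for defenders: once the domain was registered, any machine still resolving it was almost certainly infected and about to run the encryption check, so resolver logs become an inventory of infected hosts. The following is an added example, not code from the original post; the BIND-style query log format is an assumption and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Killswitch domain quoted in the article. Once it was registered (sinkholed),
# any host still querying it is very likely infected and performing the
# pre-encryption check, so resolver logs become an infection inventory.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# BIND-style query log line (format assumed; adjust for your resolver).
_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client(?: @0x[0-9a-f]+)? (?P<client>[\d.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P=qname) IN (?P<qtype>[A-Z]+)"
)

def parse_query(line):
    """Return (timestamp, client_ip, qname) for a query log line, else None."""
    m = _QUERY_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("client"), m.group("qname").lower().rstrip(".")

def find_killswitch_lookups(lines, domain=KILLSWITCH_DOMAIN):
    """Map each client IP that looked up the killswitch domain to its query times."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:          # unrelated or malformed line
            continue
        ts, client, qname = parsed
        if qname == domain or qname.endswith("." + domain):
            hits[client].append(ts)
    return dict(hits)

# Constructed sample log: two hosts hit the killswitch domain, one does not.
SAMPLE_LOG = """\
12-May-2017 10:21:03.113 queries: info: client 10.0.0.5#51234 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.1)
12-May-2017 10:21:04.002 queries: info: client 10.0.0.9#40011 (www.example.com): query: www.example.com IN A + (10.0.0.1)
12-May-2017 10:21:07.551 queries: info: client @0x7f3c2c01 10.0.0.5#51240 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.1)
12-May-2017 10:22:11.300 queries: info: client 10.0.0.22#53120 (IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM): query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM IN A + (10.0.0.1)
not a query log line
"""

if __name__ == "__main__":
    for client, times in sorted(find_killswitch_lookups(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {len(times)} lookup(s), first at {min(times):%H:%M:%S}")
```

Hosts flagged this way still need the backdoor removed and MS17-010 applied; the lookup only tells you who is infected, not that the machine is clean.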
How to avoid it
The long and short is that whether you’re a home user or manage servers, you should always keep your systems up to date. If you’re still running older versions of Windows (XP, 2003, or 8), it’s time to consider switching to something that Microsoft supports to avoid problems like this.
Unfortunately for many large institutions though, a simple upgrade may not always be the answer, as third-party software needed to carry out various tasks on the job may not be compatible with newer versions of Windows, so perhaps a more collaborative effort is needed between MS and these developers.
Microsoft has addressed the WannaCry issue directly, so if you have fallen prey to this attack (even on older systems), check out this blog post for more details on how to clean your system.
Here’s a video I found demonstrating the program in action.