This post is supported by Penta Security.
You may have heard about WannaCry, the malware that caused a not-insubstantial amount of havoc around the world, hitting computers on the National Health Service (NHS) network in the UK and as many as 50,000 locations in total – and counting.
As the dust settles, we look at the latest updates to examine what the fuss is all about and how it works under the hood. More importantly, what lessons can all of us draw from this malware outbreak?
What’s the hoo-ha about?
WannaCry’s main claim to fame revolves around the fact that it is a highly infectious ransomware. For the uninitiated, a ransomware is a type of malicious software designed specifically to block access to the data on a PC until a sum of money is paid. This is achieved by surreptitiously encrypting data files on the infected computer and demanding a payment for the decryption key needed to recover them.
Source: portal gda / Flickr
Unlike earlier versions of ransomware which were plagued with flaws or weaknesses in their implementation that allowed encrypted files to be recovered, WannaCry has proven to be a model implementation. While the latest analysis reveals that it may be possible to recover the key on computers running Windows XP, this is contingent upon the victim’s computer not being switched off after infection.
The rapid spread of WannaCry could be attributed to how it leverages the local network to spread by exploiting a security vulnerability in a network file sharing protocol originating from the Windows platform called SMB, or Server Message Block. This method allows an infected machine to infect other vulnerable, but otherwise healthy PCs on the local network without requiring any interaction from users.
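The worm-like behaviour described above leaves a recognisable footprint on the network: one internal host opening SMB (TCP port 445) connections to many distinct internal peers in a short window. The following detection logic is an added example written for this post, not code from the original article or from any vendor; the log line format, the 60-second window and the threshold of 10 distinct peers are assumptions, and the sample log lines are constructed.

```python
"""
Flag internal hosts that fan out over SMB (TCP/445) to many peers within
a short window, the pattern a self-propagating infection produces on a
local network. Added example with constructed data; thresholds and log
format are assumptions, not taken from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines in an assumed firewall / flow-export style:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 -> 10.0.1.5:445 tcp
2017-05-12T10:00:02 10.0.1.20 -> 10.0.1.6:445 tcp
2017-05-12T10:00:02 10.0.1.20 -> 10.0.1.7:445 tcp
2017-05-12T10:00:03 10.0.1.20 -> 10.0.1.8:445 tcp
2017-05-12T10:00:03 10.0.1.20 -> 10.0.1.9:445 tcp
2017-05-12T10:00:04 10.0.1.20 -> 10.0.1.10:445 tcp
2017-05-12T10:00:04 10.0.1.20 -> 10.0.1.11:445 tcp
2017-05-12T10:00:05 10.0.1.20 -> 10.0.1.12:445 tcp
2017-05-12T10:00:05 10.0.1.20 -> 10.0.1.13:445 tcp
2017-05-12T10:00:06 10.0.1.20 -> 10.0.1.14:445 tcp
2017-05-12T10:00:07 10.0.1.20 -> 10.0.1.15:445 tcp
2017-05-12T10:00:10 10.0.1.30 -> 10.0.1.5:445 tcp
2017-05-12T10:00:11 10.0.1.30 -> 10.0.1.5:445 tcp
2017-05-12T10:00:12 10.0.1.31 -> 93.184.216.34:443 tcp
2017-05-12T10:05:00 10.0.1.40 -> 10.0.1.5:445 tcp
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window length
THRESHOLD = 10                   # assumed distinct-peer count that triggers an alert
SMB_PORT = 445


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, _arrow, dst_and_port, proto = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def is_internal(ip):
    """True for RFC 1918 and other private ranges."""
    return ipaddress.ip_address(ip).is_private


def find_smb_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """
    Return {src_ip: max_distinct_peers} for every internal source that
    reached at least `threshold` distinct internal peers on TCP/445 inside
    any `window`-long interval. Repeat connections to the same peer (a
    normal file-server client) do not count.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto != "tcp" or port != SMB_PORT:
            continue
        if not (is_internal(src) and is_internal(dst)):
            continue  # only internal-to-internal SMB is lateral movement
        events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    for host, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} distinct internal SMB peers within {WINDOW}")
```

On the constructed sample, 10.0.1.20 is flagged (11 distinct peers in six seconds) while 10.0.1.30, which merely reconnects to the same file server, and 10.0.1.31, whose traffic leaves the private range, are not. In production the threshold should be tuned against a baseline of legitimate SMB clients such as backup agents and management tools, which can legitimately touch many hosts.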
Fortunately, the malware can’t spread across the Internet by itself, and is likely spread by phishing and spear-phishing methods designed to trick users into downloading and launching the executable file. Of course, most if not all antimalware software should detect it by now, so successful infection by this method should become increasingly rare.
The origins of WannaCry
According to reports, the first version was spotted as early as February, with a second wave of attacks spotted in March. The current wave, which caught the news worldwide, is the deadliest yet due to its ability to self-propagate, and is apparently available in 28 different languages.
Security researchers say that the original security exploit that underpinned WannaCry is called “EternalBlue” and came from a group widely suspected of developing hacking tools for the NSA. An unaffiliated group of hackers managed to steal EternalBlue (and a bunch of other tools) which was subsequently published online. The creators of WannaCry likely took it, and modified it for use in WannaCry.
It is worth pointing out that the SMB vulnerability was patched by Microsoft in March, which means that the very public NHS meltdown is likely due to the use of vulnerable Windows XP machines, or the result of unpatched Windows PCs.
For now, the origins of the group who created WannaCry remain elusive, though the latest analysis revolving around the ransom demand in WannaCry suggests the hackers behind it are either native Chinese, or at least fluent in the language. I agree with this assertion, though I would point out that this is likely the work of cybercriminals as opposed to state-sponsored hackers.
Lessons for the rest of us
What are some lessons that we can learn from the saga, even if we are unaffected by it?
- Never take security for granted
Without trying to sound like a broken record, all the traditional advice of patching one’s PC, or even installing antimalware software (a small percentage of users were apparently protected by their antimalware software), could have protected a PC from infection. There is no greater danger than an “it can’t happen to me” attitude, as users opt for convenience over taking the right steps to protect themselves and their data from theft or loss.
- Establish multiple levels of defenses
The days when organizations could depend on perimeter defenses alone are long gone. WannaCry could conceivably circumvent the most intelligent and powerful firewalls through a laptop infected at home or in a hotel and then plugged into the corporate network. Extrapolating from there, it means that IT managers and administrators must ensure that multiple levels of safeguards are in place, starting from the corporate website and going all the way down to individual computers.
- Learn to recognize phishing
While WannaCry’s ability to infect other nodes on local networks was probably what allowed it to spread so fast, a phishing or spear-phishing attack was likely what kicked off the original infection. Indeed, given the many outbreaks of WannaCry in different parts of the globe and on completely disparate networks, it is a near-certainty that multiple attacks were deliberately launched by the creators of the malware as they seek profit.
Ultimately, the security threatscape is one that is constantly evolving. It pays to stay vigilant and stay on your guard.