Dummies' Guide to WannaCry

The WannaCry cyber-attack has gripped news headlines around the world. In all, over 200,000 machines were affected, infections were seen in 150 countries, and organizations such as Renault, Nissan, FedEx and the NHS all fell victim.

What is WannaCry?

WannaCry is a virus from the ransomware family. Malware of this sort extorts money from victims by locking away files and personal data. To release the files, victims are instructed to pay a ransom.

The locking or kidnapping process generally relies on frighteningly complex cryptography. To release the locked files their owners need to undo the encryption with a mathematically generated key.

Is this a new type of attack?

No. The first recorded instance of a ransomware attack occurred back in 1989. The virus responsible had a fatal flaw though – the mathematical or cryptographic key needed to unlock the kidnapped files was contained within the virus code itself.

Analysts extracted the key, circulated it and a crisis was averted. The idea of ransomware was however firmly planted in the criminal psyche. Later evolutions of ransomware employed cryptographic techniques that enabled the bad guys to control the creation of mathematical release keys.

Bitcoin provided fuel to ransomware’s fire. Bitcoin is a completely digital currency. It’s not owned by anybody, it’s decentralized and there’s no central bank.

For criminals Bitcoin has a particular attraction: the system makes it hard – though not impossible – to track financial transactions. Using Bitcoin means criminals can control the income from ransom payments while maintaining some anonymity.

How common is ransomware?

Ransomware is now at epidemic proportions. According to Malwarebytes, ‘Nearly 80% of organizations have been the victim of a cyber-attack during the past 12 months and nearly 50 percent have been the victim of a ransomware attack.’

Why was the WannaCry attack so bad?

WannaCry, along with a very effective encryption or file locking mechanism, had the ability to infect systems with frightening efficiency.

When it encountered a new victim system it set about infecting other machines on the same network before going about its encryption tasks. To achieve this frightening rate of cross-network contamination, WannaCry employed a Windows exploit called EternalBlue.

To break into computers, EternalBlue relied on a flaw in various versions of Windows that let remote users take control of the infected victim PC. EternalBlue was developed – and kept secret by – the US National Security Agency (NSA). Rather than telling Microsoft about the flaw, the NSA kept the exploit quiet, doubtless hoping to use it in the future.

Unfortunately for the NSA – and for the rest of the world – EternalBlue was stolen by a hacker group called the Shadow Brokers, which then published the exploit online.

What did Microsoft know about all of this?

Back in March of this year Microsoft issued an update patch for its Windows operating systems and for Windows Server. It patched all operating systems bar Windows XP. Released back in 2001, Windows XP has not been actively supported by Microsoft since 2014.

Sadly many organizations left themselves vulnerable to attack by WannaCry by either failing to run Microsoft’s patch or through using Windows XP machines. Microsoft has been very critical of the NSA stockpiling of exploits. It also released a security patch for Windows XP.

How did victims recover?

Victims of WannaCry – people who saw their data encrypted – had two options: re-image their Windows systems and restore data from backups, or pay the ransom.

Should I pay the ransom?

No. Police and security agencies warn computer users against paying ransoms. Paying encourages criminals to launch further attacks. As we’re dealing with criminals, it’s likely there will be a sting in the tail. In some ransomware attacks criminals don’t actually release the locked files after payment, or they simply delete the data.

It gets worse too. Often the initial virus attack that installs ransomware mechanisms onto a system also installs a back door. This backdoor can be used by criminals to re-infect the victim’s machine or to carry out other thefts and attacks. In the case of WannaCry there’s evidence that it did indeed install backdoors.

How much money did the criminals make?

Bitcoin wallets are open – you can see inside them. All you need to know is a wallet’s identifying number, and WannaCry is hard linked to a few wallets. The Twitter bot @ransomtracker provides regular updates about the criminals’ potential takings – currently the total is just over $80,000 at the time of writing.

Sadly though you can’t tell easily who owns a wallet, and would you be brave enough to try and move the takings? Security professionals, police and secret services from around the world will be watching like hawks.

Who is responsible?

That’s a good question and one that’s being asked by governments around the world. Early analysis of WannaCry’s code suggests that the malware could have originated from North Korea.

Investigators have found similarities between sections of code used by the Korean Lazarus Group in its attacks and the programming in WannaCry. Not much is known about the group, but it’s thought to operate from inside North Korea. The group is also thought to be involved with the Sony Pictures hack of 2014.
