The WannaCry ransomware attack of 12 May 2017 was devastating for many organisations and institutions around the world.
It remains one of the largest cyber-attacks in history, affecting over 150 countries and hundreds of thousands of computers performing a variety of tasks, from banking to running medical devices.
This page explains how the WannaCry ransomware attack worked, and what could have been done to prevent it.
Ransomware is a form of malware that extorts money from victims by encrypting their data files. It does not discriminate between which files are locked away (encrypted), so at best you lose access to something meaningless, and at worst your most sensitive information, such as medical records.
To release (decrypt) the data files, the victim is ordered to pay a ransom. The ransom demanded is usually in Bitcoin.
Bitcoin is a decentralised digital currency with no central bank. It is an attractive method of payment for cyber criminals because payments can be received without the payer or payee identifying themselves: every Bitcoin transaction is recorded on a public ledger, but linking a wallet to a person, and following the money once it is moved or cashed out, is slow work for the authorities. Ransom payment instructions and portals are often hosted on the dark web.
The dark web has gained notoriety as a place where a great deal of illegal activity takes place. It is reached via the Tor browser (Tor stands for The Onion Router), not through an ordinary browser.
The visible web that Google and other search engines can index is commonly estimated at around 4% of the World Wide Web.
WannaCry is often described as a zero-day attack, but that is not accurate. The SMB flaw it exploited had been patched by Microsoft two months earlier (see below), so the vulnerability was already known; what antivirus companies had not seen before was the malware itself, so signature-based products could not detect and remove it until after the damage was done.
There are two parts to this ransomware: the worm (propagation) and the ransom (payment).
The WannaCry worm element scans computers for a vulnerability in SMB, the Server Message Block protocol.
SMB is the protocol Windows computers use to talk to shared file locations and shared devices. Network services on a computer are addressed by port number, and SMB is reached over TCP port 445. The flaw lay in the old SMB version 1 (SMBv1) implementation and is the one fixed by Microsoft security bulletin MS17-010.
A computer that has the flaw is then exploited with EternalBlue, an exploit that sends specially crafted SMBv1 packets to trick the target into executing the worm's code.
WannaCry's code also included a backdoor tool called DoublePulsar. A backdoor is a means of bypassing a computer's security mechanisms so that an attacker can get back in later.
DoublePulsar is what loads the ransom part of the malware. Because it stays resident in the kernel, it also lets other criminals reuse the same opening to re-infect machines with their own ransomware variants; WannaCry itself first checks whether DoublePulsar is already present from an earlier attack and uses it if so.
The combination of the flaw, the exploit and the backdoor enabled WannaCry to move across the world, infecting other vulnerable machines and encrypting their data.
Users notice nothing is wrong until the ransomware message appears on screen.
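The propagation step above rests on one precondition a defender can test directly: the target answers on TCP port 445 and still negotiates SMB version 1. The following Python script is an added example, not code from the original page or from any WannaCry analysis. It sends a plain SMBv1 negotiate request offering only the `NT LM 0.12` dialect and reports whether the server accepts it. It is a reachability and protocol-version probe only: it does not test whether MS17-010 is installed, and the `constructed_negotiate_response` helper exists solely to produce sample bytes so the parser can be exercised offline.

```python
"""Check whether a host still answers SMBv1 on TCP 445, the surface WannaCry used.

Added example. A host that completes an SMBv1 negotiation is reachable on the
port the worm scanned and still speaks the protocol version the flaw lives in;
whether MS17-010 is installed has to be confirmed separately.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"   # the SMBv1 dialect the worm negotiated


def _smb1_header(command: int, status: int, flags: int) -> bytes:
    """32-byte SMBv1 header; TID/UID are 0 because nothing is connected yet."""
    return (SMB1_MAGIC
            + struct.pack("<BIBH", command, status, flags, 0xC853)  # Flags2: unicode, NT status, long names
            + struct.pack("<H", 0)                       # PIDHigh
            + bytes(8)                                   # SecurityFeatures (no signing)
            + struct.pack("<H", 0)                       # Reserved
            + struct.pack("<HHHH", 0, 0x1234, 0, 1))     # TID, PID, UID, MID


def _netbios(smb: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session header (type 0, 3-byte big-endian length)."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def build_negotiate_request(dialects=(DIALECT_NT_LM_012,)) -> bytes:
    """SMB_COM_NEGOTIATE request offering only SMBv1 dialects. No "SMB 2.002"
    string is included, so a positive answer can only come from an SMBv1 server."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02 + string + NUL
    smb = (_smb1_header(SMB_COM_NEGOTIATE, 0, 0x18)
           + bytes([0])                          # WordCount = 0
           + struct.pack("<H", len(body))        # ByteCount
           + body)
    return _netbios(smb)


def parse_negotiate_response(data: bytes):
    """Return (nt_status, dialect_index) from a NetBIOS-wrapped SMBv1 negotiate
    response, or None if the bytes are not one (e.g. an SMB2 reply starting 0xFE S M B)."""
    if len(data) < 4 + 33 or data[0] != 0x00:
        return None
    smb = data[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return status, 0xFFFF               # no parameter words: no dialect was accepted
    return status, struct.unpack_from("<H", smb, 33)[0]   # DialectIndex is the first word


def smb1_accepted(host: str, port: int = 445, timeout: float = 3.0) -> bool:
    """True if the host completes an SMBv1 negotiation for NT LM 0.12.

    A closed or filtered port, and a server that simply drops the connection
    (what Windows does with SMBv1 disabled), both come back False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(1024)
    except OSError:
        return False
    parsed = parse_negotiate_response(data)
    # index 0 == the only dialect we offered; 0xFFFF means none accepted
    return parsed is not None and parsed[0] == 0 and parsed[1] == 0


def constructed_negotiate_response(dialect_index: int, status: int = 0) -> bytes:
    """Minimal SMBv1 negotiate response, built here only as constructed sample
    input so the parser can be exercised without a live server."""
    words = struct.pack("<H", dialect_index) + bytes(32)   # DialectIndex + 16 words not inspected
    smb = (_smb1_header(SMB_COM_NEGOTIATE, status, 0x98)   # 0x98: reply flag set
           + bytes([17])                                   # WordCount = 17
           + words
           + struct.pack("<H", 0))                         # ByteCount = 0
    return _netbios(smb)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict = "accepted" if smb1_accepted(target) else "not accepted"
    print(f"{target}: SMBv1 negotiation {verdict}")
```

Run it as `python smb1_probe.py <host>` from a machine on the same network. A `False` result only says that this probe got no SMBv1 answer; a `True` result means the host is in the population the worm could reach, and SMBv1 should be disabled there whether or not the patch is present.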
Ransomware criminals are under no obligation to unlock your files even if the ransom is paid, and even if they do, there is no guarantee the files will not be corrupted. Never pay the ransom!
Fortunately a security researcher known as 'MalwareTech' identified and activated a kill switch in WannaCry.
Before doing anything else, the malware tried to connect to a long, unregistered web address hard-coded into its program; if the connection succeeded, it shut itself down. This looks like a check for the analysis sandboxes security researchers use, which answer every web request, but whatever the reason, registering the domain made the connection succeed on any machine with normal internet access, and that stopped the WannaCry attack from spreading further.
Kill switches do not stop an already infected machine from encrypting, but they do prevent other vulnerable machines from being infected, provided those machines can 'see' the web address. A machine with no internet access, or one that can only reach the web through a proxy that the malware does not use, is still infected.
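As an added example (not the page's own material, and not code from WannaCry itself), the following Python script reproduces the kill-switch decision described above and shows why the 'can see the web address' caveat matters: the worm's HTTP request went out directly, ignoring the system proxy settings, so hosts that could only reach the web through a proxy were not saved by the registered domain. The domain constant is the first kill-switch domain as published by MalwareTech at the time; the three network profiles, the DNS log lines and the 'timestamp client query name' log format are all constructed for this example.

```python
"""Reproduce the WannaCry kill-switch decision and hunt for it in DNS logs (added example)."""
import re
from typing import Callable, Dict, Iterable, Set

# Kill-switch domain hard-coded in the first WannaCry sample, the one
# MalwareTech registered on 12 May 2017. Later variants used other domains
# or removed the check, so treat this as a list to maintain, not a constant.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def should_propagate(fetch: Callable[[str], None]) -> bool:
    """Reproduce the kill-switch decision.

    `fetch(url)` stands in for the malware's plain HTTP GET, which ignored
    proxy settings: it returns normally if the connection succeeded and
    raises OSError if it failed. The worm only carries on when the GET FAILS,
    which is why registering the domain (making the GET succeed on any host
    with direct DNS and internet access) stopped new infections.
    """
    try:
        fetch("http://www." + KILL_SWITCH_DOMAIN)
    except OSError:
        return True    # unreachable: the worm encrypts and spreads
    return False       # reachable: the worm exits before doing anything


# Constructed network profiles (hypothetical hosts, not captured data).
def direct_internet(url: str) -> None:
    """DNS resolves and the registered domain (sinkhole) answers."""


def air_gapped(url: str) -> None:
    raise OSError("no route to host")


def proxy_only(url: str) -> None:
    # Corporate LAN where only the configured web proxy may leave the
    # network. Browsers work, but the malware's direct GET is blocked, so
    # the kill switch does not protect this host.
    raise OSError("connection refused by egress firewall")


PROFILES: Dict[str, Callable[[str], None]] = {
    "direct_internet": direct_internet,
    "air_gapped": air_gapped,
    "proxy_only": proxy_only,
}


def classify(profiles: Dict[str, Callable[[str], None]] = PROFILES) -> Dict[str, bool]:
    """Map each host profile to whether the worm would continue there."""
    return {name: should_propagate(fetch) for name, fetch in profiles.items()}


# Detection side: any lookup of the kill-switch domain means the worm already
# ran on the querying host, whether or not the sinkhole was reachable.
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+query\s+(?P<qname>\S+)$"
)


def hosts_querying_killswitch(lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> Set[str]:
    """Source IPs that looked up the kill-switch domain (case-insensitive, trailing dot ignored)."""
    hits: Set[str] = set()
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and m.group("qname").lower().rstrip(".").endswith(domain):
            hits.add(m.group("src"))
    return hits


# Constructed resolver log in a hypothetical "timestamp client query name" format.
SAMPLE_DNS_LOG = [
    "2017-05-12T10:41:07Z 10.20.4.17 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
    "2017-05-12T10:41:09Z 10.20.4.17 query update.example.net.",
    "2017-05-12T10:42:30Z 10.20.7.201 query intranet.example.local.",
    "2017-05-12T10:43:12Z 10.20.9.54 query WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.",
]

if __name__ == "__main__":
    for host, spreads in classify().items():
        print(f"{host:16} worm continues: {spreads}")
    print("hosts that ran the worm:", sorted(hosts_querying_killswitch(SAMPLE_DNS_LOG)))
```

The `proxy_only` profile is the one to dwell on: the registered domain only helps where the malware's own unproxied request can reach it, so an internal host that queries the domain should be treated as compromised and isolated, not assumed safe because the request succeeded.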
Microsoft released a security patch for the SMB flaw (bulletin MS17-010) on 14 March 2017. However, this only applied to supported operating systems.
Microsoft then took the unusual step of releasing out-of-band patches for unsupported legacy operating systems such as Windows XP. These were made available 24-36 hours after the WannaCry ransomware attack started to gain traction in the mainstream media.
If organisations across the globe such as Telefonica in Spain, car manufacturers and even the Russian Interior Ministry had applied the patch to their supported operating systems when Microsoft released it, the overall impact of WannaCry would have been negligible.
Instead organisations lost money, consumers lost data, and the IT industry wasted a lot of time recovering, just to get back to where they were on Thursday 11 May 2017.
Modern ransomware attacks are sophisticated, and the frequency with which new ones are created and released is increasing. Within a few days of the WannaCry attack, two variants had been released by other hackers.
It is estimated that at least 4,000 ransomware attacks take place each day somewhere across the world, and that over 18 million types of ransomware exist.
Anti-virus suppliers cannot identify and prevent infection from every type of virus or malware, and Microsoft cannot identify and patch every flaw in its software before it is exploited.
In addition, if the NSA and other government agencies are unable to trace or catch the perpetrators of such attacks, then we are all subject to increased risk, especially in the era of Big Data and the Internet of Things (IoT).
WannaCry locked data and extorted money from victims. However, ransomware can also be written to steal data and send it to the criminals, who then threaten to release it publicly if the ransom is not paid.
There is clearly a growing threat. Ransomware sophistication is set to increase, and with more devices being connected to the Internet, the risk of a recurrence, and its likely impact, is higher than ever.
The next Ransomware attack could strike at any time, and be more devastating than WannaCry. You have been warned!