WannaCry Post-mortem: Ransomware Attacks like These Will Only Become Larger and More Frequent

Starting on May 12th, a strain of ransomware cryptoworm known as WannaCry (also WannaCrypt) began exploiting a vulnerability in the Windows operating system to encrypt data and demand ransom payments. WannaCry quickly became the largest ransomware attack ever recorded: between May 12th and May 17th it managed to infect over 230,000 computers in more than 150 countries. Although the original WannaCry attack has been stopped by the discovery of a kill switch, several new versions of WannaCry have already been detected and, more broadly, this event has highlighted how underprepared and unprotected most companies are when it comes to cybercrime. In the wake of such an attack, it’s important to examine how and why it happened, as well as what we can do to prevent similar events in the future.


How does it work?

The reason that WannaCry was so much more effective than any ransomware strain before it is that it doesn’t rely on social engineering (where a user is tricked into clicking on a link or file, usually via a phishing email) to spread. WannaCry gains access to a system through a vulnerability in the SMB (Server Message Block) service on unpatched Windows operating systems, using an exploit known as EternalBlue. Once a system is infected, the ransomware is not executed immediately; instead, the malware scans for other vulnerable PCs on the local network and carries out enormous scans of random IP addresses on the wider internet, then uses worm-like functionality to spread to those systems.

To execute the ransomware on the original system, the dropper (the program that installs the ransomware) attempts to connect to an unregistered domain; only when that connection fails does the ransomware begin to encrypt the system.
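The scanning behaviour described above leaves a distinctive footprint: one host opening SMB connections to far more distinct peers than a normal workstation ever would. The following PowerShell is an added example (not code from the original post) that flags such fan-out in firewall-style log lines; the log format "<time> <src> -> <dst>:<port>", the sample lines and the threshold of 10 peers are all constructed assumptions.

```powershell
# Constructed sample log: a few normal SMB (TCP 445) connections to a file server,
# one unrelated web connection, and one host fanning out to many peers on 445.
$sampleLog = @(
    '09:00:01 10.0.0.5 -> 10.0.0.20:445'
    '09:00:03 10.0.0.6 -> 10.0.0.20:445'
    '09:00:04 10.0.0.6 -> 10.0.0.20:445'
    '09:00:05 10.0.0.9 -> 198.51.100.7:80'
)
# The scanning host contacts 15 local and 15 internet addresses on 445 in a short window.
$sampleLog += 1..15 | ForEach-Object { "09:01:0$($_ % 10) 10.0.0.42 -> 10.0.0.$($_):445" }
$sampleLog += 1..15 | ForEach-Object { "09:01:1$($_ % 10) 10.0.0.42 -> 203.0.113.$($_):445" }

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10,          # distinct SMB peers per source before alerting (assumed)
        [string]$LocalPrefix = '10.0.0.'  # what counts as "inside the network" (assumed)
    )
    $pattern = '^(?<t>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>[^:]+):(?<port>\d+)$'
    $Lines |
        ForEach-Object {
            # Keep only parseable lines whose destination port is SMB (445).
            if ($_ -match $pattern -and [int]$Matches.port -eq 445) {
                [pscustomobject]@{ Src = $Matches.src; Dst = $Matches.dst }
            }
        } |
        Group-Object Src |
        ForEach-Object {
            $peers    = @($_.Group.Dst | Sort-Object -Unique)
            $external = @($peers | Where-Object { $_ -notlike "$LocalPrefix*" }).Count
            if ($peers.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source        = $_.Name
                    DistinctPeers = $peers.Count
                    ExternalPeers = $external   # internet-bound SMB is the worm's signature
                }
            }
        }
}

Find-SmbFanOut -Lines $sampleLog -Threshold 10 | Format-Table -AutoSize
```

On this sample only 10.0.0.42 is reported (30 distinct SMB peers, 15 of them outside the local prefix); the two workstations talking to a single file server stay below the threshold.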


Why did it happen?

EternalBlue was a well-known exploit for this vulnerability, which had previously been held as a hacking tool by the United States National Security Agency (hacking tools are collected by many government agencies for use in the case of cyberwarfare) before being leaked and then released in early April by The Shadow Brokers, a well-known hacking group. Microsoft patched the SMB vulnerability (known formally as MS17-010) in a security update back in March, but lax patching practices and the use of unsupported Windows versions (versions for which Microsoft no longer releases security updates) meant that hundreds of thousands of users had vulnerable systems.


Is it fixed?

The original version of WannaCry which caused so much initial mayhem was stopped by a 22-year-old security researcher calling himself Malware Tech, who accidentally found what is known as a kill switch. Whilst examining the malware’s code, the researcher noticed that the dropper was attempting to connect to an unregistered website before executing the ransomware. He registered the site for a mere £10 and then found that once the dropper could successfully connect to the site, it didn’t execute or spread.

Microsoft also took the unusual step of releasing security patches fixing the SMB flaw for unsupported Windows versions, including Windows XP, Vista and Windows 8 as well as Server 2003 and 2008.

The combination of these two events means that it’s now possible for all Windows operating systems to patch this SMB vulnerability and that the original version of WannaCry is no longer able to spread or execute.


Am I safe?

Although the original version of WannaCry has now been rendered toothless by the accidental kill switch, it’s incredibly easy for attackers to slightly vary the malware code and start again. In fact, new versions of the ransomware were detected as early as May 14 and there are now several different variations of WannaCry which bypass the kill switch. In addition to this, as WannaCry is a single executable file, it can be spread like traditional ransomware through social engineering methods.

Moreover, WannaCry has proven that the ransomware cryptoworm hybrid is a highly effective and lucrative form of cyberattack, and it will doubtlessly inspire a wave of similar malware.

So no, organisations are not safe from WannaCry or other ransomware cryptoworms just because a security researcher stumbled across a kill switch. If anything, the WannaCry attack marks the beginning of a new age of cybercrime, where large scale attacks are commonplace and no network, no matter how small, is secure.


How do I protect my organisation from WannaCry and similar attacks?

Relying on IT industry professionals to stop cyberattacks on a case-by-case basis is risky, unsustainable, and irresponsible from a business continuity perspective. Instead, organisations need to become proactive about network security by putting prevention measures in place and investing in proper backup protocols. Below are six key steps which every organisation should take to protect itself from cyberattacks like WannaCry.

1.     Be proactive about patching

Don’t be complacent when it comes to patching practices. Organisations currently using an unsupported Windows OS should not rely on Microsoft to release a vulnerability-specific security patch every time a large-scale cyberattack takes place (this was a highly unusual step for Microsoft to take and is unlikely to be repeated) and need to invest in a supported version of Windows.

Organisations currently using a supported version of Windows, or any other operating system for that matter, should use the WannaCry event as a wake-up call and be fastidious about keeping their systems up to date by installing security patches as soon as they are released.

2.     Disable SMBv1

This step relates specifically to WannaCry but it’s an important step to take even if you have installed the patches, as new versions of the ransomware are being released every day. SMBv1 is enabled by default on Windows and can be manually disabled with the following steps:

  • Open Programs in the Windows Control Panel
  • Open Features and then select Turn Windows Features On and Off
  • Scroll down to find SMB 1.0/CIFS File Sharing Support and deselect it
  • Click OK then restart the computer to finalise the changes

If you need to keep SMBv1 enabled, then modify your firewall configuration to block access to the SMB ports from the internet.
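The same two steps can be scripted rather than clicked through, which is what you want when there are more than a handful of machines to cover. This is an added example, not code from the original post: it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (the Get-/Set-SmbServerConfiguration and *-WindowsOptionalFeature cmdlets), and the firewall rule name is an arbitrary choice.

```powershell
# 1. Report the current SMBv1 state, both the server setting and the optional feature.
$srv     = Get-SmbServerConfiguration
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1 enabled on the server : $($srv.EnableSMB1Protocol)"
"SMB1Protocol feature state : $($feature.State)"

# 2. Turn the SMBv1 server off. On Windows 7 / Server 2008 R2 the equivalent is the
#    DWORD value SMB1 = 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
if ($srv.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Remove the "SMB 1.0/CIFS File Sharing Support" feature (the Control Panel steps above).
#    -NoRestart defers the reboot; the change is only complete after restarting.
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 4. Fallback when SMBv1 has to stay on: block inbound SMB (TCP 139 and 445) from
#    internet addresses on the host firewall while leaving the local subnet alone.
#    'Internet' is a built-in keyword for -RemoteAddress.
$ruleName = 'Block inbound SMB from the Internet'   # assumed name, pick your own
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 5. Confirm no live session on this machine is still negotiating the SMB1 dialect.
Get-SmbConnection |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ServerName, ShareName, Dialect
```

Step 5 lists any servers this host is still reaching over SMBv1; those are the shares (often old NAS units or printers) that will break once the feature is removed, so inventory them before the reboot.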

3.     Install a unified threat management firewall

Keeping your firewall enabled at all times is a given, but for those wishing to significantly limit the chance malware has to access a system, we recommend investing in the next generation of firewall technology known as a unified threat management (UTM) firewall. This is a security product which integrates multiple security functions, including network firewalling, data loss prevention, load balancing, VPN, content filtering, gateway anti-spam, gateway anti-virus, network intrusion detection/prevention and on-appliance reporting. In the context of WannaCry, a network protected by a UTM firewall would be protected from infection as it only allows remote access via a secure SSL VPN connection, which the ransomware does not have.

4.     Invest in strong Anti-Spam platforms

Most types of ransomware, and some of the newer versions of WannaCry, rely on social engineering tactics (phishing emails, third-party apps and programs, malicious advertisements on legitimate websites) to spread and execute. To minimise endpoint users’ exposure to these vectors it’s important to have a strong anti-spam platform that includes features such as a whitelist/blacklist, subject and/or content filters, virus detection, auto-spam detection, email recovery and quarantine. These filters should be paired with rigorous and frequent user education so that endpoint users are better positioned to recognise and flag suspicious emails and documents should they bypass the anti-spam platform.

5.     Advanced Anti-virus protection

Most reputable antivirus vendors have already added detection capability to prevent malicious applications (like WannaCry) from installing and secretly running in the background. Indeed, investing in quality antivirus software from an established and reputable vendor is an essential part of protecting your network. Not only are anti-virus vendors highly responsive when a new form of malware emerges, their quality products will protect your network from threats on a daily basis. A quality anti-virus product should:

  • Have a comprehensive range of scanning features (emergency diskettes, auto-protection, compressed file scanning, task-based scanning, download and email scanning, boot sector scanning, scanning before startup, heuristic scanning, scan scheduling, scan reports and logs, and a variety of scanning options)
  • Be able to recover infected files
  • Be able to detect both compressed and uncompressed viruses
  • Have fast, light updates and not take up a lot of system resources
  • Be user friendly

6.     Multilayered IT security strategy

As cybercrime continues to evolve, it’s imperative that organisations have a multifaceted network security strategy to protect their data assets and ensure business continuity. To be truly effective, a network security strategy should contain five key elements:

  • An actionable plan, also known as a disaster recovery plan or business continuity plan. This plan should identify vulnerabilities, develop risk mitigation solutions, and have a worst-case scenario plan to minimise downtime in the event of an attack.
  • Multiple layers of protection, including a firewall, anti-virus and anti-spam.
  • Regular audits to identify vulnerabilities as they emerge, with maintenance tasks such as software updating and patching performed immediately to mitigate risk.
  • Regular staff education to minimise the likelihood that endpoint users will fall victim to social engineering tactics, as well as to ensure they have a firm grasp on company security protocols.
  • Secure offsite backup which not only regularly backs up all data, but also stores a copy of all network configurations, to ensure that if there is an attack on the network a comprehensive backup is readily available and your business can be back up and running in hours, not days.


UPDATE: WannaCry 2.0 is wreaking havoc

As we predicted earlier in this blog, newer versions of WannaCry have already been released and work exactly the same way as the original WannaCry, but without a kill switch. Engineers at Kaspersky Lab have identified several new strains from copycat hackers which do not have a kill switch and are spreading rapidly through unpatched systems. If you still have not installed the Windows security patch on your system, we urge you to do it immediately.

AWD are proud to say that none of our clients were affected by the WannaCry attack, and this is in part due to the advanced and comprehensive IT security solutions that we design, implement and manage. If you’re a Melbourne-based business owner who is unsure about your network security in the wake of the WannaCry attacks, don’t risk your data assets and business continuity by remaining complacent. Get updated and be protected by calling us on 1300 855 651.

Enquire about our IT services today.