The WannaCry ransomware attack from May 12-16 was the largest computer virus attack in history. An estimated 200,000 systems in 150 different nations were infected in less than 48 hours. The resulting damage worldwide from lost data and downtime could be as much as $4 billion.
Cybersecurity experts estimated Tuesday, more than four days after the attacks began, that up to 1.3 million computers were still at risk from this computer worm, which encrypts important files on a computer and refuses to restore them unless a ransom is paid. Experts warn that this is just the beginning of a new era of global hacking attacks.
Initial success against the WannaCry worm by anti-virus companies has been short-lived. Already, more variants of this ransomware are spreading through the Internet and infecting computers. What makes these new viruses so effective is the incorporation of stolen NSA hacking tools into their code.
What Is The WannaCry Hack?
The WannaCry ransomware worm infects a computer, then runs an encryption program to scramble up to 176 different types of files. These files can only be unlocked with a special decryption program held by the hackers.
Owners of compromised computers were ordered to pay a $300 ransom in bitcoins to get the hackers to decrypt the files that were “taken hostage”. If the victim did not pay the ransom within three days, the cost doubled to $600. The hackers threatened that they would leave the files encrypted and unrecoverable forever if the ransom had not been paid after seven days.
How Does the WannaCry Ransomware Work?
At first, network security experts believed that WannaCry was initially spread by a “Trojan Horse”-style email attachment. Once a user clicks on one of these email “bombs”, it infects their computer. The ransomware then searches for other computers on the same network and infects those as well.
However, once malware experts dissected the WannaCry worm, they found that it was spreading through a Microsoft file-sharing protocol instead. Named Server Message Block (SMB), it allowed the hackers to simply run automatic scans looking for Internet-connected computers that were vulnerable to this exploit. Once it silently infected that first computer, the virus quickly used SMB to spread to all susceptible computers on the network without anyone knowing.
A New And “Improved” Ransomware Virus
This vulnerability of Windows computers and servers to hackers was first revealed when a precursor to WannaCry, called WeCry, was discovered on infected computers in February.
Microsoft quickly devised a critical security patch (MS17-010), rolling it out on March 14. At that time, the company strongly urged all Windows users to install the patch before SMB exploits became more widespread.
On April 14, the hacking collective known as The Shadow Brokers released a suite of powerful hacking tools it said were stolen from the National Security Agency (NSA). One of these, named ETERNALBLUE, was used two weeks later by the WannaCry programmers to take advantage of the SMB exploit on computers that had not been updated with the March security patch.
“We Got Lucky”
Experts say that the damage from WannaCry could have been far, far worse, if a young antivirus tech had not noticed a bit of code buried deep in the worm. These instructions sent a request to a particular web domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). The tech found that this domain did not exist, so he registered it in hopes it would allow him to better track the virus.
What happened was that the WannaCry attack was stopped cold. The domain had been set up by the original virus programmers as a “kill switch.” Before a copy of WannaCry encrypted the files of the computer it had infected, it checked to see if the domain referenced in its code existed. If it did, the program shut down before activating its payload.
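Two of the behaviours described above leave traces a defender can look for: the lookup of the kill-switch domain (which means the worm ran on that host, even if it then exited) and the SMB scanning that reaches many hosts on TCP port 445. The following is an added example, not code from the article or from any of the researchers it mentions; the log format, the host addresses and the fan-out threshold are constructed assumptions.

```python
# Added example, not code from the article: flag two WannaCry-style signals
# in log lines. The log format, hosts and threshold below are assumptions.
import re
from collections import defaultdict

# Kill-switch domain quoted in the article. A query to it from an internal
# host means the worm ran there, even if the lookup succeeded and it exited.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample logs (assumed format):
#   "<time> dns src=<ip> query=<name>"
#   "<time> fw src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOGS = """\
2017-05-12T08:01:02 dns src=10.0.0.5 query=update.example.com
2017-05-12T08:01:03 fw src=10.0.0.5 dst=10.0.0.20 dport=445
2017-05-12T08:02:10 dns src=10.0.0.7 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T08:02:11 fw src=10.0.0.7 dst=10.0.0.20 dport=445
2017-05-12T08:02:11 fw src=10.0.0.7 dst=10.0.0.21 dport=445
2017-05-12T08:02:12 fw src=10.0.0.7 dst=10.0.0.22 dport=445
2017-05-12T08:02:12 fw src=10.0.0.7 dst=10.0.0.23 dport=445
2017-05-12T08:02:13 fw src=10.0.0.7 dst=10.0.0.24 dport=445
2017-05-12T08:02:13 fw src=10.0.0.9 dst=10.0.0.25 dport=445
2017-05-12T08:02:14 fw src=10.0.0.9 dst=10.0.0.26 dport=445
2017-05-12T08:02:14 fw src=10.0.0.9 dst=10.0.0.30 dport=443
"""

DNS_RE = re.compile(r"\bdns src=(\S+) query=(\S+)")
FW_RE = re.compile(r"\bfw src=(\S+) dst=(\S+) dport=(\d+)")

def analyze(log_text, fanout_threshold=5):
    """Return (hosts that queried the kill switch, hosts fanning out on TCP 445)."""
    # A worm scan looks like one source reaching many distinct hosts on 445;
    # a normal client talking to one file server stays under the threshold.
    kill_switch_hits = set()
    targets_445 = defaultdict(set)  # src -> distinct destinations hit on 445
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            if m.group(2).lower().rstrip(".") == KILL_SWITCH_DOMAIN:
                kill_switch_hits.add(m.group(1))
            continue
        m = FW_RE.search(line)
        if m and m.group(3) == "445":
            targets_445[m.group(1)].add(m.group(2))
    scanners = {src for src, dsts in targets_445.items()
                if len(dsts) >= fanout_threshold}
    return kill_switch_hits, scanners
```

Running `analyze(SAMPLE_LOGS)` on the constructed lines reports 10.0.0.7 for both signals, while the single file-server connection from 10.0.0.5 is not flagged.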
New Versions of WannaCry Already Out
Even before the discovery of the kill switch on the original WannaCry ransomware, copycats were already rushing their own variants out onto the Internet. Most of these failed to gain much traction, as thousands more computers had been patched to remove the SMB exploit. Some of these new versions of WannaCry had not even removed the “domain kill switch”, making it an easy task to shut them down as well.
Even so, new versions of WannaCry with the kill switch disabled were already circulating on the same day as the original attack. Luckily, these versions were unable to find anywhere near the number of exposed computers that the first version had, thanks to IT departments working overtime to close SMB security holes.
Running XP Is Just Asking For Trouble
Introduced in 2001, Windows XP had its last security patch issued in 2014. Windows Server 2003 and Windows 8.0 are also no longer supported by Microsoft. Since the life-cycle of these operating systems has ended, new security fixes are not written for them.
The WannaCry ransomware worm has spread further and faster than any malware previously encountered, due to companies “saving money” by not upgrading their software, or simply neglecting to apply important security updates. The scope of the WannaCry attack led Microsoft to issue an emergency security patch for Windows XP and these other outdated operating systems.
This does not mean Microsoft will resume support for these discontinued versions of Windows. With the exposure WannaCry has gotten, hackers of all levels of skill will be rushing to use similar stolen NSA hacking resources to exploit security holes in older versions of Windows.
Governments in emerging markets, as well as China and Russia, are notorious for using pirated copies of Windows in government and the private sector. These systems obviously cannot connect to Microsoft for security updates, even if they are (illegal) copies of current versions of Windows.
This is why Russia was one of the countries hardest hit by the WannaCry worm. China escaped the brunt of Friday’s attack despite being a notorious user of pirated software, as the work week had already ended in Asia when the ransomware was released.
With possibly millions of computers worldwide still using Windows XP or pirated operating systems, malware like WannaCry will have an easy time of spreading. More than ever, businesses are urged to protect themselves by upgrading their computers to a supported version of Windows.
Even having the newest version of Windows will not protect you if you do not keep it updated. Microsoft said that computers running Windows 10 were not targeted by THIS VERSION of WannaCry ransomware, but there is no guarantee that one of the many copycat versions of this virus currently circulating isn’t doing so.
Windows versions that are protected by the MS17-010 patch are: Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2012, Windows 10, and Windows Server 2016. If you have not run the March critical security update, do so immediately!
Not The Fastest CPU In The Server Farm?
One thing that has been puzzling cybersecurity experts is just how clumsily the WannaCry ransomware worm was coded. It seems that portions of different programs were cobbled together, and ended up working better than expected. The apparent original hackers released a second copy of WannaCry as soon as news broke that their first version had been stopped. However, it seems that they just replaced the kill switch URL with another one, which was quickly noted and activated by cybersecurity engineers.
Besides the glaring fault of including a simple kill switch, the original WannaCry code contains portions of the ETERNALBLUE exploit and code from malware used by the Lazarus Group.
The lack of sophistication of the worm, and the presence of Lazarus Group code, have some experts looking at North Korea as the home of the WannaCry hackers. The Lazarus Group has been linked to the North Korean security apparatus, but is known for more professionally written malware.
In comparison to the multi-million dollar hacks by Lazarus, the WannaCry hackers have seen only a few tens of thousands of dollars of ransom paid. Compounding their problems, they can’t even access the bitcoin that has been paid, as security agencies around the world are waiting to track withdrawals from the accounts.
These are mistakes that more savvy hackers do not make. One example was the ransomware injected into the network of Hollywood Presbyterian Medical Center in February. The hacker demanded and received a ransom of 40 bitcoins (~$17,000) before relinquishing control of the hospital’s computers.
Or, Just Wanting To Watch The World Burn
This has led some observers to wonder if the “ransom” part of the WannaCry ransomware was just a cover for unleashing a virulent computer virus onto the world just to see what would happen. The speed, breadth, and level of disruption from this infection would be valuable knowledge for a state actor (such as North Korea) in planning more sophisticated attacks.
This line of thought is reinforced by the fact that the worm was released on a Friday, giving companies an entire weekend to harden their defenses before workers showed up Monday and began triggering infections.
One unexpected development that prevented the WannaCry attack from being far worse than it was had to do with computers that were already infected by another group of hackers, which was also using stolen NSA crypto-weaponry.
This group was compromising computers by installing the DOUBLEPULSAR backdoor, which is another stolen NSA hack that was distributed by The Shadow Brokers. DOUBLEPULSAR is a sophisticated exploit that literally creates a “back door” into a computer so hackers can install whatever malicious code they desire: even turning computers into mining bots to harvest cryptocurrencies.
What DOUBLEPULSAR does is shut down communications over TCP port 445 – the same port WannaCry uses to infect computers. This means that a separate group of hackers accidentally played a role in preventing the WannaCry ransomware attack from being worse.
One sobering thought is that experts believe that this DOUBLEPULSAR hacking group has managed to infect many more computers than the WannaCry hackers. These earlier hacks have mostly been unnoticed for two reasons: Firstly, the SMB exploit is plugged by the code, preventing more overt viruses from revealing that the host computer has been compromised. Secondly, since the bot code is “only” stealing processing power and bandwidth from the infected computer, months could pass before anyone notices the program.
Don’t Pay That Ransom!
Authorities urge companies and private users to NOT pay the ransom the hacker demands for decrypting your files. For one reason, you’re engaging with a criminal who had no scruples about attacking you in the first place. There is zero guarantee that they will honor their side of the bargain and restore your files.
Another reason is the danger that the hackers are simple “script kiddies” who downloaded a ready-to-go virus, and have absolutely no knowledge at all on how to reverse the encryption.
A third reason is that law enforcement may be staking out the digital wallets the hackers set up to collect ransoms, like they are doing in the WannaCry case. This means your money will never be claimed, and you will never get your files restored. It also means that YOU can’t recover the unclaimed money either, losing both your files and your money.