WannaCry is a name that made many cry in frustration this weekend, and the danger is still not over.
The first onslaught
According to Europol director Rob Wainwright, over 200,000 victims in at least 150 countries have had their files encrypted by the WannaCry (aka Wanna Decryptor) ransomware/worm.
The number would have been even higher, but a security researcher reverse-engineered a sample of the malware, found in its code a non-existent, hard-coded domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that each installed malware instance tries to contact, and registered it.
With this move he inadvertently stopped the situation from becoming even worse, as the malware does not spring into action if it manages to contact the domain.
The researcher believes that the goal of this domain check was for the malware to detect whether it is being run in a sandbox.
“In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it it were registered,” he explained.
After this revelation came another one: security researcher Didier Stevens found that the domain check is not proxy-aware, meaning that the worm will still work on any system that uses a proxy to access the Internet.
How WannaCry spreads
Analysis of the various WannaCry samples security researchers got their hands on revealed that some samples are ransomware combined with a worm-like spreading mechanism, which in part explains how the malware was able to spread so fast.
The other part of the equation is the use of the EternalBlue exploit. Leaked by the Shadow Brokers, and believed to have been created by the NSA, the exploit can compromise unpatched Windows by exploiting vulnerabilities in Microsoft Windows SMB Server.
The vulnerabilities in question were patched in March by Microsoft, but the company only provided patches for supported versions of the Windows OS (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016).
In light of this attack, Microsoft pushed out a patch for Windows XP, Windows 8, and Windows Server 2003 on Friday.
Many security researchers are feverishly analyzing new variants of the malware found in the wild. So far there is another one with a new “kill-switch” (the new domain has already been registered by researcher Matt Suiche), and another one with no kill-switch, which spreads, but does not encrypt files because the ransomware archive is corrupted.
“The fact [that] I registered the new kill-switch today to block the new waves of attacks is only a temporarily relief which does not resolve the real issue,” Suiche noted. “[The real issue] is that many companies and critical infrastructures are still dependent on legacy and out of support Operating Systems.”
He expects the attackers to come up with a working variant with no kill-switch very soon.
Who’s behind WannaCry?
So far, the crooks behind this scheme have received ransoms in the amount of 20 bitcoins (around $35,000) in total on three different bitcoin addresses. But, as researcher Troy Hunt noted, that number could well go up.
“Regardless of the kill switch, many machines remain infected and if there’s a 3-day window of payment before the cost escalates, you’d expect plenty of people to be holding off for a bit,” he pointed out.
Who is behind this attack is still unknown. Europol is working with affected countries cybercrime units and industry partners to mitigate the threat and assist victims. They are also working with the FBI on uncovering the criminals.
Elliptic, a Bitcoin intelligence firm that works with law enforcement, told The Daily Mail that the attackers are yet to withdraw any funds from the aforementioned bitcoin addresses, so there has been no opportunity to trace them that way.
What can you do?
“System administrators and security personal could use this weekend to take prevention, detection and response measures. If everyone comes back in the office by Monday and a new wave of phishing attacks would start, without a kill-switch, the damage could be far less than expected at this stage,” Fox-IT researchers noted, and added that the cyber criminals behind the attack will surely learn from their mistake.
They also pointed out that “machines that have been patched are not vulnerable to the exploit, but could still be infected through other infection methods such as phishing emails.”
The initial infection vector is still unknown, although many believe that phishing emails are it. It’s also possible there are multiple infection vectors.
In any case, organizations are advised to:
- Implement the necessary patches as soon as possible. This step is crucial, also because other criminals could start exploiting the same flaw at any given time – the EternalBlue exploit is out, and ready to be used.
- Disable SMBv1
- Consider adding a rule on their router or firewall to block incoming traffic on SMB and RDP ports
- Isolate unpatched systems from the internal network
- Make back-ups (and check that they can be restored!)
- Warn employees to be extra watchful about phishing emails.
US-CERT offers more extensive advice against defending against ransomware generally, and recommended steps for remediation for those who have been affected. Microsoft also offered advice on protecting systems against this threat.
Victims should know that it is currently impossible to decrypt files encrypted by WannaCry, and there is no guarantee they will receive the decryption key even if they pay the ransom.
Several security companies have released tools (1, 2) for preventing the WannaCry ransomware from running on computers it may land on.
Malwarebytes’ Zammis Clark warns that any system that has been affected will also sport the DoublePulsar backdoor, which can be detected and removed with this script.