Postmortem: WannaCry Ransomware Explained

Uploaded on 2017-10-27 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

WannaCry is a ransomware worm that spread rapidly through across a number of computer networks in May of 2017.

After infecting Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service.

It also exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organisation that may be connected to the North Korean government.

What is WannaCry Ransomware?

The WannaCry ransomware consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself.

Those components include:

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor

The program code is not obfuscated and was relatively easy for security pros to analyze. Once launched, WannaCry tries to access a hard-coded URL (the so-called kill switch); if it can't, it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom notice, demanding $300 in Bitcoin to decrypt the files.

How does WannaCry infect PCs?

The attack vector for WannaCry is more interesting than the ransomware itself. The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps various nodes on a network communicate, and Microsoft's implementation could be tricked by specially crafted packets into executing arbitrary code.

It is believed that the US National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed code to exploit it, called EternalBlue.

This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017.

Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained vulnerable, and WannaCry, which used EternalBlue to infect computers, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the US government for not having shared its knowledge of the vulnerability sooner.

Even if a PC has been successfully infected, WannaCry won't necessarily begin encrypting files. That's because, as noted above, it first tries to access a very long, gibberish URL before going to work. If it can access that domain, WannaCry shuts itself down.

It's not entirely clear what the purpose of this functionality is. Some researchers believed this was supposed to be a means for the malware's creators to pull the plug on the attack. However, Marcus Hutchins, the British security researcher who discovered that WannaCry was attempting to contact this URL, believes it was meant to make analysis of the code more difficult.

Many researchers will run malware in a "sandbox" environment, from within which any URL or IP address will appear reachable; by hard-coding into WannaCry an attempt to contact a nonsense URL that wasn't actually expected to exist, its creators hoped to ensure that the malware wouldn't go through its paces for researchers to watch.

Hutchins not only discovered the hard-coded URL but paid $10.96 to register the domain and set up a site there, thus helping blunt, though not stop, the spread of the malware. Shortly after being hailed as a hero for this, Hutchins was arrested for supposedly developing different malware in 2014. He has proclaimed his innocence.

WannaCry Patch

Ironically, the patch needed to prevent WannaCry infections was actually available before the attack began: Microsoft Security Bulletin MS17-010, released on March 14, 2017, updated the Windows implementation of the SMB protocol to prevent infection via EternalBlue.

However, despite the fact that Microsoft had flagged the patch as critical, many systems were still unpatched as of May of 2017 when WannaCry began its rapid spread.

For those unpatched systems that are infected, there is little remedy beyond restoring files from a safe backup, so let that be a lesson that you should always back up your files. While those monitoring the bitcoin wallets identified in the extortion message say that some people are paying the ransom, there's little evidence that they're regaining access to their files.

WannaCry and Windows 10

As noted, Microsoft released a patch for the SMB vulnerability that WannaCry exploits two months before the attack began. While unpatched Windows 10 systems were vulnerable, the automatic update feature built into the OS meant that almost all Windows 10 systems were protected by May of 2017.

The Microsoft SMB patch was initially only available for currently supported versions of Windows, which notably excluded Windows XP.

There are still millions of internet-connected Windows XP systems out there, including at Britain's National Health Service, where many WannaCry attacks were reported, and Microsoft eventually made the SMB patch available for older versions of the OS as well.

However, a later analysis found that the vast majority of WannaCry infections struck machines running Windows 7, an operating system Microsoft does still support.

Symantec fingers the Lazarus Group

After the initial dust settled, various security researchers began working to try to figure out the origins of WannaCry. Symantec had a provocative take: they believed that the code might have a North Korean origin. They laid out the evidence in a blog post, where they discussed a little-known fact: that WannaCry had actually been circulating for months before it exploded across the Internet on May 12, 2017.

This earlier version of the malware, dubbed Ransom. Wannacry, used stolen credentials to launch targeted attacks, and there were "substantial commonalities in the tools, techniques and infrastructure used by the attackers” between this version of WannaCry and those used by the Lazarus Group.

The Lazarus Group in turn is a hacking group that has been tied to North Korea. Beginning their run in 2009 with crude DDoS attacks on South Korean government computers, they've become increasingly sophisticated, hacking Sony and pulling off bank heists.

On the other hand, without an explicit claim of responsibility, it's impossible to know for sure that either the initial wave of WannaCry attacks or the later EternalBlue-driven explosion was directed by North Korea, since malware code is copied liberally by various groups.

WannaCry News

While the initial furor of WannaCry developments have subsided as most computers receive the necessary patches, there are still new developments.

CSO

You Mighht Also Read:

WannaCry Drives Cyber Insurance:

Cyber Attacks Demonstrate  Why The Cloud Is Safer:

« Innovation in Cloud-Based Video Analytics
Facial Recognition Works on iPhone X. Sometimes. »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Information Commissioner's Office (ICO)

Information Commissioner's Office (ICO)

The Information Commissioner's Office is an independent authority set up to uphold information rights in the public interest.

Axial

Axial

Axial Systems is one of the UK’s leading solution providers and systems integrators in network, security and services.

Planit Testing

Planit Testing

Planit is a leader in Quality Assurance and a specialist in software testing and training services.

Parsons

Parsons

Parsons has developed a converged security offering that combines cybersecurity, integrated network solutions, and critical infrastructure protection.

Teramind

Teramind

Teramind provides a user-centric security approach to monitor employee behavior in order to identify suspicious activity, detect possible threats, monitor efficiency, and ensure industry compliance.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

Assystem

Assystem

Assystem delivers a comprehensive security approach for the industrial and service sectors that integrates physical security systems, industrial cyber-security, functional safety and dependability.

Finnish Accreditation Service (FINAS)

Finnish Accreditation Service (FINAS)

FINAS is the national accreditation body for Finland. The directory of members provides details of organisations offering certification services for ISO 27001.

Gigacycle

Gigacycle

Gigacycle is one of the leading IT disposal and recycling providers in the UK. We specialise in IT asset disposal (ITAD) and data destruction.

Fend

Fend

Fend secures smart infrastructure. We provide a robust, highly secure way to have situational awareness of IoT enabled assets.

Right-Hand Cybersecurity

Right-Hand Cybersecurity

Right-Hand Cybersecurity empowers businesses to monitor, measure and mitigate employee induced cyber risks in real-time.

Sec-Ops

Sec-Ops

Sec-Ops is a forward thinking cyber security company, formed by a group of security enthusiasts with years of experience and backgrounds in the technology and the government industries.

AutoSec

AutoSec

AutoSec supports the FFI program Electronics, Software and Communication by dissemination and exploitation of the results of projects related to automotive cybersecurity.

HashiCorp

HashiCorp

At HashiCorp, we believe infrastructure enables innovation, and we are helping organizations to operate that infrastructure in the cloud.

ANSSI Burkina Faso

ANSSI Burkina Faso

ANSSI is responsible for managing the security of information systems and cyberspace in Burkina Faso.

Metrics that Matter (MTM)

Metrics that Matter (MTM)

Metrics that Matter redefines how organizations approach cybersecurity by offering unprecedented insight into the value of their assets to criminals and tailored action plans to protect.