It was a Friday morning like any other. For some, weekly catch-up meetings were being held, others were making their way to the office, and the lucky ones had the day off. But for a soon-to-be-growing group of unsuspecting Microsoft Windows users, the 12th of May, a seemingly normal Friday, took a turn for the worse. “WannaCry”, an encryption ransomware virus, came to life and began seizing control of important user files, demanding a fee of $300 to $600 in Bitcoin for their release.
Based on reports from Symantec, its threat detection centre saw a huge spike in Windows exploits at around 8AM GMT. Luckily, users of Norton End-Point Security anti-virus software were protected.
Experts say that the virus wasn’t all that unique. While it was able to exploit a known vulnerability and spread at a rate faster than they had ever seen, strains of its source code bore similarities to earlier versions of malware.
Greg Clark, current CEO of Symantec, shared that his team soon established that some of the code used in WannaCry appears to have been used by a known hacker group called Lazarus. The group is believed to have been responsible for similarly catastrophic cyberattacks in 2014. One such attack took place on the morning of November 24th, when Sony Pictures employees logging onto its network were met with horrifying gunshot sounds followed by a scrolling threat and an equally ghoulish image of a skeleton. That day, the film titan lost over 3,200 files of data across over 6,700 personal computers and 837 of its servers.
How this version of encryption ransomware works
Like most encryption ransomware, WannaCry makes quick work of encrypting the files that victims need regular access to. The virus was designed to search for and seize 176 different file types, covering everything from MS Office documents to images and videos. Once a file is found and encrypted, WannaCry renames it with an extension of its own – rendering any and all attempts to rescue your files useless.
While the experience of your digital world being held ransom is jarring to say the least, what’s more shocking are reports that the vulnerability WannaCry took advantage of was well known, and the exploit spread like wildfire with the help of what many believe to be a United States National Security Agency cyber weapon dubbed “EternalBlue”.
EternalBlue showed up online roughly two months ago, released by a hacker group known as The Shadow Brokers, who have been around since 2016.
By strapping EternalBlue to an earlier version of the encryption ransomware, its authors were able to ensure a much faster infection rate.
EternalBlue was designed to exploit a known vulnerability in the Microsoft SMB version 1 server: the service could be made to accept a set of specially structured data packets from attackers, giving them easy access to target computers.
What’s clear about the threat is that it was not intended as part of a larger cyber-attack. The evidence is in the ransom request, according to Symantec’s CEO: a demand for $300 to $600 in Bitcoin, instead of a larger sum, indicates that the authors of the malware only planned to exploit personal computers and not to bring enterprise networks to their knees.
The crippling effect of WannaCry on enterprises across the globe was largely due to delayed action. Most organisations had not installed the latest security patch released by Microsoft on March 14th. Some of the most notable enterprises to have been affected are US courier company FedEx, German railway company Deutsche Bahn, Spain’s telecom giant Telefónica, and Britain’s National Health Service.
Speculation over whether the NSA or Microsoft is at fault or responsible is a debate that many are still pursuing; however, the likelihood of compensation for any damage caused by the encryption ransomware is low or close to none.
Responses to WannaCry
In the midst of the coverage that WannaCry quickly gained, the two most widely covered solutions have been the installation of Microsoft’s latest patch, and what has been coined a “happy accident”. A blog dedicated to research on new malware, malwaretech.com, and a researcher from cyber security firm Proofpoint named Darien Huss banded together to find what appears to be a loophole in the exploit.
According to MalwareTech, amongst WannaCry’s code was a command to check whether a specific URL led to a live webpage. At first glance, most would not have taken note of this, or would have found it only a little suspicious. Taking a closer look, MalwareTech found that the virus was only able to spread as long as the domain remained unregistered. All it took from there was an investment of $10.69 to register it, and WannaCry was stopped dead in its tracks.
While MalwareTech’s solution seems to have dealt with the first iteration of the encryption ransomware threat, there may be more permutations on the way: versions that could include workarounds for the obvious URL lookup.
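The kill-switch lookup described above leaves a trace in DNS query logs that defenders can use: any host that resolved the domain was running WannaCry, and a host whose lookup failed (NXDOMAIN, before the domain was registered) was never halted by the check. The script below is an added example, not code from the article or from MalwareTech; the domain name and the log line format are constructed placeholders.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain in DNS query logs.
Added example, not the article's code; domain and log format are constructed."""
from dataclasses import dataclass

# Placeholder for the real kill-switch domain MalwareTech registered (assumption).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"
# Constructed log lines in the form "<timestamp> <client-ip> <query-name> <rcode>".
SAMPLE_LOG = """\
2017-05-12T07:58:01Z 10.0.4.17 killswitch-placeholder.example. NXDOMAIN
2017-05-12T07:58:02Z 10.0.4.17 files.intranet.example. NOERROR
2017-05-12T08:10:44Z 10.0.9.3 KILLSWITCH-PLACEHOLDER.EXAMPLE. NXDOMAIN
2017-05-12T15:22:09Z 10.0.4.22 killswitch-placeholder.example. NOERROR
malformed line that should be skipped
"""

@dataclass
class HostReport:
    first_seen: str
    lookups: int = 0
    nxdomain: int = 0  # domain did not resolve: the check failed, the worm carried on
    resolved: int = 0  # domain resolved: the kill switch fired and the worm halted

def parse_line(line):
    # Tolerate case and trailing-dot differences in the query name; skip bad lines.
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    return ts, client, qname.rstrip(".").lower(), rcode.upper()

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: HostReport} for every host that queried the domain."""
    reports = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != domain.lower():
            continue
        ts, client, _, rcode = rec
        r = reports.setdefault(client, HostReport(first_seen=ts))
        r.lookups += 1
        if rcode == "NXDOMAIN":
            r.nxdomain += 1
        else:
            r.resolved += 1
    return reports

def hosts_needing_triage(reports):
    """Hosts whose lookup failed were never halted by the kill switch: isolate them first."""
    return sorted(c for c, r in reports.items() if r.nxdomain > 0)
```

Run find_kill_switch_lookups(SAMPLE_LOG) and pass the result to hosts_needing_triage; hosts that only ever received a resolved answer were infected but stopped once the domain went live.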
If you’re an average PC user and feel slightly vulnerable, now’s the time to consider a smarter, more proactive approach to protecting your digital life. Invest in anti-virus software and make sure that you update your PC as soon as new security updates and patches are available. If you’re a systems administrator and want to make sure that you’re never caught off guard again, be sure to subscribe to as many trusted IT news sources and blogs as you can that cover updates for whatever software you run on your servers.