Code named ‘WannaCry’, ‘WannaDecryptor’, ‘WannaCrypt’ or just the layman’s ‘YouDontWannaCry’, it is a ransomware of its kind (from the Ransom.CryptXXX family) that hit the whole world to its knees on Friday the 12th of May, 2017. Security researchers and professionals have labelled it the largest ransomware assault on record, while at the same time calling it “the atom bomb of ransomware.” I would call it a digital weapon pulled directly from the ‘chief hacker’s vault of hacking manuals and blueprints.’ And were you to ask any security researcher (at one of those institutions bisecting the malware like Malwarebytes) the question: “what keeps you awake all the night?” the answer would have been unconsciously, “this.” Here is why it is a digital super storm. It is the first time a cyber-weapon developed by the N.S.A (notorious for its I.T expertise and doings), funded by American (world’s largest economy) taxpayers (directly and indirectly with and/or without knowledge) and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens. The effects have far spread worldwide. Having read the first article on what ransomware are and how they work, in this article, we will analyse its origin, prey, propagation, behaviour and mechanisms of camouflage, effects so far, and the preventive (not cure) measures.
The roots of its genealogy are traced back to the Obama administration when the White House created a process to review software vulnerabilities discovered by intelligence agencies like the N.S.A and C.I.A. Just like your country’s government would, they solely determined which of the vulnerabilities should be stockpiled for future offensive or defensive cyber operations and which should be reported to the respective companies so that they could be fixed. According to the government in question, only a small fraction of the vulnerabilities was retained, Microsoft windows’ SMB vulnerability was among these kept. Secured under the N.S.A.’s “Tailored Access Operations” unit, which infiltrates foreign computer networks, (as expected the unit has since been renamed.) the ultimate hacking tool (named Eternal Blue) for exploiting these depots of vulnerabilities was stolen probably by a group of hackers calling itself the “Shadow Brokers.” Later on last year the group, Shadow Hunters began to post these software tools that would exploit the vulnerability in Microsoft Windows servers.
Later on Friday 12thMay 2017, hackers (not yet known) exploiting these stolen hacking tools executed damaging cyber attacks that hit dozens of countries worldwide, leveraging heavy burdens on the victims. A case study is the Britain’s public health system who were denied access to their computers forcing them to send patients away. This saw disruptions rippling through at least 36 hospitals, doctors’ offices and ambulance companies across Britain
The prey and methods of spread
The malware exploits a Windows SMB Server vulnerability. This renders all unpatched Windows Systems are at risk of infection. If you are using any version of Windows including Windows XP, Vista, 8, Server 2003 and 2008, except Windows 10, with SMB protocol enabled. If you are using Windows 10 Creators Update (1703), you are not vulnerable to SMB vulnerability.
The malware is being circulated by email (see email phishing).Targets hit were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets. The fact that the files were encrypted ensured that the ransomware would not be detected by security systems until employees opened them, inadvertently allowing the ransomware to replicate across their employers’ networks. Once infected, WannaCry also scans for other unpatched PCs connected to the same local network, as well as scans random hosts on the wider Internet, to spread itself quickly. Again, once infected, you become a network node zombie (botnet) that simply helps in the propagation of this attack. For that reason when a node is hit, it should be isolated from the network. If you don’t like the technical you can skip the next section and move to the next after that.
Technical details on the attack
- When the Trojan is executed it drops the path files [PATH_TO_TROJAN] where the Trojan was originally executed.
- The Trojan then creates the and sets some registry entries like HKEY_CURRENT_USER\ControlPanel\Desktop\"Wallpaper"=%UserProfile%\Desktop\!WannaCryptor!.bmp"
- The Trojan creates the following mutexes: Global\WINDOWS_TASKOSHT_MUTEX0, Global\WINDOWS_TASKCST_MUTEX
- The Trojan then terminates the following processes using taskkil /f /iml: sqlwriter.exe, sqlserver.exe, Microsoft.Exchange.* , MSExchange*
- It then searches for and encrypts files with the following extensions:
.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .PAQ, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp ,.ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip
Encrypted files have .WCRY appended to the end of the file names.
- The Trojan then deletes the shadow copies of the encrypted files.
- The Trojan drops the following files in every folder where files are encrypted: !WannaDecryptor!.exe.lnk, !Please Read Me!.txt. The contents of the! Please Read Me!.txt is a text version of the ransom note with details of how to pay the ransom.
The Trojan downloads Tor and uses it to connect to a server using the Tor network. It then displays a ransom note explaining to the user what has happened and how to pay the ransom
Effects and new developments
By late Friday on the day of the attack, the attacks had spread to more than 74 countries, according to security firms tracking the spread and had already hacked nearly 200,000 Windows PCs. Kaspersky Lab, a Russian cybersecurity firm, said Russia was the worst-hit, followed by Ukraine, India and Taiwan. Reports of attacks also came from Latin America and Africa. About 104 countries in the world including U.K, Russia, Ukraine, India, China, Italy, and Egypt have been affected by the end of the weekend.
South Africa leads the pack among the African countries affected followed by Ivory Coast and Nigeria. Egypt, Algeria and Morocco complete the top six countries. At least 19servers have been hit in Kenya. Angola, Mozambique, Tanzania, Niger and Tunisia have also been hit.
In Russia, the country’s powerful Interior Ministry had around 1,000 of its computers which it described as less than 1 percent of its total) infected. The ministry, which oversees Russia’s police forces, said technicians had contained the attack.
Corporate computer systems in many other countries — including FedEx in the United States, one of the world’s leading international shippers, as well as Spain’s Telefónica and Russia’s MegaFon telecom giant were also seriously affected.
The ransom to be paid started at its lows of about $300 to unlock an individual computer. But the criminals designed their ransomware to increase the ransom amount on a set schedule and threatened to erase the hostage data after a predetermined cut-off time, raising the urgency of the attack and increasing the likelihood that victims would pay. For the close to actual values of ransom paid so far you can check the twitter account @actual_ransom. By the weekend, figures were staggering at 171 payments totalling 27.96968763 BTC ($47,510.71 USD), and by Wednesday this had almost doubled to almost $82,000 USD.
Even though a security researcher successfully found a way to slow down the infection rate, with Microsoft also releasing emergency patch updates even for unsupported versions of Windows, the researchers have detected some new versions of this ransomware, dubbed WannaCry 2.0, which couldn’t be stopped by the kill switch. What's even worse is that the new WannaCry variant believed to be created by someone else, and not the hackers behind the first WannaCry ransomware.
- Install security updates especially if using other versions of windows apart from Windows 10.
- Patch the SMB vulnerability (CVE-2017-0148) with the patch MS17-010 available for download here.
- Disable SMB. Even if you have installed the patches, you are advised to disable Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to prevent against WannaCry ransomware attacks. Here is how to do it.
For Windows clients
- Go to Windows' Control Panel and open 'Programs.'
- Open 'Features' under Programs and click 'Turn Windows Features on and off.'
- Now, scroll down to find 'SMB 1.0/CIFS File Sharing Support' and uncheck it.
- Then click OK, close the control Panel and restart the computer.
For Windows Servers
- Open Server Manager and then click the Manage menu and select Remove Roles and Features.
- In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
- Restart the system.
- Enable Firewall & Block SMB Ports. Always keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
What you can be sure of is that there is going to be a lot more of these attacks. We’ll see copycats, and not just for ransomware, but other attacks. That’s why you hear of families of ransomware. Despite the fact that Talwork has since been trying to educate the public on major IT security concerns, most of this knowledge has failed to reach their purpose destinations. The reader is requested to be responsible with the knowledge gained heretofore, by spreading the knowledge gained while doing the same for the source of knowledge. The vulnerability seen so far is, however, a clear indicator for the need for an up game. It is a wake-up call for the aspiring IT professionals especially from Africa (Africa is extremely deficient of cyber-intelligent organisms, robots inclusive). Since this widely spread ransomware attack is neither the first nor the last one to hit users worldwide, prevention is always the key to protect against such malware threats.