WannaCry, the largest ransomware-spread campaign to date!
If you think that updating operating systems is not necessary, think again! Within the scope of the largest ransomware-spread campaign to date, more than 223.000 computers across 99 countries worldwide (including United States, Russia, India, Germany, Africa, Philippines, China …) have been infected. Here is the story behind the WannaCry ransomware and protection methods…
On May 12th, National Cryptological Center of Spain issued an alert on their website about massive ransomware attack affecting several Spanish Organizations.
The National Health Service (NSH) of UK also issued and alert and confirmed WannaCry ransomware infections in 16 medical institutions.
Security researchers from Kaspersky Labs confirmed additional infections in several countries including India, Russia and Ukraine afterwards. Later, WannaCry news began to spread on popular news websites.
What was the reason that the WannaCry spread too fast? What makes WannaCry so dangerous?
Just like other ransomware campaigns, WannaCry is distributed via malicious spam emails. But, as a unique function, WannaCry attempts to infect other computers on the same network by using a recently patched Windows SMB vulnerability. It has been reported that, once a computer is infected, WannaCry scans the entire internal network for the vulnerable operating systems. Since it uses the critical SMB vulnerability which affects all unpatched Windows versions including servers, WannaCry is able to infect all unpatched Windows machines in the same network.
SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between network computers. Critical flaws in SMB protocol version 1 (SMBv1) allows an attacker to execute malicious code, inject backdoor, run DLL/shellcode and take control of the target machine by sending specially crafted SMB messages.
And what’s interesting about WannaCry ransomware is that the exploit (codenamed ‘EternalBlue’) used by ransomware was leaked by a hacker group called ‘Shadow Brokers’ and made available on the Internet on April 14th. EternalBlue, along with other hacking tools, allegedly created and used by NSA. It has been reported that this exploit has been repurposed by the attackers behind WannaCry campaign to infect machines in internal networks.
Like other ransomware variants, WannaCry also encrypts most of the user files after the infection and drops a ransom note. The note contains requested amount for decryption tool, which is about $300, and Bitcoin wallet.
Although Microsoft has released patches for this specific vulnerability (MS17-010) on March 14th 2017, WannaCry took advantage of the unpatched operating systems worldwide. Therefore, Microsoft recently released an emergency security updates even for it’s unsupported operating systems.
Another interesting point is the hard-coded ‘kill switch’ of WannaCry ransomware!
After looking at the ransomware’s code Fox-IT noticed that the malware had a hardcoded kill switch which could disable all functionality.
Once the ransomware is running on a victim’s machine it tries to connect to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
If the connection succeeds, the binary exits and will not start encrypting files nor start spreading.
Afterwards, a security researcher (@MalwareTechBlog) spotted the domain and found out that luckily it was not registered by malicious actors. Security researcher registered the domain and activated the hard-coded kill switch accidentally!
How to protect from WannaCry ransomware?
- First of all, download the fixes and patch your operating system by using MS17-010 update page or MS emergency security updates here.
- If you are using Windows XP, you can find the patch here.
- It is also suggested to disable unsecure SMBv1 protocol (you can follow the steps here.)
Please subscribe to our free security newsletter.
220 total views, 1 views today