In one of the most publicised and arguably most destructive ransomware releases to date, WannaCry spread like wildfire over the internet during the last weekend. At its height, the ransomware infected potentially millions of computers in over 100 countries across the globe. Businesses, corporations, public utility services, private individuals, and even the UK’s National Health Service fell prey to the ransomware, which exploited a bug in the Windows SMB service that Microsoft patched in March 2017, after Wikileaks released details of hacking tools and methods used by NSA (United States National Security Agency) operatives.

Microsoft patched the issue in record time (less than a week!), but the update was not installed on every PC, and some Windows 10 machines had not yet received it either. The exploit affected every Windows machine in existence from XP to Windows 10 build 1703, as well as installations of Server 2003 to Server 2016, and installations of Windows XP Embedded and Windows 7 Embedded.

Although the originating source is not yet known, WannaCry appears to have lain dormant on multiple computers before a switch was activated remotely by hackers, starting a chain reaction. Controlled through the TOR network, the attackers seeded the ransomware by using EternalBlue, one of the leaked NSA tools, to find machines on the internet that were not firewalled and did not have Microsoft’s SMB patch installed. Once loaded on a system, the worm would check whether a predetermined domain name responded, and would then start encrypting the user’s files.

WannaCry infecting computers used for signage in Dresden train station, Germany.

After the ransomware was activated, it is theorised that a second tool, DoublePulsar, was used to scan the other PCs on the infected network and attack them with a second exploit that opened a backdoor, which EternalBlue could then use to exploit the SMB bug, rapidly spreading the worm through the network. Across an unpatched network the attack could complete in a matter of minutes, and removing the ransomware before it had a chance to do severe damage was largely a matter of luck.

As is usually the case, the attackers then demanded that users pay the ransom in Bitcoin to one of several wallets hard-coded into the application, at a starting cost of $300. After the initial three-day deadline was missed, the ransom doubled and users would lose access to all of their files, now encrypted using a 4096-bit RSA cipher.

While the ransom demands and the ransomware itself were pretty standard fare for this kind of malware, what was different was the attack’s target – computers that had not been updated since the last Microsoft security bulletin that fixed the problem. The attackers banked on loads of organisations not updating timeously, and they were right. Intel’s MalwareTech tracker site almost immediately identified which IP addresses the new botnet was reporting to, and as of this writing 367,589 originating IPs have been tracked. Keep in mind, however, that these are not individual computers – rather, they are originating IP addresses, which means that potentially millions of computers hide behind them if they’re registered to a business or an ISP.

Intel’s unique IP tracking tool shows that today, 16 March 2017, there are still well over 300 million unique IP addresses that last reported to its server tracker when the PCs came online.

Stopping the worm in its tracks

One of Intel’s malware researchers, writing under the pseudonym “MalwareTech”, published a blog post on the Malware Tech site detailing how they had accidentally triggered the worm’s killswitch by registering the website domain that the virus was trying to contact. Once they set up their server, known as a “sinkhole server”, to not respond to pings sent to the server hosting the site, the virus stopped encrypting files on newly infected computers, and they were able to contain the spread.

However, because there are several versions of WannaCry with different Bitcoin wallet IDs associated with them, there’s every chance that a new version of the worm will have no killswitch or any other way to disable it. Some reports indicate that a second strain may already exist, and that it is infecting new hosts.
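Because a killswitch cannot be relied on, a defender has to spot the behaviour described above on their own network: one machine suddenly opening SMB (TCP port 445) connections to many other machines. The following PowerShell is an added example, not code from the article or from MalwareTech; it parses a few constructed log lines in the field order of the Windows Firewall log (date, time, action, protocol, source IP, destination IP, source port, destination port) and flags any source that reaches a threshold of distinct port-445 targets within a time window. The threshold, window and sample addresses are all assumptions chosen for the demonstration.

```powershell
# Added example (not from the original article): flag hosts that behave like the
# worm described above, i.e. one source opening SMB (TCP 445) connections to many
# distinct machines in a short time. The log lines are CONSTRUCTED samples in
# Windows Firewall (pfirewall.log) field order.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2017-05-12 10:01:01 ALLOW TCP 10.0.0.15 10.0.0.2 49152 445
2017-05-12 10:01:01 ALLOW TCP 10.0.0.15 10.0.0.3 49153 445
2017-05-12 10:01:02 ALLOW TCP 10.0.0.15 10.0.0.4 49154 445
2017-05-12 10:01:02 DROP TCP 10.0.0.15 10.0.0.5 49155 445
2017-05-12 10:01:03 ALLOW TCP 10.0.0.15 10.0.0.6 49156 445
2017-05-12 10:01:03 ALLOW TCP 10.0.0.15 10.0.0.7 49157 445
2017-05-12 10:01:04 ALLOW TCP 10.0.0.15 10.0.0.2 49158 445
2017-05-12 10:01:05 ALLOW TCP 10.0.0.20 10.0.0.2 51000 445
2017-05-12 10:01:06 ALLOW TCP 10.0.0.20 10.0.0.9 51001 80
'@ -split "`r?`n"

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10,      # distinct 445 targets before a source is flagged (assumed value)
        [int]$WindowSeconds = 60   # sliding window length (assumed value)
    )
    # Keep only TCP connections to destination port 445; ignore header/blank lines.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^\s*#') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    # For each source, slide a window over its connections and count distinct targets.
    foreach ($group in $events | Group-Object Src) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $targets = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                         Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $group.Name
                    DistinctTargets = $targets.Count
                    FirstSeen       = $start
                }
                break   # one alert per source is enough
            }
        }
    }
}

# With the sample above, 10.0.0.15 (6 distinct targets) is flagged; 10.0.0.20 is not.
Find-SmbFanOut -Lines $sampleLog -Threshold 5 | Format-Table -AutoSize
```

On a real host, replace `$sampleLog` with `Get-Content` of the firewall log and tune the threshold to the normal amount of file-sharing traffic on your network; a legitimate file server will also talk to many clients on port 445, so the source being a workstation is the stronger signal.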

This seems to tally with the increasing number of payments made to the associated Bitcoin wallets, with new ones being made roughly every fifteen minutes. As of 13:00 this afternoon, 233 payments have been made to the linked wallets, for a total ransom haul of over R850,000. While no new PCs are getting their files encrypted after the initial infection, those that were already affected and encrypted are still stuck with having to pay the ransom fee, or bide their time hoping that someone manages to crack the encryption.

That the worm was stopped from encrypting files is good news, but it does little to lessen the damage already caused. Thousands of computers used by the National Health Service across the UK were affected, effectively bringing down the entire institution and resulting in mass delays for much-needed surgeries, medicine handouts, and regular administration. In Japan, motor manufacturer Nissan had to shut down services and send everyone home after the ransomware found its way into their network and attacked hundreds of systems, and several other businesses and utilities, like the Tokyo railway services, were affected. Russia was the hardest hit, with over 80,000 IP addresses reporting to the Malware Tech servers in the first few hours of the attack. In Dresden, Germany, trains were delayed. Call centres in India had to close because their systems weren’t patched.

WannaCry infections hit South Africa as well, showing up in several major cities.

The fact that the UK Royal Navy still has submarines running versions of Windows XP Embedded that are vulnerable to the attack was also a cause for concern, although the Royal Navy would not comment to the press about the possibility of an attack on its infrastructure. The NHS attack could also have been prevented had the government not ceased its funding for critical systems running old versions of Windows, part of a R93 million annual deal with Microsoft for custom support of Windows XP.

With millions of computers still unpatched, second and third waves of WannaCry will surely follow, and even with Microsoft’s patches installed you are still at risk of being targeted by the software itself. WannaCry’s reliance on EternalBlue and DoublePulsar in this instance allowed the attack to be carried out against any PC that was sitting unpatched, regardless of its use.

Protect yourself

A worldwide map of WannaCry infections. Keep in mind that thousands of PCs can hide behind one internet-facing IP address linked to an ISP or business.

Microsoft has published several updates for Windows operating systems vulnerable to the attack, and you can download them directly from catalog.update.microsoft.com. Everyone is urged to apply the patch to their PCs as necessary, and to update their antivirus and firewall software, if applicable.

The patch is called KB4012598, and it can be downloaded and applied offline for systems running Windows XP SP2 and SP3, Vista, Windows 8, Windows Server 2003 and 2008, Server 2008 for Intel Itanium systems, and Windows XP Embedded and POSReady 2009 systems.

The updates for Windows 7, 8.1 and 10 are packaged differently, and thus have different KB numbers. You can check your version by pressing the Windows key + R, typing “winver” and pressing the return key.

Another measure you can take is to block port 445, the port used by the SMB service, for the moment, while a workaround for the encryption is being worked on. This will unfortunately disable some networking capabilities for newer systems on older networks, but it helps to protect you from infection. Additionally, update your web browsers, don’t open an email attachment unless you know who it’s from and have confirmed with them that they sent it, and be especially suspicious of random Facebook and Skype invites that offer to send you a mail. All of the tools used in the attack are hosted somewhere on the internet, and malicious hackers will be able to grab them and use them to their advantage.
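The checks above (which Windows version you run, whether the patch is installed, and whether port 445 is blocked) can be done from one elevated PowerShell prompt. The script below is an added example, not something from the article or from Microsoft: it reports the OS version, looks for the KB numbers you give it, reports whether the SMBv1 server protocol is still enabled, and checks for an inbound block rule on TCP 445, with a separate function that creates that block rule. It assumes PowerShell 3 or later with the `NetSecurity` and `SmbShare` modules (Windows 8/Server 2012 and newer); older systems report “unknown” for those fields. KB4012598 is the only KB number the article gives, so the second entry in the list is a placeholder you must replace with the number Microsoft lists for your own Windows 7, 8.1 or 10 build.

```powershell
# Added example (not from the original article): a local readiness check for the
# advice above. Run from an elevated PowerShell prompt (PowerShell 3+).
function Get-WannaCryExposure {
    param(
        # KB4012598 comes from the article; the second entry is a PLACEHOLDER for
        # the KB number Microsoft lists for your Windows 7/8.1/10 build.
        [string[]]$PatchIds = @('KB4012598', 'KB-FOR-YOUR-OS-BUILD-PLACEHOLDER')
    )
    $os = Get-CimInstance Win32_OperatingSystem

    # Which of the listed updates are installed?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $PatchIds -contains $_.HotFixID }

    # SMBv1 is the protocol version the exploited service speaks; 'unknown' where the
    # SmbShare module is not available.
    $smb1 = 'unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Is there already an enabled inbound rule blocking TCP 445?
    $blocked = 'unknown'
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $blocked = [bool](
            Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
            Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
        )
    }

    [pscustomobject]@{
        Caption        = $os.Caption
        Version        = $os.Version            # same value winver shows
        PatchesFound   = ($installed | ForEach-Object HotFixID) -join ','
        Smb1Enabled    = $smb1
        Port445Blocked = $blocked
    }
}

function Block-SmbPort445 {
    # The temporary mitigation from the article: block inbound TCP 445 on the host
    # firewall. This also stops this machine from serving file and printer shares.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (WannaCry mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
}

Get-WannaCryExposure | Format-List
# To apply the port block after reviewing the report:  Block-SmbPort445
```

An empty `PatchesFound` field together with `Smb1Enabled` of `True` and `Port445Blocked` of `False` is the exposed state the article describes; install the update first, and use the port block as a stopgap on machines that cannot be patched immediately.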

Ultimately, no-one is safe on the internet. The most you can achieve is owning a small attack surface that most hackers would not be able to find.
