WannaCry Ransomware goes global

Oct 20, 2017
Author:
Andrew Avanessian

On Friday, a cyber attack on an unprecedented scale struck a wide range of organizations in over 99 countries across the globe. The ransomware attack, known as WannaCry or WannaCrypt0r, shut down IT systems in NHS hospitals and GP surgeries in the UK, as well as those of many large global organizations including Telefonica, FedEx and Renault.

The sheer scale of the attack and the speed at which it moved have never been witnessed before, but it sets a new benchmark for attackers and gives us a glimpse of what is still to come in the long battle against cyber crime.


From what we know at this stage, the attack originated via an extensive email phishing campaign. It is understood that some of those emails posed as messages from a bank concerning a money transfer. When these emails are opened, a payload is dropped to disk, which encrypts the victim's data.

The ransomware (Wana Decryptor) isn't particularly novel and has been around since February. Once it infects the PC, the worm encrypts all the files on the machine and then demands that the victim pay a ransom to free them; in this case, the attackers appear to have been asking in the region of $300 in bitcoin.

The above stages of the attack are simple to protect against; the reason this one spread so quickly is its use of leaked zero-day hacking techniques from the NSA, essentially putting nation-state capabilities in the hands of criminals. The technique, dubbed EternalBlue, makes it easy to hijack unpatched older Windows machines via an SMB vulnerability. Once Wana Decryptor has infected the first machine, it attempts to spread to other machines on the same local network and then out via the internet.

So why was the NHS such a ripe target?

It has been a perfect storm for the NHS: a mix of circumstances in which a cyber attack on this scale can flourish. You have a combination of antiquated systems, a clear lack of investment in security measures, and poor security practices. Furthermore, the NHS shares a lot of systems; the interconnectedness of the back end completes the perfect storm. Though the attack was not specifically targeted at the NHS, it will dramatically change the way the NHS approaches its cyber security; unfortunately, it has taken a major incident like this to get there.

So what can be done?

The key point is that this attack could easily have been prevented. There are two main steps organizations must take to protect their systems from a ransomware attack. First, understand the environment: what it looks like and what works well in it. By focusing on the fine detail of their operating systems, organizations can protect against the unknown. Second, make sure patches are up to date. This particular vulnerability had been patched by Microsoft in March on modern operating systems.

It is crucially important to reduce the attack surface on your endpoints rather than relying on detection. For example, the leak from the NSA provided 20 different attack vectors, four of which were unknown to Microsoft. It is very easy to modify malware to bypass security techniques, which points to the importance of protecting against the unknown. I would not be surprised to see this malware morph into a new strain within a few weeks and leverage a different technique.

What Microsoft solutions are available to protect additional products?

In March, Microsoft released a security update that fixes the vulnerability, but this was for modern operating systems. Microsoft is now taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.
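The two conditions the SMB worm depends on are a host that still offers SMBv1 and one that has not received the MS17-010 fix. The following PowerShell script is an added example (not code from the original post or from Microsoft) that audits a single Windows host for both and disables SMBv1 where it is found. It assumes an elevated session on Windows 8/Server 2012 or later, where Get-SmbServerConfiguration and Get-NetTCPConnection exist; the KB numbers in the list are assumed from the MS17-010 bulletin and should be confirmed for the exact OS build, because later cumulative updates supersede them.

```powershell
# Added example: audit a Windows host for WannaCry's SMB spreading preconditions.
# Not part of the original post. Requires an elevated PowerShell session.
#Requires -RunAsAdministrator

# ASSUMED from the MS17-010 bulletin; verify per OS build. Cumulative updates
# supersede these IDs, so an empty result does not by itself prove "unpatched".
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198',
                'KB4013429', 'KB4012598')

function Get-WannaCryExposure {
    # Server-side SMB configuration exposes whether SMBv1 is still offered.
    $smb = Get-SmbServerConfiguration
    # Installed hotfixes that match a known MS17-010 ID.
    $installed = Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    # Whether TCP/445 is actually listening (the port EternalBlue targets).
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = [bool]$smb.EnableSMB1Protocol
        Ms17010Hotfixes  = ($installed -join ',')
        Port445Listening = [bool]$listening
    }
}

function Disable-Smb1 {
    # Stop the server from offering SMBv1 (effective immediately, no reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 8.1/10 also remove the optional feature (reboot required to complete).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$before = Get-WannaCryExposure
$before | Format-List

if ($before.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it removes the transport the worm relies on.'
    Disable-Smb1
    Get-WannaCryExposure | Format-List
}
if (-not $before.Ms17010Hotfixes) {
    Write-Warning 'No MS17-010 hotfix ID found; confirm patch level from the update history before trusting this host.'
}
```

Run it on one host first and compare the before and after output; in a fleet, wrap Get-WannaCryExposure in Invoke-Command and collect the objects centrally so the hosts with Smb1Enabled true and an empty Ms17010Hotfixes column can be prioritised.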

Windows Defender has also received an update that detects this threat as Ransom:Win32/WannaCrypt.

As the WannaCrypt ransomware spread overnight, a security team did manage to find a kill switch to slow the speed at which this potent piece of malware was traveling – it remains to be seen just how long that will last. As the details and implications of this attack continue to play out, we’ll have to wait and see just how damaging and costly this attack has been.

Keep an eye on the @Avecto Twitter feed for all the latest comment and analysis on this developing story. You can also hear Andrew discuss the attack here.

Update: 16.05.17

The initial WannaCry dropper abuses admin rights to gain System integrity before spreading using SMB. Removing admin rights stops it.

Our team has now been able to analyze samples of the WannaCry ransomware and found that if the initially affected user does not have full administrative rights, the malware exits without infecting the machine.

Avecto's analysis found that the initial infection requires local admin rights to install a payload into the Windows folder and begin spreading via the SMB worm. In our analysis, the combination of privilege management and application allow-listing was able to prevent the WannaCry ransomware from infecting systems and spreading.
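Since the analysis above hinges on whether the affected user holds local admin rights and can write into the Windows folder, a defender's first check is an audit of exactly that. The script below is an added example (not Avecto's tooling) that lists local Administrators membership, flags members outside an expected list, and inspects the ACL on %SystemRoot% for write rights granted to non-admin principals. It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember; the expected-members list and the EXAMPLE domain group are placeholders to replace with your own build standard.

```powershell
# Added example: least-privilege audit for the WannaCry preconditions described above.
# Not part of the original post. Placeholders are marked as such.

function Test-CurrentUserIsAdmin {
    # True when the current token is a member of BUILTIN\Administrators.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAudit {
    # PLACEHOLDER expected list: the built-in Administrator and one domain group.
    $expected = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Workstation Admins')
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
            Unexpected  = ($expected -notcontains $_.Name)
        }
    }
}

function Get-WindowsFolderWriteGrants {
    # The dropper's install step needs write access under %SystemRoot%; only
    # SYSTEM, TrustedInstaller and Administrators should hold it. Flag any
    # Allow ACE for broad principals that carries WriteData (covered by
    # Modify and FullControl as well).
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    (Get-Acl -Path $env:SystemRoot).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match 'Users|Everyone|Authenticated Users' -and
        (($_.FileSystemRights -band $writeData) -eq $writeData)
    }
}

"Current user is admin: $(Test-CurrentUserIsAdmin)"

$unexpected = Get-LocalAdminAudit | Where-Object Unexpected
if ($unexpected) {
    Write-Warning 'Accounts outside the expected list hold local admin rights:'
    $unexpected | Format-Table Name, ObjectClass, Source -AutoSize
    # Remediation (not run automatically): Remove-LocalGroupMember -Group 'Administrators' -Member <name>
}

$grants = Get-WindowsFolderWriteGrants
if ($grants) {
    Write-Warning 'Non-admin principals can write under the Windows folder:'
    $grants | Format-Table IdentityReference, FileSystemRights -AutoSize
}
```

A clean host prints no warnings: the current user is not an admin, every member of Administrators is on the expected list, and the Windows folder grants write access only to the privileged principals. Any warning is a host where the "exit without infecting" behaviour described above would not apply.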


Avecto has discovered several Bitcoin wallets, valued at around £14k each, linked to the WannaCry malware. Compared to Cerber ransomware, which was estimated to be on track for about $2.4 million this year, this is a low yield and suggests either a lack of technical sophistication or possibly a greater desire to disrupt than to profit.

Patching with MS17-010 will prevent WannaCry from spreading via the SMB worm, but will not prevent users from being re-infected directly via phishing emails or downloads. It is essential to deploy privilege management and allow-listing to ensure these payloads cannot re-infect machines and cause another outbreak.

Once again, we've seen that seemingly significant threats can be mitigated by implementing proactive security measures. Privilege management and consistent patching should form the foundations of the cyber security strategy for any organization.
