We’re living through a digital zeitgeist, one where connectivity and convenience are sought after, often at the expense of freedom and security. Invisible highways carrying trillions upon trillions of bytes of data whip by us, through WiFi connections, cellular data or undersea cables. On these metaphorical highways, one program had managed to infiltrate hundreds of thousands of computers on Friday, holding them hostage and crippling organisations. Its name? WannaCry.
WannaCry (also known as WannaCrypt) is a type of ransomware; a nefarious type of malicious software (malware) that encrypts the files on your device and demands a sum of money from you (usually in bitcoin, which is pseudonymous rather than truly untraceable) before the perpetrator will hand over the key. Only upon paying the required ransom will you be able to access all of your files again. It’s the modern day version of a kidnapping; your laptop being Frank Sinatra Jr. and WannaCry being the abductor.
According to reports, WannaCry spreads using EternalBlue, an exploit that had been developed by the U.S. National Security Agency (NSA). EternalBlue’s code was released to the public by a group calling itself the Shadow Brokers on April 14th, 2017, after which an unknown third party bolted it onto ransomware and unleashed the result as WannaCry. Although the flaw EternalBlue exploits, a vulnerability in Microsoft’s SMBv1 file-sharing protocol, had been patched by Microsoft in March (security bulletin MS17-010), a month before the exploit’s public release, millions of devices around the world had not applied the patch, leaving themselves vulnerable.
As a result, WannaCry swept through over a hundred countries, crippling organisations including the telecom operator Telefónica, FedEx, Nissan and dozens more. The resulting chaos and panic were unprecedented, with many organisations pre-emptively shutting down systems and disconnecting them from the internet to prevent their own systems from falling prey to the virulent strain of ransomware. Britain’s National Health Service had to turn away non-critical patients and some ambulances were diverted to hospitals that weren’t affected, while automotive manufacturers like Renault shut down entire factories to halt the spread of the malware.

Much like the common cold, once it had taken root on a machine, it attempted to replicate itself and spread. It did this by using the EternalBlue exploit against the SMB file-sharing service (TCP port 445) on other devices on the same network, and on randomly chosen addresses on the internet. On an infected computer a message would be displayed informing the user that their files had been encrypted, along with a demand for $300 in bitcoin within three days; the note warned that the price would double after that and that the files would become permanently unrecoverable after seven days. More surprising still, the ransom note was localised into 28 languages.
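The spreading behaviour described above has a visible footprint: one host opening connections to many different machines on port 445 in a short time, which ordinary workstations never do. The following is an added example for this article, not code from the article or from any vendor; it runs a simple fan-out detector over constructed firewall log lines. The log format (timestamp, source, destination, destination port, action) and the sample lines are assumptions, so adapt `parse_line()` to your own firewall or NetFlow export.

```python
"""Flag hosts fanning out to TCP/445 the way an SMB worm does.

Added example for this article, not code from the article or from any
vendor: the log format (timestamp src dst dport action) and the sample
lines are constructed here; adapt parse_line() to your firewall or
NetFlow export.
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: 10.0.5.23 probes ten internal hosts and two internet
# addresses on 445 within half a minute (a worm's behaviour); 10.0.5.77 and
# 10.0.5.31 are ordinary clients talking to the file server 10.0.5.50.
SAMPLE_LOG = """\
2017-05-12T10:01:00 10.0.5.23 10.0.5.1 445 ALLOW
2017-05-12T10:01:03 10.0.5.23 10.0.5.2 445 ALLOW
2017-05-12T10:01:06 10.0.5.23 10.0.5.3 445 DENY
2017-05-12T10:01:09 10.0.5.23 10.0.5.4 445 ALLOW
2017-05-12T10:01:12 10.0.5.23 10.0.5.5 445 ALLOW
2017-05-12T10:01:15 10.0.5.23 10.0.5.6 445 DENY
2017-05-12T10:01:18 10.0.5.23 10.0.5.7 445 ALLOW
2017-05-12T10:01:21 10.0.5.23 10.0.5.8 445 ALLOW
2017-05-12T10:01:24 10.0.5.23 10.0.5.9 445 ALLOW
2017-05-12T10:01:27 10.0.5.23 10.0.5.10 445 ALLOW
2017-05-12T10:01:30 10.0.5.23 198.51.100.7 445 DENY
2017-05-12T10:01:33 10.0.5.23 203.0.113.9 445 DENY
2017-05-12T10:01:05 10.0.5.77 10.0.5.50 445 ALLOW
2017-05-12T10:01:40 10.0.5.77 10.0.5.50 445 ALLOW
2017-05-12T10:02:10 10.0.5.77 10.0.5.50 445 ALLOW
2017-05-12T10:01:50 10.0.5.31 10.0.5.50 445 ALLOW
2017-05-12T10:01:55 10.0.5.31 10.0.5.50 443 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout(log_text, window_seconds=60, threshold=10,
               internal=ip_network("10.0.0.0/8")):
    """Return {src: {"internal": n, "external": m}} for every source that
    reaches `threshold` or more distinct hosts on port 445 within any
    `window_seconds` span. DENY lines count too: a blocked probe is still
    a probe, and a scanning host should be isolated whether or not the
    firewall stopped that particular connection."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()      # dst -> hits inside the sliding window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than the window from the front.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                peers = {d for _, d in events}
                external = sum(1 for d in peers
                               if ip_address(d) not in internal)
                flagged[src] = {"internal": len(peers) - external,
                                "external": external}
                break
    return flagged


if __name__ == "__main__":
    for src, counts in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {counts['internal']} internal and "
              f"{counts['external']} external hosts on 445 -- isolate it")
```

Tune `threshold` and `window_seconds` to your environment (backup servers and vulnerability scanners legitimately touch many hosts on 445, so allow-list them rather than raising the threshold for everyone), and treat a single hit on an internet destination as its own alert: a workstation should never be initiating SMB to the outside at all.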

However, just as WannaCry was closing in on organisations in over a hundred countries, a security researcher known as MalwareTech stumbled upon a “kill-switch” for WannaCry. While reverse-engineering samples of WannaCry, he noticed that the code contacted a hard-coded web domain that nobody had registered. MalwareTech was quick to buy and register it. The result was a halt in new infections: the code he had found made the ransomware check whether that domain answered before doing anything else, and exit if it did, so as soon as the domain went live, the ransomware stopped encrypting and spreading on any machine it reached. Whether the domain was included as an intentional kill-switch by its creators is up for debate; MalwareTech believes it was meant to detect analysis sandboxes, which often answer every web request, so that the ransomware would shut itself down when being examined by security professionals.
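The kill-switch logic is easy to get backwards, and its side effects matter to defenders, so here it is modelled in code. This is an added illustration, not the malware’s own code or anything from the article: `KILL_SWITCH_DOMAIN` is a placeholder rather than the real domain, and `fetch` stands in for the single unconditional HTTP request the sample makes before it does anything else. The four simulated environments show why registering the domain stopped the outbreak, why a sandbox that resolves every name would also stop it (MalwareTech’s analysis-evasion theory), and one caveat a practitioner should know: the request did not honour system proxy settings, so on a network where outbound web traffic is only allowed through a proxy the request fails and the sample runs anyway, registered domain or not.

```python
"""Model of the WannaCry kill-switch check, added as an illustration for
this article; this is not the malware's code. KILL_SWITCH_DOMAIN is a
placeholder (assumption, not the real domain) and fetch() stands in for
the single unconditional HTTP GET the sample makes before anything else."""

KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"   # placeholder, not the real domain


class Unreachable(Exception):
    """Raised by a fetch() when the request cannot be completed."""


def worm_would_run(fetch, domain=KILL_SWITCH_DOMAIN):
    """True when the sample would go on to encrypt files and spread.

    The logic is inverted from what people expect: a *successful* request
    makes the sample exit, and any failure (NXDOMAIN, timeout, egress
    blocked) makes it proceed."""
    try:
        fetch("http://" + domain + "/")
    except Unreachable:
        return True
    return False


# Four environments, each simulated as a fetch() function.

def internet_before_registration(url):
    raise Unreachable("NXDOMAIN")              # the domain did not exist yet


def internet_after_registration(url):
    return 200                                 # sinkhole answers, sample exits


def sandbox_with_fake_dns(url):
    return 200                                 # analysis box resolves every name


def proxy_only_network(url):
    raise Unreachable("direct egress blocked")  # the GET ignores proxy settings


def decision_matrix():
    """Map each environment to whether the sample would run there."""
    envs = {
        "internet before registration": internet_before_registration,
        "internet after registration": internet_after_registration,
        "sandbox with fake DNS": sandbox_with_fake_dns,
        "proxy-only corporate network": proxy_only_network,
    }
    return {name: worm_would_run(fetch) for name, fetch in envs.items()}


if __name__ == "__main__":
    for env, runs in decision_matrix().items():
        print(f"{env}: {'RUNS' if runs else 'exits'}")
```

The last row is the practical lesson: the kill-switch is a stopgap that depends on every infected machine being able to reach the domain directly, so it is no substitute for patching.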

The brief reprieve bought by MalwareTech’s quick thinking allowed organisations and companies across the globe to shore up defences by updating their systems and by installing an emergency patch Microsoft had made available. For many of these systems it was the first patch they had received since Microsoft ended support for legacy versions of Windows such as Windows XP, Windows 8 and Windows Server 2003. Windows 10 systems were not affected by the attack.
However, that reprieve was short lived, with security researchers soon discovering variants of WannaCry without the kill-switch, dubbed WannaCry 2.0. These variants continued spreading to computers that had not yet been updated and patched.
I advise our readers to check for updates from Microsoft, especially if you’re running a legacy version of the Windows operating system. So far there is no feasible way to decrypt your data, meaning that the best protection from WannaCry is to ensure you don’t get infected in the first place, and to keep backups somewhere the malware cannot reach.
Editor’s note: A fix has been made available and can be read about here.
UPDATE:
Symantec issued an advisory regarding WannaCry earlier this week.
Symantec Endpoint Protection and Norton customers are fully protected from WannaCry by multiple layers of advanced protection. This includes Symantec’s new advanced machine learning, proactive network exploit protection, SONAR behavioral protection, and the Intelligent Threat Cloud.
Symantec also identified tools used exclusively by the Lazarus group on machines infected with earlier versions of WannaCry. Those earlier variants did not have the ability to spread via SMB, so the Lazarus tools could potentially have been the method used to propagate them; however, this remains unconfirmed.
In some cases, files may be recovered without backups. Files saved on the Desktop, in My Documents, or on a removable drive are encrypted and their originals are overwritten before being deleted; these are not recoverable. Files stored elsewhere on the computer are encrypted and their originals are simply deleted, which means they may be recoverable with an undelete tool, provided the disk space has not been reused in the meantime.
Analysis of the three Bitcoin addresses provided by the attackers for ransom payment indicates that, at the time of writing, a total of 31.21 bitcoin ($53,845) had been paid in 207 separate transactions.
Symantec Corp. reported that it had blocked nearly 22 million WannaCry infection attempts across 300,000 endpoints, providing full protection for Symantec customers through its advanced exploit protection technology.
Symantec Internet Security Threat Report for 2017 findings
The average ransom demand per victim grew to AED 4,000 ($1,077) in 2016, up from AED 1,000 ($294) in 2015, a 266% increase. Globally, ransomware attacks grew to 463,841 in 2016, up from 340,665 in 2015 (a 36% increase). Saudi Arabia was the most targeted country in the Middle East and Africa (MEA) region for ransomware, followed by the UAE at #2.
Globally, the UAE ranked 26th for ransomware attacks, Saudi Arabia 20th, and the United States first. 30% of ransomware victims in the UAE paid the ransom.
Globally, 1 in 131 emails contained a malicious link or attachment in 2016, the highest rate in five years. In the UAE, 1 in 136 emails contained a malicious link or attachment in 2016, also the highest rate in five years. Globally, there was a twofold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average device was attacked once every two minutes.