05-16-17 | Blog Post

Breaking down the WannaCry ransomware attack


Companies across the globe are still reeling and recovering from the global ransomware attack known as WannaCry on Friday, which took down tens of thousands of machines in 150 countries, including Britain’s National Health System. How and why did this happen?

We’ve talked at length about ransomware and how it’s distributed, how it particularly affects healthcare, and the rise of ransomware as a service. Friday’s attack was unusual in how quickly the infection spread, but it also reminded us of an age-old life lesson: It’s really important to keep your systems patched and up to date.

Prevention is the best cure

The security world has been saying it for years, but now it has another true-to-life case in point: Update your machine when it tells you to. The attack on Friday took advantage of a zero-day vulnerability in all Microsoft systems before Windows 10. Microsoft had released a patch for it back in March (even issuing a rare patch for the now-unsupported Windows XP systems), but most people treat system updates the way they treat pre-cancer screenings: “I’m fine now, so why should I worry about it?”

Well, just like you don’t want cancer when you’re older, you don’t want ransomware, either. Company-issued patches often address security vulnerabilities and keep your system better protected against ransomware and other malicious activity. For personal computers it’s a matter of dedicating the few minutes it takes to install the patch(es) and reboot. For enterprise, it’s a different story. It’s not only the time it takes to install patches on potentially hundreds of machines, but there are software compatibility and patch priority issues as well, which can turn a simple update into a much more complicated mess. It’s for these reasons that many enterprises are slow to patch their systems, and this unfortunately leaves them as prime targets for malicious actors to take advantage of.

How does WannaCry work?

WannaCry (and now its new variants) spreads by exploiting a vulnerability in the Windows implementation of SMBv1 and SMBv2. SMB, or Server Message Block, is a networking component of Windows that is mainly used to provide shared access to files and printers and to carry miscellaneous communications between nodes on a network. Security researchers believe this is how the infection has been able to spread so quickly, much more quickly than anticipated.
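One way to audit a Windows host for the two conditions this section describes, legacy SMBv1 still enabled and the March security update missing, as an added PowerShell example that is not from the original post. The `$RequiredKBs` list is a placeholder because the post does not name the update, and the cmdlets assume Windows 8 / Server 2012 or later with an elevated prompt.

```powershell
# Added example (not from the original post): audit a Windows host for
# SMBv1 exposure and for the presence of the SMB security update.
# $RequiredKBs is a PLACEHOLDER: fill it from Microsoft's bulletin for
# your Windows version; the post itself does not list the KB numbers.
param(
    [string[]] $RequiredKBs = @('KB<placeholder>')
)

$findings = @()

# 1. Is the SMBv1 server protocol switched on in the SMB server configuration?
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
}

# 2. Is the SMB1 optional Windows feature still installed?
#    (Get-WindowsOptionalFeature exists on Windows 8 / Server 2012 and later.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
}

# 3. Is at least one of the required security updates present?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hasPatch  = $RequiredKBs | Where-Object { $installed -contains $_ }
if (-not $hasPatch) {
    $findings += "None of the required updates ($($RequiredKBs -join ', ')) is installed"
}

# Report, and print the remediation steps when anything was found.
if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled and required update present'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Remediation: install the update, then disable SMBv1 with:'
    Write-Output '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Output '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
}
```

Disabling SMBv1 breaks file sharing with clients that only speak that dialect, so check for such systems before applying the remediation step across an enterprise.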

Why ransom payments are low

You might have noticed that while the WannaCry attack from Friday hit thousands and thousands of computers, the total ransom collected so far is less than $100,000. That’s pretty low by ransomware standards. There are a few reasons for this:

  1. The ransomware gave victims 72 hours before their payment doubled, and that time window has only just passed. Security researchers expect more money to go to the Bitcoin wallets of the hackers but for now, it’s pretty low considering the scale of the attack.
  2. Despite Bitcoin’s growing popularity, most people don’t use it or know how to get it. Doing so takes some time, and determining how much to pay based on how many computers were infected will also take time.
  3. The hackers, by all accounts, seem to be pretty unsophisticated. The original payment asked for $300, which is absurdly reasonable compared to the average payment of $1,000 or more. Then there’s the problem of WannaCry’s decryption process, or lack thereof. According to a blog post from cybersecurity firm Check Point, “WannaCry doesn’t seem to have a way of associating a payment to the person making it.” For now, victims just have to pay, and wait. Most security researchers and governments have urged victims not to pay the ransom, and it appears that most victims haven’t–yet.

What’s next

A security researcher going by the name Malware Tech accidentally stumbled upon a killswitch built into the malware, which stopped Friday’s infection from spreading. However, a new variant of the malware has already been released, known as Uiwix. This new variant is believed to no longer have the killswitch built in, which means the only way of stopping the new infection is to patch the SMB vulnerability in Windows. Microsoft has published WannaCry support information, including direct downloads of the fix for each version of Windows with the SMB vulnerability. Be sure you’re also running a robust antivirus that can check for new malware strains as they appear.


© 2024 OTAVA® All Rights Reserved