On Friday, May 12th, 2017, a ransomware attack began infecting computers across the globe. The scale of the attack and the speed at which the ransomware was propagating were unprecedented. Rob Wainwright, Director of Europol, explained:
“We’ve never seen something on this scale and that’s because the ransomware itself has been combined with a worm application that allows the infection from one computer to quickly spread across other networks. That’s why we’re seeing these numbers increasing all the time and right across different sectors, right across the world. The numbers are still going up.”
The ransomware is known as Wanna Decryptor, WannaCry, WanaCrypt0r and WCry. It encrypts users’ files and demands a $300 payment in Bitcoin for access to be restored. So far, the list of victims includes some of the world’s largest organisations, such as Renault, Deutsche Bahn, FedEx and the Russian interior ministry. In Spain, the infection seems to have gained significant traction, hitting Telefonica, Gas Natural and Iberdrola amongst others.
In the UK at least, the most serious impact of the infection has been on the National Health Service (NHS), with at least 47 NHS trusts infected by the ransomware. Although the NHS wasn’t specifically targeted in the attack, hospitals and healthcare organisations in general make popular targets for ransomware. There doesn’t appear to be a conclusive report published yet as to why the NHS was so badly affected, but early reports suggest this was due to far too many computers in NHS hospitals running Windows XP with unpatched vulnerabilities. We know that in December 2016 at least, 90% of NHS trusts were still running Windows XP on some of their machines, more than two and a half years after Microsoft ended support for the ageing OS in April 2014.
Why is WannaCry so virulent?
WCry uses an exploit of NSA origin, codenamed EternalBlue, that was leaked by the Shadow Brokers group in mid-April 2017. It targets a vulnerability (CVE-2017-0144) in the SMBv1 (Server Message Block version 1) server code built into every Windows version of the time; the exploit as leaked works against Windows XP through Server 2012, and it gives an unauthenticated attacker remote code execution with SYSTEM privileges on any unpatched host that exposes TCP port 445. By combining EternalBlue with a self-replicating payload, WCry spreads in “worm” fashion from vulnerable machine to vulnerable machine, scanning both the local network and random internet addresses for new targets. The result is that after an initial infection there is no need for emails to be opened or links to be clicked; the ransomware spreads silently without any human interaction.
Microsoft released the patch for this vulnerability, MS17-010, on 14 March 2017, two months before the outbreak, but many organisations clearly had not got around to installing it. To give an indication of how effective the exploit is at self-propagating, 85 percent of computers at Telefonica are said to have been affected by the worm.
It goes without saying that anyone with systems that may be affected and has yet to install MS17-010 should do so straight away. Microsoft has also taken the unusual step of publishing the fix for out-of-support versions (Windows XP, Windows 8 and Server 2003). Where a host cannot be patched immediately, disabling SMBv1 and blocking TCP port 445 at the perimeter and between network segments removes the path the worm uses; note that hosts which are already infected keep scanning for new targets until they are isolated from the network.
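As an added example (not code from this article or from Redstor), here is the kind of detection a security operations team would want for the worm behaviour described above: a single internal host opening TCP/445 connections to many distinct peers inside a short window, which ordinary file-share use never looks like. The log format, the sample records and the thresholds are constructed for the example; map them onto whatever firewall or NetFlow export you actually have.

```python
"""Flag worm-style SMB fan-out in connection logs (added example).

A host spreading over EternalBlue connects to TCP/445 on many distinct
peers in a short burst. Ordinary file-share use looks nothing like that:
one client talks to a handful of servers, repeatedly. This script finds
sources that reached >= THRESHOLD distinct hosts on 445 inside any
WINDOW-long span and reports the peak fan-out per source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src dst dport proto".
# 10.1.1.20 is a normal user hitting a file server; 10.1.1.44 sweeps a /24.
SAMPLE_LOG = """\
2017-05-12T11:02:01Z 10.1.1.20 10.1.0.5 445 tcp
2017-05-12T11:02:09Z 10.1.1.20 10.1.0.5 445 tcp
2017-05-12T11:02:10Z 10.1.1.20 10.1.0.7 443 tcp
2017-05-12T11:03:00Z 10.1.1.44 10.1.2.1 445 tcp
2017-05-12T11:03:00Z 10.1.1.44 10.1.2.2 445 tcp
2017-05-12T11:03:01Z 10.1.1.44 10.1.2.3 445 tcp
2017-05-12T11:03:01Z 10.1.1.44 10.1.2.4 445 tcp
2017-05-12T11:03:02Z 10.1.1.44 10.1.2.5 445 tcp
2017-05-12T11:03:02Z 10.1.1.44 10.1.2.6 445 tcp
2017-05-12T11:03:03Z 10.1.1.44 10.1.2.7 445 tcp
2017-05-12T11:03:03Z 10.1.1.44 10.1.2.8 445 tcp
2017-05-12T11:03:04Z 10.1.1.44 10.1.2.9 445 tcp
2017-05-12T11:03:04Z 10.1.1.44 10.1.2.10 445 tcp
2017-05-12T11:03:05Z 10.1.1.44 10.1.2.11 445 tcp
2017-05-12T11:03:05Z 10.1.1.44 10.1.2.12 445 tcp
2017-05-12T11:09:00Z 10.1.1.44 10.1.2.13 445 tcp
"""

WINDOW = timedelta(seconds=60)   # assumption: tune to your environment
THRESHOLD = 10                   # distinct TCP/445 peers inside WINDOW


def parse_line(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), proto


def smb_fanout_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return [(src, window_start, distinct_peers)] for each source whose
    peak number of distinct TCP/445 destinations within `window` reached
    `threshold`. One entry per source, reporting the peak."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)  # dst -> connections currently inside the window
        lo = 0
        peak, peak_start = 0, None
        for ts, dst in events:
            live[dst] += 1
            # slide the left edge so the span covered never exceeds `window`
            while ts - events[lo][0] > window:
                old = events[lo][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            if len(live) > peak:
                peak, peak_start = len(live), events[lo][0]
        if peak >= threshold:
            alerts.append((src, peak_start, peak))
    return alerts


if __name__ == "__main__":
    for src, start, n in smb_fanout_alerts(SAMPLE_LOG):
        print(f"ALERT {src}: {n} distinct SMB peers from {start.isoformat()}Z")
```

On the sample data only 10.1.1.44 fires (12 distinct peers in five seconds); the normal user, who talks to one server twice, does not. In production the same logic belongs in whatever your SIEM or flow collector offers, with the threshold set from a baseline of your own estate, and the alert should trigger isolation of the source host rather than just a ticket, since the worm keeps scanning until it is cut off.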
The initial infection could have been even larger
Thankfully in this case, the ransomware’s potential to infect further computers was contained, almost by accident, early on. A security researcher going by the name MalwareTech was running a sample of the ransomware in an analysis environment and noticed that it queried an unregistered domain, which he promptly registered.
Luckily, registering the domain effectively acted as a kill switch: new infections that could reach the domain exited rather than encrypting files. The check is only effective where the infected host can resolve and reach the domain directly, so machines with no internet access, or behind a proxy the malware does not use, still went on to encrypt their files.
The security researcher’s theory as to why the ransomware creators included this domain check is that it was designed to detect when the malware was being run in an analysis sandbox, acting as an anti-analysis kill switch, as he explained:
“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit)”Malwaretech
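To make the two decision rules concrete, here is an added example (not WannaCry’s code, nor MalwareTech’s) that models them in Python: the single-domain kill switch used by the first wave, and the Necurs-style “several random domains” heuristic quoted above. The lookups are injected as functions so the logic runs offline; the domain name is a placeholder, not the real kill-switch domain, and the probe and resolver environments at the bottom are constructed for the example.

```python
"""Kill-switch and sandbox-detection logic, modelled on the text (added example).

Rule 1 (first WannaCry wave): probe one deliberately unregistered domain;
if anything answers, assume a sandbox and exit. Rule 2 (Necurs-style):
resolve several random domains; if they all come back with the same
address, the environment is faking DNS, so exit.
"""
import random
import string
import urllib.error
import urllib.request

# Placeholder only; the real kill-switch domain is not reproduced here.
KILLSWITCH_DOMAIN = "unregistered-killswitch-placeholder.invalid"


def should_proceed_single_probe(probe):
    """Rule 1. `probe(domain)` returns True if the domain answered.
    Any answer (a sandbox that resolves everything, or a real registration)
    stops the payload, which is why registering the domain worked.
    A probe that cannot reach the internet at all looks like 'no answer',
    so an offline or proxy-bound host still proceeds to encrypt."""
    try:
        answered = probe(KILLSWITCH_DOMAIN)
    except OSError:
        answered = False
    return not answered


def random_domain(rng, length=20, tld="com"):
    """Random junk label that should never resolve in honest DNS."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length)) + "." + tld


def should_proceed_necurs_style(resolve, rng=None, n=5):
    """Rule 2. `resolve(name)` returns an IP string or None for NXDOMAIN.
    Honest DNS fails all n lookups (or gives different answers); a sandbox
    that answers every name with one sinkhole address gives n identical hits."""
    rng = rng or random.Random()
    answers = [resolve(random_domain(rng)) for _ in range(n)]
    if all(a is not None for a in answers) and len(set(answers)) == 1:
        return False  # every random name resolved to the same IP: sandbox, exit
    return True


def http_probe(domain, timeout=5):
    """Real-world probe for rule 1 (not used by the offline checks): a direct
    HTTP GET that ignores the system proxy, as the original check did.
    An HTTP error status still counts as 'answered'."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        opener.open("http://" + domain + "/", timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True      # the server answered, just with an error status
    except OSError:
        return False     # NXDOMAIN, refused, timeout, no route: looks unregistered


# --- constructed environments used to exercise the rules offline ---
def internet_before_registration(domain):
    return False                         # nobody answers an unregistered name


def internet_after_registration(domain):
    return domain == KILLSWITCH_DOMAIN   # the sinkhole now answers


def no_direct_internet(domain):
    raise OSError("network unreachable")  # host behind a proxy, no direct route


def sandbox_resolver(name):
    return "10.0.0.1"                    # fake DNS answering every name with one IP


def honest_resolver(name):
    return None                          # NXDOMAIN for random junk


if __name__ == "__main__":
    print("before registration, proceed:", should_proceed_single_probe(internet_before_registration))
    print("after registration, proceed: ", should_proceed_single_probe(internet_after_registration))
    print("no direct internet, proceed: ", should_proceed_single_probe(no_direct_internet))
    print("Necurs rule in sandbox, proceed:", should_proceed_necurs_style(sandbox_resolver))
    print("Necurs rule on honest DNS, proceed:", should_proceed_necurs_style(honest_resolver))
```

Run stand-alone, the three probe environments reproduce the behaviour described above: before registration the payload runs, after registration it exits, and on a host with no direct internet route it runs regardless. The Necurs-style rule shows why the single-domain version was so fragile: checking several random names is only defeated by a sandbox that answers everything, whereas checking one fixed name is defeated by anyone who registers it.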
WannaCry follow-on attacks
Since the initial spread was contained, there have already been several follow-on attacks. The first variant simply used a different kill-switch domain, which was quickly identified and registered by Matt Suiche.
Since then, a variant has appeared that lacks the domain check entirely, although the payload archive it carries is corrupted, so it cannot install and encrypt files. It is already clear that WannaCry will continue to evolve as attempts are made to contain it.
Perhaps the most worrying aspect of WannaCry is that there are likely many more vulnerabilities that ransomware can take advantage of besides EternalBlue. The ransom screen is also localised into 27 languages, a level of development effort that would be unlikely unless the creators have a long-term plan for distributing the malware.
Limiting the impact of a ransomware attack
The below advice is taken directly from the National Cyber Security Centre’s (NCSC) website and is available here.
The following measures can all help to limit the impact of a ransomware attack.
- Good access control is important. The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user. Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
- Ransomware doesn’t have to go viral in your organisation; limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations we make here, protects against a range of cyber attacks.
- Have a backup of your data. Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware. It is important to remember backups should not be the only protection you have against ransomware – the adoption of good security practices will mean not getting ransomware in the first place. For further guidance on backups, please see our Securing Bulk Data guidance, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.
How Redstor can help
If a ransomware attack cannot be prevented, recovering from it remains the only option. Without an isolated, up-to-date backup of your data, your IT systems have no previous working state to revert to, and your organisation is left either paying up in the hope that access is restored or accepting that the data is lost. An onsite backup may help, but if the infection spreads to that local copy then it too will be inaccessible.
Implementing a new backup solution is no use once data has already been encrypted: the backup may run, but a restore cannot get around encryption that is already in place. Only with an up-to-date, isolated backup will your recovery be swift and all traces of the ransomware infection be erased.
You can find out more about how Redstor can help protect your data against ransomware here.