Decoded: WannaCry ransomware

WannaCry is wreaking havoc on networks around the world. Get the facts on the latest ransomware threat.

By John Oates

Tue 16 May 2017 @ 15:37

What is WannaCry?

WannaCry is the largest and arguably most effective ransomware attack yet to hit businesses and organisations around the world. Organisations in about 150 countries including Telefonica in Spain, FedEx in the United States as well as large parts of the NHS in the UK have seen a page demanding a ransom in exchange for the password to decrypt their systems.

How did it spread so fast?

The malware was attached to phishing emails to get first access to networks. But after that it used a core Microsoft networking protocol called Server Message Block (SMB), via port 445, to propagate itself as a worm. As SMB is a feature of numerous versions of Windows the exploit can affect older machines running XP all the way up to Windows Server 2012.

The actual damage was limited thanks to the quick action of a young security researcher. He ran the ransomware in a virtual environment and noticed it was trying to contact an unregistered domain. If it did not get a response, which it wouldn’t because the domain was not registered, it starts encrypting files.

If the ransomware does get a response, it shuts down.

This is because some sandbox systems – used to check executable software is safe – will automatically respond to any URL request by providing an IP address which points back to the sandbox. The researcher quickly registered the domain name that WannaCry was trying to contact. This 'kill switch' effectively fooled it into thinking it was in a sandbox so it shut down.

The only caveat of this 'kill switch' is that infected systems that connect through a proxy server out to the internet remain at risk.

Why did this happen?

Ransomware is a massive and profitable business that makes cybercriminals hundreds of millions of dollars for very little risk. There are websites offering ‘ransomware-as-a-service’ so anyone with the most basic technical skills can tweak the ransom note and provide an email address to attack.

WannaCry’s ransom page requested the equivalent of $300 to $600 in Bitcoin – a relatively small sum for a business that has lost access to key data and systems. Criminals launch these attacks because they offer a serious return on investment.

WannaCry uses a back door into systems that was allegedly found by the NSA and stolen by the hacking group Shadow Brokers in April. Microsoft blamed WannaCry on the NSA Vulnerability Hoarding Program.

How can organisations stay safe?

There’s no doubt it is getting harder. Attackers are more professional and phishing emails are increasingly difficult to tell from real messages. They will look like they come from colleagues who contact you regularly. They will be well written and persuasive.

Keeping staff trained is vital, as is good general IT housekeeping. WannaCry is a reminder of how important patching is. Of course, you still need to test systems first but keeping up to date is a good first step to safety. Ransomware usually exploits known vulnerabilities – and WannaCry was no exception.

Most attacks need someone in the organisation to click on a macro or executable to get started. Think about how you can restrict this without stopping people doing their jobs.

Don’t ignore old-school attack vectors like removable media – USB sticks and even DVDs can put malware onto your network just as effectively as an emailed macro.

Also think about what happens if you do become a victim. Get your back-up systems up to scratch.

Control access to systems to those who need them – proper access controls can stop an attack wiping out the whole organisation.

However, organisations also need to accept the fact that attackers are going to get into their networks. They need to stop focusing solely on defence and protection and focus more on monitoring and rapid response. For those organisations that are already compormised with WannaCry, patching, anti-virus and backups aren't going to show them the traffic from infected machines and help them with the clean-up. Security intelligence will.