We all WannaCry
by Ken May
On Friday, May 12, 2017, a new ransomware strain called WannaCry began circulating in the United Kingdom and Spain, rapidly infecting over 400,000 exposed workstations and servers in the healthcare, financial, and other sectors. This ransomware stood out for several reasons, including being the largest ransomware attack to date and the first widely spread ransomware worm.
I had an exciting time analyzing this as it happened. I was in San Diego for the SANS Security West 2017 cybersecurity conference as a facilitator. We all piled into a room late one night for an emergency session, where we shared data and studied what was happening in real time. Because of some of the connections I made there, I was later able to provide some assistance to the FBI Special Agent in charge of the WannaCry investigation.
The ransomware is version 2.0 of WanaCrypt0r (also known as WCry, WannaCry, and WannaCryptor). Unlike earlier versions, it spreads by exploiting the SMB vulnerabilities described in Microsoft Security Bulletin MS17-010. The exploit it uses, ETERNALBLUE, was published in the ShadowBrokers leak of April 2017, a month after Microsoft had already shipped the fix. SMB (Server Message Block) is the Windows file- and printer-sharing protocol; it listens on TCP port 445 and provides access to shared resources on a network. The flaws are in the SMB version 1 server code, which is why disabling SMBv1 blocks the exploit even on an unpatched host, and why Microsoft had already urged system administrators in the fall of 2016 to turn SMBv1 off.
According to an FBI FLASH alert, WannaCry gains its initial foothold through a phishing campaign or compromised RDP (Remote Desktop Protocol) access. Once inside a network, it scans for other hosts reachable on TCP 445, both on the local network and across the Internet, and infects any that lack the MS17-010 patch, with no user interaction required. This worm-like propagation is the feature that was new in this version.
New infections dropped sharply once a "kill switch" built into the malware was triggered. A security researcher using the Twitter handle @MalwareTechBlog noticed that a sample tried to reach an unregistered domain (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) before doing anything else. If the HTTP request fails, as it does for a domain nobody has registered, the malware goes on to encrypt and spread; if the request succeeds, the malware exits. The researcher's theory is that this was an anti-analysis check: sandboxes often answer every DNS query and connection so the sample keeps running, so a successful connection to a nonsense domain suggests the malware is being watched. He registered the domain, turning the check against its authors: every new infection that could reach his sinkhole shut itself down. That does nothing for machines already encrypted, and it does not protect hosts that can only reach the Internet through a proxy, because the check makes a direct connection and so fails on those networks, but it did curb further infection. Of course, shortly after that, new variants with different kill-switch domains, and some with the check patched out, began making the rounds.
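One practical use of the kill-switch domain is as an indicator: any host that looked it up ran the dropper, whether the connection then succeeded (malware exited, host still needs cleanup and patching) or failed (host went on to encrypt). The script below, an added example that is not from the original article, hunts a DNS resolver log for such lookups. The log layout (timestamp, client address, queried name, record type) and the sample lines are constructed for the example; adapt the regex to your resolver's format.

```powershell
# Added example, not part of the original article. Finds hosts that looked up the
# WannaCry kill-switch domain in a DNS resolver log. Because the malware resolves the
# name directly (WinINet with no proxy), the lookup appears in DNS logs even on
# networks where the follow-up HTTP connection could never succeed.

$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed sample lines standing in for a real resolver log:
# "<ISO-8601 timestamp> <client address> <queried name> <record type>"
$SampleLog = @'
2017-05-12T13:58:02Z 10.20.31.7   www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T13:58:02Z 10.20.31.7   www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com AAAA
2017-05-12T13:58:09Z 10.20.31.44  update.microsoft.com A
2017-05-12T14:02:51Z 10.20.44.118 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A
2017-05-12T14:03:10Z 10.20.31.44  www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T14:11:40Z 10.20.31.7   www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
'@

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $Domain = $KillSwitchDomain
    )
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<qname>\S+)\s+(?<qtype>\S+)$'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # DNS names are case-insensitive, and some resolvers log a trailing dot.
            $qname = $Matches.qname.TrimEnd('.')
            if ($qname -ieq $Domain) {
                [pscustomobject]@{
                    Client = $Matches.client
                    Time   = [datetime]::Parse($Matches.ts).ToUniversalTime()
                }
            }
        }
    }
    # One row per host: first sighting and lookup count. Repeated lookups from the
    # same host mean the dropper was run more than once (relaunch or persistence).
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Lookups   = $_.Count
        }
    } | Sort-Object FirstSeen
}

$suspects = Find-KillSwitchLookups -Lines ($SampleLog -split "`r?`n")
$suspects | Format-Table -AutoSize
```

Every host this returns should be isolated and checked for the MS17-010 patch regardless of whether it ended up encrypted; a sinkholed kill-switch stops the payload, not the compromise.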
At least three separate Bitcoin wallets, controlled by unknown criminals, were identified as part of the ransomware campaign. As of May 25th, a total of 302 payments totaling over $126,000 had been made to them. All in all, a shockingly small return for an outbreak of this size.
Some interesting notes:
- Microsoft patched this back in March, so anybody who got infected on a supported version of Windows was more than two months behind on security updates. (Windows XP and Server 2003 were out of support and only received an emergency fix from Microsoft on May 13, the day after the outbreak began.)
- 98% of the victims were running Windows 7.
- Internet-wide scans estimate that over 1 million Internet-connected computers still expose SMB and have not been updated, so they remain vulnerable.
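Before installing, it helps to know which hosts actually meet the conditions the worm needs: SMBv1 enabled, MS17-010 missing, and TCP 445 listening. The script below is an added example, not code from the original article. It assumes a Windows 7 SP1 / Server 2008 R2 host (the 98% case above); the KB numbers it checks, KB4012212 (security-only) and KB4012215 (monthly rollup), are the March 2017 MS17-010 packages for that platform only, and other Windows versions have their own KB numbers in the bulletin.

```powershell
# Added example, not code from the original article. Audits the local host for the
# conditions WannaCry needed to spread to it. Run from an elevated PowerShell prompt.
# Assumption: KB numbers are the March 2017 MS17-010 packages for Windows 7 SP1 /
# Server 2008 R2 only; consult the MS17-010 bulletin for other versions.

$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: Microsoft's documented switch is the LanmanServer "SMB1"
    # registry value. When the value is absent, SMBv1 is enabled (the default).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed packages by KB number. Caveat: a host that has taken
    # a later monthly rollup has the fix but may not list the March package, so
    # $false means "verify with the srv.sys file version or a credentialed scan",
    # not "definitely exposed".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Port445Listening {
    # SMB listens on TCP 445; the worm has to reach this port over the network.
    $listeners = netstat -ano | Select-String -Pattern 'TCP\s+\S+:445\s+\S+\s+LISTENING'
    return [bool]$listeners
}

$smb1Enabled = Test-Smb1Enabled
$patched     = Test-Ms17010Installed
$listening   = Test-Port445Listening

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Smb1Enabled      = $smb1Enabled
    Ms17010Installed = $patched
    Tcp445Listening  = $listening
} | Format-List

if ($smb1Enabled -and -not $patched -and $listening) {
    Write-Warning 'Exposed to the WannaCry SMBv1 propagation path: patch, then disable SMBv1.'
}

# Remediation once the update is installed:
#   Windows 7 / 2008 R2 (takes effect after a reboot):
#     Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#                      -Name SMB1 -Type DWORD -Value 0 -Force
#   Windows 8.1 / 2012 R2 and later:
#     Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Disabling SMBv1 is the durable fix, but test it first: legacy printers, NAS devices, and old scanners that only speak SMBv1 will stop working the moment it is turned off.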
Install those updates, folks!