5 June 2017
The WannaCryptor, aka WannaCry, attack wreaked unprecedented havoc across the globe since affecting its first victims on May 12th, 2017. Following the outbreak, various sources have suggested that over 200,000 users fell victim to the attack, across 150 countries, including the UK’s NHS and Spain’s Telefonica. At least twelve Australian businesses were also reported to have been impacted.
Broadcasters, journalists, bloggers, commentators, experts and security vendors alike, have reported on, discussed and analysed this global threat with a level of attention unheard of for a malware event in a very long time. So here’s what you need to know.
What is WannaCryptor?
WannaCryptor is a type of malicious software known as ransomware, an increasingly popular attack method deployed by cybercriminals that typically involves the illegal encryption of files or devices. A ransom is then demanded for the ‘safe recovery’ of the encrypted files or devices.
According to Nick FitzGerald, Senior Research Fellow at ESET, the WannaCryptor.D variant, responsible for the May 12th event is “unlike most encrypting-type malware as it has wormlike capabilities, allowing it to spread by itself. This worm functionality works by scanning the local network and the internet for potential victim machines, exploiting any Windows PC found without the MS17-010 update installed. That update included a patch for the so-called EternalBlue vulnerability, reputedly discovered and used by the NSA, and released by the Shadow Brokers group in April this year.”
How to know if you’ve been attacked by WannaCryptor
According to the ransomware’s messaging screens, the only way to decrypt the files is to pay the ransom. However, there is never a guarantee that once it’s paid your files will be decrypted. After all, these are cybercriminals we’re talking about. Further, with its enormous success in spreading to so many machines so quickly, an unusual design choice in this ransomware means that working out who has paid and providing the correct decryption keys to the victims is a complex procedure for the criminals behind it. Because the bitcoin blockchain is public, we can tally the payments made to the three bitcoin addresses known to be used by this malware. Based on that, as of this writing, the WannaCryptor attacks have generated over AUD$164,000 in ransom, representing payments for around 410 affected PCs.
How WannaCryptor spread
Despite numerous reports and much speculation, the original distribution mechanism of this malware remains unclear. Originally it was thought likely that WannaCryptor, or a link to it, was delivered via email spam, but this seems increasingly unlikely. Perhaps it initially spread from just one, or a small number of, manually compromised systems. It seems we may never know.
What we do know, however, is that to so quickly reach the widespread distribution it achieved, WannaCryptor successfully exploited a vulnerability in most versions of the Windows OS. Specifically, it affected machines where the MS17-010 update from March 14th had not been applied, and older Windows versions that are no longer on mainstream support and for which there was no publicly available patch.
The outbreak started early in the work-day in Europe, and was well-established, leading the news on cable television and online news sites by midday. This gave Microsoft enough lead time to publicly release the relevant patches for Windows XP, Windows 8.0 and Windows Server 2003 that it had previously only made available to its customers paying for custom support on those OSes.
These attacks have highlighted multiple flaws within some organisations, security agencies and governments. These include poor and untimely information sharing, inefficient and slow cybersecurity efforts and financial underinvestment – all of which have created a perfect storm of opportunities for cybercriminals to exploit.
ESET has created educational tools for both individual users and businesses on how to protect against WannaCryptor and other similar ransomware threats.