Starting on Friday 12th May, reports began to spread of a global malware outbreak that appears to have hit tens of thousands of hosts in almost a hundred countries within a span of hours. Included amongst the high-profile victims of the campaign is the UK's NHS, which has reportedly experienced widespread outages across more than forty organisations as well as numerous GP practices. Ambulance services have also been affected. The ransomware demands a payment worth around £230 per infected host. It has now spread globally, with major disruption in Germany, Taiwan and China.
Before discussing the attack itself I want to debunk a myth about it. First of all, this is not a cyberattack in the sense reported by a lot of media outlets: a cyberattack implies that somebody is targeting a specific organisation. This is indiscriminate malware exploiting a well-known and documented vulnerability within Windows. Once the vulnerability has been exploited and the malware installed, data on the device is encrypted, a ransom is demanded, and the malware spreads to other hosts on the Internet and on the local network by exploiting the same vulnerability. This is an interesting combination of three things: a worm, which does the spreading; the ransomware payload, which encrypts the device; and the ransom demand itself.
The origin of the particular vulnerability that is exploited is interesting. On 14th April a threat actor calling itself the Shadow Brokers leaked a number of exploits believed to have been created by a group within the US National Security Agency known as the Equation Group. One remote code execution exploit in the leak was particularly damaging. A remote code execution vulnerability allows an attacker to run code on a device over the network; in this case no credentials are needed at all. The exploit is named EternalBlue and it affects all unpatched current versions of Windows and most past versions, including Windows XP. Microsoft had already released a patch for this vulnerability, MS17-010, on 14th March, a month before the leak. SecureData has been saying for the past two years that the militarisation of cybersecurity will spill over and have major effects in the civilian domain. Here is a prime example of an offensive tool created by a US intelligence agency being used by criminals to devastating effect in civilian life.
How do we defend ourselves against WannaCrypt?
Despite the intimidating association of this campaign with NSA toolsets, the malware spreads and operates using a standard and well-understood killchain. Breaking this killchain at any of its links will prevent infection or minimise damage. The simplest and most effective controls at this point appear to be:
- Ensure that any and all valuable systems that are not yet infected are thoroughly backed up, and that the backup system is not itself connected to the network;
- Block or throttle Microsoft file sharing traffic (SMB, TCP ports 139 and 445). This should absolutely be done at the Internet boundary, in both directions, and as far as possible between zones of your internal network with different levels of trust;
- Remove Windows end-of-life (EOL) systems from the network, or patch them urgently using the special out-of-band patch (KB4012598) that Microsoft has released for the following operating systems:
  - Windows XP
  - Windows Vista
  - Windows Server 2003
  http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 (MS EOL patch)
- On all other systems urgently install Microsoft patch MS17-010:
  https://technet.microsoft.com/en-us/library/security/ms17-010.aspx (MS17-010 patch)
- Ensure the killswitch within the malware can operate as intended (see below).
The malware contains a very interesting feature: a killswitch. A killswitch is a feature in software that causes it to deactivate if certain conditions are met, the equivalent of the red self-destruct button in action movies! Our analysis indicates a check built into the code to see whether the malware can connect to the host name www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the program cannot connect to that domain it proceeds with the infection. If the connection succeeds, the program stops.
MalwareTech has registered this domain, effectively activating the killswitch, and reports are that the spread is already slowing. Connections to this domain should therefore be allowed so that the killswitch can work. Unfortunately the check is not proxy aware; in other words it does not use the local device's web proxy settings but tries to connect to the website directly. If you are running an explicit web proxy you will need to make sure that the domain resolves to an IP address from inside your network and that there is outbound TCP port 80 access to that IP address on your external firewall. Because the malware only checks that the connection succeeds, an internal sinkhole (your own name resolving to a web server of yours that answers on port 80) achieves the same effect without opening the firewall.
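The controls above are one procedure: confirm the patch, remove the SMBv1 attack surface, block SMB at the Internet boundary, and check that the killswitch can be reached the way the malware reaches it. The following PowerShell is an added example of that procedure, not code from the original post or from SecureData. It assumes PowerShell 3 or later, run elevated; the Smb and NetFirewall cmdlets need Windows 8 / Server 2012 or later, and the KB numbers are the per-OS packages listed in the MS17-010 bulletin (later cumulative updates supersede them, so "no KB found" means "verify", not "vulnerable"). The function and rule names are this example's own.

```powershell
# Added example for the controls listed above; not code from the original post or SecureData.
# Assumes PowerShell 3+, run elevated. Set-SmbServerConfiguration and New-NetFirewallRule
# exist on Windows 8 / Server 2012 and later. KB list per the MS17-010 bulletin; later
# cumulative updates supersede these, so a missing KB means "verify", not "vulnerable".

function Test-Ms17010Patch {
    $ms17010Kbs = @(
        'KB4012598',                            # XP / Server 2003 / Vista / Server 2008 (EOL patch)
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',               # Windows Server 2012
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607, Server 2016
    )
    $found = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
               Select-Object -ExpandProperty HotFixID)
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchedKb = ($found -join ', ') }
}

# EternalBlue targets the SMBv1 server; turning it off removes the attack surface even
# where the patch cannot be applied yet. The registry route is for Windows 7 / 2008 R2
# (reboot required); the cmdlet takes effect immediately on newer systems.
function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

# Host-firewall equivalent of "block SMB at the Internet boundary, both directions":
# nothing outside the local subnets may reach 139/445, and an infected host cannot
# scan the Internet on 445. Zone-to-zone filtering between internal networks still
# belongs on the network firewalls.
function Block-SmbAtInternetBoundary {
    New-NetFirewallRule -DisplayName 'WannaCry: block inbound SMB from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
        -RemoteAddress Internet -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'WannaCry: block outbound SMB to Internet' `
        -Direction Outbound -Protocol TCP -RemotePort 139, 445 `
        -RemoteAddress Internet -Action Block | Out-Null
}

# The killswitch: the malware resolves the name and opens a direct TCP connection to
# port 80, ignoring the system proxy, so the test must do the same. Invoke-WebRequest
# would go through the proxy and report success even when the direct path is blocked.
function Test-KillSwitchReachable {
    param([string]$Domain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
          [int]$TimeoutMs = 3000)
    $address = $null
    try {
        $address = [System.Net.Dns]::GetHostAddresses($Domain) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    } catch { }
    if (-not $address) {
        return [pscustomobject]@{ Domain = $Domain; Resolves = $false; DirectPort80 = $false }
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $connected = $false
    try {
        $pending = $client.BeginConnect($address, 80, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)      # throws if the connection was refused
            $connected = $client.Connected
        }
    } catch { $connected = $false } finally { $client.Close() }
    [pscustomobject]@{ Domain = $Domain; Resolves = $true
                       Address = $address.ToString(); DirectPort80 = $connected }
}

# Audit first; remediate once the impact on legitimate SMB use has been confirmed.
Test-Ms17010Patch
Test-KillSwitchReachable
# Disable-Smb1Server
# Block-SmbAtInternetBoundary
```

Run the two audit functions on a representative host from each network zone: a host that reports `Resolves = True` but `DirectPort80 = False` is exactly the explicit-proxy case described above, where the killswitch will not fire even though browsers can reach the site. Disabling SMBv1 and blocking SMB will break legacy file sharing and older print devices, so confirm dependencies before running the remediation functions.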
Anatomy of WannaCrypt malware
The diagram below breaks down the WannaCrypt malware and shows the infection path, worm and ransomware component of the attack.
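On the wire, the worm component described in the diagram shows up as a single host opening SMB connections to many distinct peers within a short time, whether or not those connections succeed. The following is an added example of a generic detection for that behaviour over Windows Firewall log lines; it is not code from the original post or from SecureData. The log lines are constructed for the example in the pfirewall.log W3C field layout, and the threshold, window and private-address ranges are assumptions that must be tuned to your own network.

```powershell
# Added example of a generic worm detection; not code from the original post or SecureData.
# Input: Windows Firewall log (pfirewall.log, W3C fields). The lines below are constructed
# for the example; 10.0.1.23 behaves like an infected host, 10.0.1.40/.41 are ordinary
# clients of the file server 10.0.1.5. Threshold and window are assumptions to tune.

$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 14:03:01 ALLOW TCP 10.0.1.40 10.0.1.5 50211 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:02 ALLOW TCP 10.0.1.41 10.0.1.5 50212 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:05 ALLOW TCP 10.0.1.23 10.0.1.1 49832 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:05 ALLOW TCP 10.0.1.23 10.0.1.2 49833 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:05 DROP TCP 10.0.1.23 10.0.1.3 49834 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:06 DROP TCP 10.0.1.23 10.0.1.4 49835 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:06 ALLOW TCP 10.0.1.23 10.0.1.5 49836 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:07 DROP TCP 10.0.1.23 10.0.1.6 49837 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:08 DROP TCP 10.0.1.23 203.0.113.77 49838 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:09 DROP TCP 10.0.1.23 198.51.100.9 49839 445 0 S 0 0 0 - - - SEND
2017-05-12 14:03:10 ALLOW TCP 10.0.1.23 198.51.100.20 49840 80 0 S 0 0 0 - - - SEND
2017-05-12 14:09:30 ALLOW TCP 10.0.1.40 10.0.1.6 50213 445 0 S 0 0 0 - - - SEND
'@

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918 ranges; adjust if your internal addressing differs.
    $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
}

function ConvertFrom-FirewallLog([string[]]$Lines) {
    foreach ($line in $Lines) {
        if (-not $line.Trim() -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Action   = $f[2]; Protocol = $f[3]; Src = $f[4]; Dst = $f[5]; DstPort = [int]$f[7]
        }
    }
}

function Find-SmbFanOut {
    param([string[]]$Lines, [int]$Threshold = 5, [int]$WindowSeconds = 60)
    $smb = @(ConvertFrom-FirewallLog $Lines |
             Where-Object { $_.Protocol -eq 'TCP' -and ($_.DstPort -eq 445 -or $_.DstPort -eq 139) })
    foreach ($group in ($smb | Group-Object Src)) {
        $events = @($group.Group | Sort-Object Time)
        $peakPeers = @()
        # Sliding window anchored on each event: distinct destinations within the next N seconds.
        foreach ($anchor in $events) {
            $limit = $anchor.Time.AddSeconds($WindowSeconds)
            $peers = @($events | Where-Object { $_.Time -ge $anchor.Time -and $_.Time -le $limit } |
                       Select-Object -ExpandProperty Dst | Sort-Object -Unique)
            if ($peers.Count -gt $peakPeers.Count) { $peakPeers = $peers }
        }
        if ($peakPeers.Count -ge $Threshold) {
            [pscustomobject]@{
                Source        = $group.Name
                DistinctPeers = $peakPeers.Count
                InternetPeers = @($peakPeers | Where-Object { -not (Test-PrivateAddress $_) }).Count
                DroppedSyns   = @($events | Where-Object { $_.Action -eq 'DROP' }).Count
                Peers         = ($peakPeers -join ' ')
            }
        }
    }
}

Find-SmbFanOut -Lines ($sampleLog -split "`r?`n") | Format-List
```

The detection keys on distinct destinations rather than on connection count, so a busy client talking to one file server does not trip it, while a host sweeping a subnet does even when the firewall drops most of its SYNs. Counting dropped connections and Internet-facing peers separately helps triage: a high drop count with Internet peers is the scanner, a high allow count against internal peers is the host that has already found victims. On a real pfirewall.log, replace `$sampleLog` with `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log`.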
Cashing out the proceeds from the WannaCry ransomware
The indiscriminate nature of the WannaCry ransomware and the rapid spread of the malware mean that the proceeds from the attack could potentially be huge. There is, however, a major problem for the criminals behind it. The ransom is demanded in bitcoin, using only three bitcoin wallets. Bitcoin is an older cryptocurrency with a public blockchain: in plain language, anyone can look at every payment into and out of the wallets in question, because all of it is recorded on the chain. So while money can be transferred into the wallets, there is a high risk for the criminals that cashing the money out can be tracked and attributed. Given the extremely high profile of this attack, the wallets will be under intense scrutiny from law enforcement agencies.
The bitcoin addresses are as follows:
The total ransom paid so far is relatively modest: about 15 bitcoin, equating to around £20,000.
How can SecureData help with WannaCry and other ransomware?
SecureData can assist in a number of very specific ways with WannaCry and other ransomware.
- If you are a Managed Firewall Services customer, we have already started configuring the appropriate firewall and IPS technologies to block SMB traffic as required. If you are not aware that this has happened, wish to confirm it, or wish us to take further steps, please contact our Service Centre;
- If you are a Managed Vulnerability Scanning Services (MVS) customer, we have already been scanning for the relevant vulnerabilities for some time now, and you will already have received reports on this issue wherever it occurs on systems we scan. If you are not an MVS customer, or are concerned about systems we may not already be scanning, please contact any SecureData representative so that we can assist you further;
- If you are a Managed Threat Detection customer, we already have detections in place for this kind of attack in its general form and are working to add further detections for the specific attributes of this campaign. Please contact us if you have any concerns or requests for specific monitoring to be put in place;
- We have a number of leading technology partners whose products can disrupt every element of the ransomware killchain, including phishing as a service, spam filtering, next-generation anti-malware and web filtering;
- SecureData's elite consultancy division SensePost regularly assists businesses with cyberattacks, including ransomware infestations. We have a 20-year track record in cybersecurity, malware and the killchain, and help to minimise the damage caused by an attack or infestation.
Why this problem isn’t going away soon
We often get asked why this problem does not go away. As the diagram below shows, the simple answer is that this is a business transaction with a willing buyer and a willing seller. In a sense, while WannaCry was widespread it was not particularly sophisticated: it used a known exploit, used only three bitcoin wallets, and because of its indiscriminate nature raised the heat on the criminals. Other variants of ransomware will continue to operate, based on the simple premise that the criminal has something the victim wants and used to have, i.e. their own data.
Ransomware in general
While WannaCry is the ransomware currently making news, far more targeted ransomware demanding much higher ransoms than £230 is rife. SecureData believes, and has been advocating for the past year, that we are only at the start of a ransomware pandemic. Global spam volumes are rising again and the proportion of spam related to ransomware is growing rapidly. The diagram below illustrates the flow of typical ransomware. Remote code execution exploits such as the one used by WannaCry are relatively rare, so most ransomware is spread via e-mail or via a user clicking a web link to a malicious website. The key point is that ransomware still needs a foothold on the host, whether by exploiting a vulnerability in software or by tricking the user into running it. There are a number of other vulnerabilities that could be and are exploited by ransomware, so it is important to secure the host operating system. And while restoring a machine may be very disruptive, data backups remain one of the most effective ways of dealing with any ransomware.
To guard against ransomware one only has to break one link of the so-called killchain involved in the attack.
The red blocks in the diagram show the security controls that have to fail for ransomware to be effective.
What next for ransomware?
While it is difficult to predict the future, we believe the following trends will emerge in ransomware:
- Continued growth and spread of ransomware;
- Less success with decryptors. There are sites that provide decryptors exploiting weaknesses in previous versions of ransomware; the criminals creating ransomware are getting smarter and smarter, so these will become less successful;
- Ransomware that occasionally destroys data anyway, as we have seen with rhino dehorning. This sends a message to users that it is best to pay the ransom quickly;
- Newer cryptocurrencies used to hide the money trail better;
- Domain fronting to the command and control (C&C) servers controlling the ransomware, where legitimate domains within Amazon, Google or Azure are used to hide nefarious activity;
- Serverless ransomware that does not require a C&C server at all;
- A greater array of target types: databases, devices, key infrastructure, mobile, IoT;
- Ransomware-as-a-service, which we have already seen in the wild, where criminals subscribe in the same way as you might buy server capacity on Amazon or Azure;
- Ransomware pyramids: infect a friend if you can't pay the ransom;
- Use of Microsoft PowerShell rather than Office macros, which will take this to the next level.
Other SecureData observations
At SecureData we have been advising customers regarding the two key themes represented in this campaign for some time now, namely:
- The impact of state-run cyber operations on the civilian Internet; and
- The inevitable and inexorable growth of ransomware as a Cybercrime business model.
This most recent campaign is the latest example of these two mega-trends in action, but the first time we have seen them collide in such a visible way.
Encouragingly, these events, significant as they are, still don't demand a change in strategy from us. This campaign could have been significantly suppressed by the exercise of well-understood and fundamental computer security hygiene, starting with:
- Consistent ingress and egress filtering i.e. control inbound and outbound traffic;
- Timeous and consistent patching;
And then growing to:
- Disciplined Vulnerability Testing and Management;
- User Education;
- Anti-virus and endpoint detection;
- Content Filtering
These are all well-understood practices, but they need to be implemented consistently in order to break the ransomware killchain and choke out this persistent threat.