In the middle of May, a piece of ransomware dubbed WannaCrypt or WannaCry began ripping through computer networks worldwide, downing systems as critical as the United Kingdom’s National Health Service servers and demonstrating the continuing vulnerability of our patchwork of computer systems. But what is WannaCry, how did it do so much damage and how was it stopped?
WannaCry, like many other malware and ransomware attacks, exploits legacy and unpatched Microsoft systems, which unfortunately still represent the IT backbone of many businesses and governmental organizations. In many places, the inconvenience and cost of porting over to newer, better-supported and more quickly patched versions of Windows is a hurdle that a lot of organizations simply aren’t willing to clear. Thus, these organizations are often targeted by hackers, like predators going for the sick or wounded members of a herd.
The initial WannaCry infection gets into a system using an exploit dubbed EternalBlue which, according to many accounts, was developed by the National Security Agency. The exploit targets older implementations of the Server Message Block (SMB) protocol, which is generally used to coordinate access between computers, programs, printers and serial ports on a network. Once inside, the program installs a backdoor tool called Double Pulsar, then delivers the actual WannaCry payload.
The payload begins encrypting key files on the new host computer, effectively locking users out of their own data and core system functions. The goal is to extort a “ransom,” which it demands from the user in the form of an anonymous bitcoin payment, while also spreading rapidly to any other vulnerable system within the network or otherwise connected to the new host machine.
While the software used to infiltrate the machines was traceable back to a leak of top-secret NSA hacking tools, the actual ransomware itself is of unknown origin, with various theories tying it back to Chinese hacking collectives and a cybercrime organization called The Lazarus Group.
For those with the interest or hacking savvy, Microsoft has released extensive documentation of the EternalBlue, Double Pulsar and WannaCry hacks on their own Windows Security TechNet blog.
The most high-profile target hit by the spread of the WannaCry malware was the NHS in the U.K., but other major organizations in Europe and Asia were also infected, including the Spanish mobile carrier Telefónica, FedEx and the German transportation/logistics firm Deutsche Bahn. The attack crippled the NHS so badly that many clinics were effectively shut down, which ended up delaying and canceling critical surgeries for patients.
“It is going to spread far and wide within the internal systems of organizations - this is turning into the biggest cybersecurity incident I’ve ever seen,” British security architect Kevin Beaumont told CNN the day after the attacks became public. “It has a ‘hunter’ module, which seeks out PCs on internal networks. So, for example, if your laptop is infected and you went to a coffee shop, it would spread to PCs at the coffee shop. From there, to other companies.”
As it turned out, some quick thinking and detective work - and not a small amount of luck - prevented the ransomware from getting broad traction on our side of the Atlantic.
The damage done by WannaCry ended up being contained within 24 hours, thanks to a bit of luck by a U.K. researcher known as “MalwareTech,” who found a domain name in the code that hadn’t been registered, registered it and thereby gained a significant measure of control over WannaCry’s spread.
“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” MalwareTech tweeted out on May 12. “So I can only add ‘accidentally stopped an international cyber attack’ to my résumé.”
The spread of WannaCry was limited because its authors built in a check meant to stop it from running in a “sandbox” environment, a protected network that lets researchers watch the virus spread in a controlled and measurable fashion so that it can be countered. Before spreading, the malware tried to resolve a hard-coded domain that nobody had registered; analysis sandboxes commonly answer every DNS lookup, so a successful response was taken as a sign of being watched, and the malware was designed to basically commit digital suicide in that case. The check backfired when MalwareTech registered the controlling domain: from then on every new infection got a real answer, concluded it was in a sandbox and shut itself down.
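Because every copy of the worm looked up the kill-switch domain before it tried to spread, a DNS query for that domain from an internal host is a strong sign that WannaCry executed there, even on machines where the sinkholed domain stopped the payload. The following is an added example, not code from the original article or from any of the parties it names: it scans BIND-style query log lines for lookups of the kill-switch domain and reports which hosts made them. The domain name and the log lines are constructed placeholders; the real domain is not reproduced here.

```python
"""Flag internal hosts that queried the WannaCry kill-switch domain.

Added example (not from the original article). The domain and the log
lines below are constructed placeholders for demonstration.
"""
import re
from collections import defaultdict

# Placeholder standing in for the real kill-switch domain (assumption).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample of a BIND-style query log; two hosts hit the domain.
SAMPLE_DNS_LOG = """\
12-May-2017 10:02:11.301 queries: info: client 10.1.4.22#51234: query: www.example.org IN A +
12-May-2017 10:02:13.772 queries: info: client 10.1.4.22#51240: query: killswitch-placeholder.example IN A +
12-May-2017 10:02:14.008 queries: info: client 10.1.7.9#60211: query: Killswitch-Placeholder.example. IN A +
12-May-2017 10:02:15.550 queries: info: client 10.1.4.22#51244: query: killswitch-placeholder.example IN A +
12-May-2017 10:02:19.120 queries: info: client 10.1.9.3#44100: query: update.example.net IN A +
"""

# Matches the "client <ip>#<port>: query: <name> IN <type>" part of a BIND log line.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def parse_query(line):
    """Return (client_ip, normalised_qname, qtype) or None if the line is not a query."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    # Strip a trailing dot and lower-case so "Foo.example." equals "foo.example".
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ip"), qname, m.group("qtype")


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that resolved the kill-switch domain to its query count.

    Repeated lookups from one host usually mean the worm was launched more
    than once there (or several processes ran), which is worth knowing when
    prioritising which machines to isolate first.
    """
    wanted = domain.rstrip(".").lower()
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        ip, qname, _qtype = parsed
        if qname == wanted:
            hits[ip] += 1
    return dict(hits)


def triage_order(hits):
    """Hosts sorted by query count (descending), then IP, for an isolation worklist."""
    return sorted(hits, key=lambda ip: (-hits[ip], ip))


if __name__ == "__main__":
    suspects = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for ip in triage_order(suspects):
        print(f"{ip}: {suspects[ip]} kill-switch lookup(s); isolate and image this host")
```

Run it as-is to see the two constructed hosts reported; in practice you would feed it your resolver's query log and the real sinkholed domain. Note that a host which only blocked port 445 still shows up here if the worm ran locally, because the DNS check happens before the SMB spreading attempt.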
WannaCry was stopped, but it took a lucky break to do so. Organizations that use sensitive data need to be on guard, and can’t rely on the fortunate discoveries by foreign researchers. It’s increasingly important to invest in serious tools and solutions to not only prevent cyber-intrusions, but also to deal with the consequences when digital defensive lines do break.
Once a breach has occurred - and with modern malware, it’s increasingly a question of when, not if - time is of the essence. Organizations need to be able to track down the breach quickly and discover how it occurred. Doing this rapidly allows them to shut the attack down and take corrective action. Generally speaking, the larger the targeted organization, the more complex this endeavor becomes. Fortunately, more and more tech tools are available to aid with the process.
For example, big data solutions that empower investigators to visualize otherwise discrete connections allow these professionals to quickly and comprehensively examine large data sets and complex networks, identifying breadcrumb trails that lead directly to suspicious actors. Visallo’s platform helps detail interactions between different users, locations and platforms. As a result, Visallo users can track down fraudsters, put an end to their activities and find weak spots, which ensures the prevention of similar crimes in the future.